Win.Trojan.Wogob-1 — Office (OLE) malware analysis

Static analysis result for SHA-256 03b779417e1734ee…

MALICIOUS

Office (OLE)

Size: 22.5 KB
Created: 1998-09-02 03:47:00
Authoring application: Microsoft Word for Windows 95
First seen: 2012-06-14
MD5: a37bd0f7ffea3e732804d4d91da080bc
SHA-1: f3afce6f69037b933473a7a01fed4c18c0ff9c01
SHA-256: 03b779417e1734ee7f9e65fcef20dec6ad2cf043f1dd139aa3bd4d0be04c8b0b
Risk score: 160

Malware Insights

Win.Trojan.Wogob-1 · confidence 95%

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic

The sample exhibits characteristics of a legacy WordBasic macro virus, specifically triggering the 'OLE_LEGACY_WORDBASIC_MACRO_VIRUS' heuristic. Additionally, critical heuristics indicate the presence of XOR-encoded strings, a common obfuscation technique used by malware. The ClamAV detection name 'Win.Trojan.Wogob-1' further supports its classification as a known malicious trojan.

Heuristics (3)

  • ClamAV: Win.Trojan.Wogob-1 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.Wogob-1
  • XOR-encoded strings (key 0xCC) [critical] (SC_XOR_ENCODED)
    Found 1 Windows library/API name(s) XOR-encoded with single-byte key 0xCC: 'ExitProcess'
    Disassembly
    Attempted x86 opcode disassembly
  • Legacy WordBasic macro-virus markers [high] (OLE_LEGACY_WORDBASIC_MACRO_VIRUS)
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.