Office (OLE) malware analysis — malicious · e6a54b8b71e41be1

MALICIOUS

Office (OLE)

12.0 KB First seen: 2014-02-02

MD5: 7110d27bbc271d07314bfb3ef14bb714 SHA-1: 0fa7e751ef4b6731bfe74c3c3326e2dde387fcec SHA-256: e6a54b8b71e41be17c73be0565322405dffc08244798f5c42392907572954381

102 Risk Score

Heuristics 3

ClamAV: Win.Trojan.Muck-6 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Win.Trojan.Muck-6
Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS

OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
Recovered legacy WordBasic macro source info OLE_LEGACY_WORDBASIC_MACRO_SOURCE

The Word 6.0/95 document stores tokenised WordBasic macros in the WordDocument stream rather than as a modern VBA project, so VBA source extraction cannot see them. The macro source was detokenised and carved so its identifiers, string literals (file paths, URLs, registry keys, message text) and comments are available for review and signature scanning.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

wordbasic_macros.txt wordbasic-macro analyzer.wordbasic (detokenised Word 6/95 WordBasic macro source) 5919 bytes

Filename	Kind	Source	Size
`wordbasic_macros.txt`	wordbasic-macro	analyzer.wordbasic (detokenised Word 6/95 WordBasic macro source)	5919 bytes
SHA-256: `23b2113ae001487b67f1117b4b2515aa112d12d7076e75ab73d4c50833e3a719`
Preview script First 1,000 lines of the extracted script , = = 8300 29551 25964 29793 29551 24933 REM macros from any documents that y 29551 = @cmd6120 24930 , , @cmd2065 * @cmd5720 21349 29793 21349 357 = MAIN @cmd0143 = "IMI" , @cmd8044 1 @cmd0241 , - IsThereAnIni$ = @cmd810d "Word6" , "StartupScreen" , "InfoMap.ini" IsThereAnIni$ = @cmd810e "Word6" , "StartupScreen" , "On" , "InfoMap.ini" Win$ = @cmd810c 21 Win$ = "Windows" Platform$ = "Windows" Platform$ = "Macintosh" TitleBox$ = "Version 1.2 for " = Platform$ Copyright$ = , @cmd202c , 26740 , 8300 @cmd7468 , @cmd0129 590 , 269 , Titlebox$ @cmd8125 13 , 6 , 567 , 211 , "LOGO" , 1 , @cmd80c9 19 , 251 , 550 , 13 , Copyright$ , @cmd80c7 416 , 218 , 88 , 21 @cmd80d8 25 , 224 , 236 , 16 , "Disable this startup screen." , dlg @cmd0129 dlg StartupScreen$ = @cmd810d "Word6" , "StartupScreen" , "InfoMap.ini" StartupScreen$ = "On" x = dlg Checked = dlg Checked = 1 @cmd810e "Word6" , "StartupScreen" , "Off" , "InfoMap.ini" REM **************************************************************** REM Macro : AutoExit REM Created : August 11, 1995 REM Copyright (c) 1995 Microsoft Corp. REM Description : detects and removes Concept Virus from document REM being closed REM ************************************************************* quiet , notopened , notsaved , notconverted , cleaned , Mac , quote$ , logfile$ , Found$ , sMe$ , stAutoOpen$ , stFileSaveAs$ , NormalDot$ , stBuiltIn$ Localize REM Insert string translation here ' warn$ = "Your Normal (Global) template contained the Concept Virus. ScanProt has cleaned your Normal (Global) template. Saving it now will permanently remove the Concept Virus. Save now ?" msgTitle$ = "Concept Virus detected!" stAutoOpen$ = "AutoOpen" stFileSaveAs$ = "FileSaveAs" NormalDot$ = "Normal.dot" stBuiltIn$ = "Built In" REM End String Translation *' MAIN , - EndFunc Localize REM initialize constants quiet = 0 notopened = 0 notsaved = 0 notconverted = 0 cleaned = 0 REM What platform are we on, Mac or Win? @cmd800f @cmd80b5 1 , "Macintosh" 0 Mac = 1 quote$ = @cmd800f @cmd80b5 1 , "Windows 3." 0 REM 16-bit Windows Mac = 0 quote$ = Mac = 0 quote$ = @cmd8005 34 REM *********************************************************************' REM INSERT YOUR CODE HERE ' REM *******************************************************************' FixIt 0 FixIt 3 REM found all three concept virus macros, so display msg @cmd802b warn$ , msgTitle$ , 52 = 1 @cmd80a3 1 REM we probably saw a ghost PayLoad, so just save changes @cmd80a3 1 = REM *******************************************************************' REM INSERT YOUR CODE HERE ' REM ********************************************************************' = Err = 0 FixIt , - EndFunc Foo = 0 Foo = Foo = CleanIt "AAAZFS" Foo = Foo = CleanIt "AAAZAO" Foo = Foo = CleanIt "PayLoad" Foo 0 REM remove possibly correct macros only if definitely evil ones REM detected (above) REM Since FileSaveAs is localized in many languages we check ' for the localized name and for FileSaveAs Foo = Foo = CleanIt stFileSaveAs$ Foo = Foo = CleanIt "FileSaveAs" Foo Foo = Foo = CleanIt stAutoOpen$ FixIt = Foo = Err = 0 CleanIt BadMacro$ , - * EndFunc NormalDot$ = @cmd80ea @cmd80eb NormalDot$ @cmd80b5 2 "1.0" , "1.1" , "1.1a" , "2.0" , "2.0a" , "2.0b" , "2.0c" , "6.0" , "6.0a" , "6.0c" @cmd8009 @cmd8045 "Microsoft Word" , "User-Dot-Path" , 1 = "\" sMe$ = @cmd80af @cmd8045 "Microsoft Word" , "User-Dot-Path" = NormalDot$ sMe$ = @cmd80af @cmd8045 "Microsoft Word" , "User-Dot-Path" = "\" = NormalDot$ "7.0" , "7.0a" , "7.0b" , "7.0c" REM 7.0x is included only as a precaution for the future just in case there ever is such a version. TD$ = @cmd810d "HKEY_CURRENT_USER\Software\Microsoft\Microsoft Office\95\FileNew\LocalTemplates" , , @cmd8009 TD$ , 1 = "\" sMe$ = TD$ = NormalDot$ sMe$ = TD$ = "\" = NormalDot$ TD$ = sMe$ = NormalDot$ CleanIt = 0 @cmd818e BadMacro$ @cmd818e BadMacro$ stBuiltIn$ mfn$ = @cmd818e BadMacro$ mfn$ = "Global" mfn$ = sMe$ @cmd00de , = mfn$ , = BadMacro$ , = 3 CleanIt = 1 = Err = 0 MAIN , - @cmd80c2 @cmd8025 = ":AutoOpen" , "Global:AutoOpen" , ExecuteOnly @cmd80c2 @cmd8025 = ":AutoClose" , "Global:AutoClose" , ExecuteOnly @cmd80c2 @cmd8025 = ":AutoNew" , "Global:AutoNew" , ExecuteOnly @cmd80c2 @cmd8025 = ":AutoExit" , "Global:AutoExit" , ExecuteOnly @cmd80c2 @cmd8025 = ":FileSave" , "Global:FileSave" , ExecuteOnly @cmd80c2 @cmd8025 = ":FileSaveAs" , "Global:FileSaveAs" , ExecuteOnly @cmd80c2 "Global:AutoOpen" , @cmd8025 = ":AutoOpen" , ExecuteOnly @cmd80c2 "Global:AutoClose" , @cmd8025 = ":AutoClose" , ExecuteOnly @cmd80c2 "Global:AutoNew" , @cmd8025 = ":AutoNew" , ExecuteOnly @cmd80c2 "Global:AutoExit" , @cmd8025 = ":AutoExit" , ExecuteOnly @cmd80c2 "Global:FileSave" , @cmd8025 = ":FileSave" , ExecuteOnly @cmd80c2 "Global:FileSaveAs" , @cmd8025 = ":FileSaveAs" , ExecuteOnly @cmd80a3 1 MAIN , - @cmd0053 @cmd0054 = 1 @cmd80c2 "Global:AutoOpen" , @cmd8025 = ":AutoOpen" , ExecuteOnly @cmd80c2 "Global:AutoClose" , @cmd8025 = ":AutoClose" , ExecuteOnly @cmd80c2 "Global:AutoNew" , @cmd8025 = ":AutoNew" , ExecuteOnly @cmd80c2 "Global:AutoExit" , @cmd8025 = ":AutoExit" , ExecuteOnly @cmd80c2 "Global:FileSave" , @cmd8025 = ":FileSave" , ExecuteOnly @cmd80c2 "Global:FileSaveAs" , @cmd8025 = ":FileSaveAs" , ExecuteOnly MAIN MAIN , - @cmd80c2 "Global:AutoOpen" , @cmd8025 = ":AutoOpen" , ExecuteOnly @cmd80c2 "Global:AutoClose" , @cmd8025 = ":AutoClose" , ExecuteOnly @cmd80c2 "Global:AutoNew" , @cmd8025 = ":AutoNew" , ExecuteOnly @cmd80c2 "Global:AutoExit" , @cmd8025 = ":AutoExit" , ExecuteOnly @cmd80c2 "Global:FileSave" , @cmd8025 = ":FileSave" , ExecuteOnly @cmd80c2 "Global:FileSaveAs" , @cmd8025 = ":FileSaveAs" , ExecuteOnly dlg @cmd0054 dlg dlg @cmd0054 dlg @cmd0054 = 1

SHA-256: 23b2113ae001487b67f1117b4b2515aa112d12d7076e75ab73d4c50833e3a719

Preview script

First 1,000 lines of the extracted script

, = =        
    8300     29551 25964
        29793     29551     24933     REM macros from any documents that y       29551 =   @cmd6120    
            24930 ,      
,  
        @cmd2065
*           @cmd5720
21349      
    29793 21349          
        357 =
MAIN
@cmd0143 = "IMI" ,
@cmd8044 1
@cmd0241
, -
IsThereAnIni$ = @cmd810d "Word6" , "StartupScreen" , "InfoMap.ini"
IsThereAnIni$ = @cmd810e "Word6" , "StartupScreen" , "On" , "InfoMap.ini"
Win$ = @cmd810c 21
Win$ = "Windows" Platform$ = "Windows"   Platform$ = "Macintosh"
TitleBox$ = "Version 1.2 for " = Platform$
Copyright$ =   ,     @cmd202c ,     26740 ,       8300 @cmd7468  
,        
@cmd0129 590 , 269 , Titlebox$
@cmd8125 13 , 6 , 567 , 211 , "LOGO" , 1 ,
@cmd80c9 19 , 251 , 550 , 13 , Copyright$ ,
@cmd80c7 416 , 218 , 88 , 21
@cmd80d8 25 , 224 , 236 , 16 , "Disable this startup screen." ,
dlg @cmd0129
dlg
StartupScreen$ = @cmd810d "Word6" , "StartupScreen" , "InfoMap.ini"
StartupScreen$ = "On" x = dlg
Checked = dlg
Checked = 1 @cmd810e "Word6" , "StartupScreen" , "Off" , "InfoMap.ini"
REM  ******************************************************************
REM  Macro   : AutoExit
REM  Created : August 11, 1995
REM  Copyright (c) 1995 Microsoft Corp.
REM  Description : detects and removes Concept Virus from document
REM  being closed
REM  *****************************************************************
quiet , notopened , notsaved , notconverted , cleaned , Mac , quote$ , logfile$ , Found$ , sMe$ , stAutoOpen$ , stFileSaveAs$ , NormalDot$ , stBuiltIn$
Localize
REM **** Insert string translation here ****'
warn$ = "Your Normal (Global) template contained the Concept Virus. ScanProt has cleaned your Normal (Global) template. Saving it now will permanently remove the Concept Virus. Save now ?"
msgTitle$ = "Concept Virus detected!"
stAutoOpen$ = "AutoOpen"
stFileSaveAs$ = "FileSaveAs"
NormalDot$ = "Normal.dot"
stBuiltIn$ = "Built In"
REM **** End String Translation ****'
MAIN
, - * EndFunc
Localize
REM  initialize constants
quiet = 0
notopened = 0
notsaved = 0
notconverted = 0
cleaned = 0
REM  What platform are we on, Mac or Win?
@cmd800f @cmd80b5 1 , "Macintosh" 0
Mac = 1
quote$ =
@cmd800f @cmd80b5 1 , "Windows 3." 0
REM  16-bit Windows
Mac = 0
quote$ =
Mac = 0
quote$ = @cmd8005 34
REM **********************************************************************'
REM *	INSERT YOUR CODE HERE								    *'
REM **********************************************************************'
FixIt 0
FixIt 3
REM found all three concept virus macros, so display msg
@cmd802b warn$ , msgTitle$ , 52 = 1 @cmd80a3 1
REM we probably saw a ghost PayLoad, so just save changes
@cmd80a3 1
=
REM **********************************************************************'
REM *	INSERT YOUR CODE HERE								    *'
REM **********************************************************************' =
Err = 0
FixIt
, - * EndFunc
Foo = 0
Foo = Foo = CleanIt "AAAZFS"
Foo = Foo = CleanIt "AAAZAO"
Foo = Foo = CleanIt "PayLoad"
Foo 0
REM  remove possibly correct macros only if definitely evil ones
REM  detected (above)
REM  Since FileSaveAs is localized in many languages we check 		' for the localized name and for FileSaveAs
Foo = Foo = CleanIt stFileSaveAs$
Foo = Foo = CleanIt "FileSaveAs"
Foo Foo = Foo = CleanIt stAutoOpen$
FixIt = Foo =
Err = 0
CleanIt BadMacro$
, - * EndFunc
NormalDot$ = @cmd80ea @cmd80eb NormalDot$
@cmd80b5 2
"1.0" , "1.1" , "1.1a" , "2.0" , "2.0a" , "2.0b" , "2.0c" , "6.0" , "6.0a" , "6.0c"
@cmd8009 @cmd8045 "Microsoft Word" , "User-Dot-Path" , 1 = "\"
sMe$ = @cmd80af @cmd8045 "Microsoft Word" , "User-Dot-Path" = NormalDot$
sMe$ = @cmd80af @cmd8045 "Microsoft Word" , "User-Dot-Path" = "\" = NormalDot$
"7.0" , "7.0a" , "7.0b" , "7.0c"
REM 7.0x is included only as a precaution for the future just in case there ever is such a version.
TD$ = @cmd810d "HKEY_CURRENT_USER\Software\Microsoft\Microsoft Office\95\FileNew\LocalTemplates" , ,
@cmd8009 TD$ , 1 = "\"
sMe$ = TD$ = NormalDot$
sMe$ = TD$ = "\" = NormalDot$
TD$ = sMe$ = NormalDot$
CleanIt = 0
@cmd818e BadMacro$ @cmd818e BadMacro$ stBuiltIn$
mfn$ = @cmd818e BadMacro$
mfn$ = "Global" mfn$ = sMe$
@cmd00de , = mfn$ , = BadMacro$ , = 3
CleanIt = 1
=
Err = 0
MAIN
, -
@cmd80c2 @cmd8025 = ":AutoOpen" , "Global:AutoOpen" , ExecuteOnly
@cmd80c2 @cmd8025 = ":AutoClose" , "Global:AutoClose" , ExecuteOnly
@cmd80c2 @cmd8025 = ":AutoNew" , "Global:AutoNew" , ExecuteOnly
@cmd80c2 @cmd8025 = ":AutoExit" , "Global:AutoExit" , ExecuteOnly
@cmd80c2 @cmd8025 = ":FileSave" , "Global:FileSave" , ExecuteOnly
@cmd80c2 @cmd8025 = ":FileSaveAs" , "Global:FileSaveAs" , ExecuteOnly
@cmd80c2 "Global:AutoOpen" , @cmd8025 = ":AutoOpen" , ExecuteOnly
@cmd80c2 "Global:AutoClose" , @cmd8025 = ":AutoClose" , ExecuteOnly
@cmd80c2 "Global:AutoNew" , @cmd8025 = ":AutoNew" , ExecuteOnly
@cmd80c2 "Global:AutoExit" , @cmd8025 = ":AutoExit" , ExecuteOnly
@cmd80c2 "Global:FileSave" , @cmd8025 = ":FileSave" , ExecuteOnly
@cmd80c2 "Global:FileSaveAs" , @cmd8025 = ":FileSaveAs" , ExecuteOnly
@cmd80a3 1
MAIN
, -
@cmd0053
@cmd0054 = 1
@cmd80c2 "Global:AutoOpen" , @cmd8025 = ":AutoOpen" , ExecuteOnly
@cmd80c2 "Global:AutoClose" , @cmd8025 = ":AutoClose" , ExecuteOnly
@cmd80c2 "Global:AutoNew" , @cmd8025 = ":AutoNew" , ExecuteOnly
@cmd80c2 "Global:AutoExit" , @cmd8025 = ":AutoExit" , ExecuteOnly
@cmd80c2 "Global:FileSave" , @cmd8025 = ":FileSave" , ExecuteOnly
@cmd80c2 "Global:FileSaveAs" , @cmd8025 = ":FileSaveAs" , ExecuteOnly
MAIN
MAIN
, -
@cmd80c2 "Global:AutoOpen" , @cmd8025 = ":AutoOpen" , ExecuteOnly
@cmd80c2 "Global:AutoClose" , @cmd8025 = ":AutoClose" , ExecuteOnly
@cmd80c2 "Global:AutoNew" , @cmd8025 = ":AutoNew" , ExecuteOnly
@cmd80c2 "Global:AutoExit" , @cmd8025 = ":AutoExit" , ExecuteOnly
@cmd80c2 "Global:FileSave" , @cmd8025 = ":FileSave" , ExecuteOnly
@cmd80c2 "Global:FileSaveAs" , @cmd8025 = ":FileSaveAs" , ExecuteOnly
dlg @cmd0054
dlg
dlg
@cmd0054 dlg
@cmd0054 = 1

Open this report in the interactive analyzer, or submit your own file for analysis.