Win.Trojan.Oblom-1 — Office (OLE) malware analysis

Static analysis result for SHA-256 f71a1b6492db2370…

MALICIOUS

Office (OLE)

14.0 KB Created: 1997-07-29 03:22:00 Authoring application: Microsoft Word for Windows 95 First seen: 2012-06-14
MD5: 4249fd02a487d08bd1cce3de4df0108a SHA-1: aec6560ddb74c49c7d1a151c8b3ddb443d07cc07 SHA-256: f71a1b6492db237066419f32c43e1d1f92a5941bd27cc966ef38165e55756a2f
124 Risk Score

Malware Insights

Win.Trojan.Oblom-1 · confidence 95%

MITRE ATT&CK
T1566.001 Spearphishing Attachment T1059.005 Visual Basic

The sample contains legacy WordBasic macro virus markers and explicitly instructs the user to enable macros, indicating a malicious intent to infect the system. The embedded URL and email address are associated with the malware's distribution or contact. The macro functions described, such as AutoOpen and FileSaveAs, are designed to infect Normal.dot and other documents, and disable macro protection.

Heuristics 5

  • ClamAV: Win.Trojan.Oblom-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Oblom-1
  • Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • Macro/content-enable lure medium SE_ENABLE_LURE
    Document instructs the user to enable macros or editing — a common technique used by malware droppers to bypass Office macro security settings
  • Recovered legacy WordBasic macro source info OLE_LEGACY_WORDBASIC_MACRO_SOURCE
    The Word 6.0/95 document stores tokenised WordBasic macros in the WordDocument stream rather than as a modern VBA project, so VBA source extraction cannot see them. The macro source was detokenised and carved so its identifiers, string literals (file paths, URLs, registry keys, message text) and comments are available for review and signature scanning.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://www.deol.ru/users/QueenI/ In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
wordbasic_macros.txt wordbasic-macro analyzer.wordbasic (detokenised Word 6/95 WordBasic macro source) 221 bytes
SHA-256: 69a7a01ae2ffb9e88baf447960eb60ecedd96d31e6cfac536d912c7ccc4d65ff
Preview script
First 1,000 lines of the extracted script
= = = = = = @cmd0010 21349          
        357 "c) 1997 Master of infection...   QUEEN F"
      29472    
  19827 * ,   ,  
29797 ,         = 20339 @cmd7365     @cmd726f    
  = =     = 2816 3840 @cmd6964 @cmd0073 =