Win.Trojan.Minimorph-1 Office (OLE) malware analysis — malicious · fd9fb96c8e71cfbc

MALICIOUS

Office (OLE)

6.0 KB First seen: 2012-06-14

MD5: 969135a0601796fdaed40c4134ea1951 SHA-1: 0ddaa104091f2e1688714da94de37ebecc11e375 SHA-256: fd9fb96c8e71cfbc5d1361a3248dabdee6ff746c427d0ee28a6b3145174d138e

102 Risk Score

Malware Insights

Win.Trojan.Minimorph-1 · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic

The sample exhibits characteristics of a legacy macro virus, specifically identified by the "RSN MACRO VIRUS" marker and the ClamAV detection as Win.Trojan.Minimorph-1. The presence of WordBasic macro virus markers and the explicit mention of "RSN MACRO VIRUS Goat file" in the document body strongly indicate a malicious intent to execute embedded code. The document body also contains references to AutoOpen macros, a common technique for automatic execution.

Heuristics 3

ClamAV: Win.Trojan.Minimorph-1 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Win.Trojan.Minimorph-1
Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS

OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
Recovered legacy WordBasic macro source info OLE_LEGACY_WORDBASIC_MACRO_SOURCE

The Word 6.0/95 document stores tokenised WordBasic macros in the WordDocument stream rather than as a modern VBA project, so VBA source extraction cannot see them. The macro source was detokenised and carved so its identifiers, string literals (file paths, URLs, registry keys, message text) and comments are available for review and signature scanning.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

wordbasic_macros.txt wordbasic-macro analyzer.wordbasic (detokenised Word 6/95 WordBasic macro source) 444 bytes

Filename	Kind	Source	Size
`wordbasic_macros.txt`	wordbasic-macro	analyzer.wordbasic (detokenised Word 6/95 WordBasic macro source)	444 bytes
SHA-256: `420c0136c6b4894bd0c01e9f8cd9d8833b5ef03354f7c1b09e802554814af458`
Preview script First 1,000 lines of the extracted script MAIN , - @cmd8111 0 DUHIM$ = @cmd8025 @cmd80c2 DUHIM$ = ":AutoOpen" , "AutoOpen" @cmd80c2 "AutoOpen" , DUHIM$ = ":AutoOpen" @cmd0054 = 1 DCLUL = @cmd8002 @cmd800e 3 = 5 PPWMS = 1 DCLUL A$ = A$ = @cmd8005 @cmd8002 @cmd800e 26 = 65 B$ = B$ = @cmd8005 @cmd8002 @cmd800e 26 = 65 C$ = C$ = @cmd8005 @cmd8002 @cmd800e 26 = 65 PPWMS @cmd00d7 = "AutoOpen" , @cmd0075 = "DUHIM" , = A$ , @cmd0075 = "PPWMS" , = B$ , @cmd0075 = "DCLUL" , = C$ , @cmd809f 1

SHA-256: 420c0136c6b4894bd0c01e9f8cd9d8833b5ef03354f7c1b09e802554814af458

Preview script

First 1,000 lines of the extracted script

MAIN
, -
@cmd8111 0
DUHIM$ = @cmd8025
@cmd80c2 DUHIM$ = ":AutoOpen" , "AutoOpen"
@cmd80c2 "AutoOpen" , DUHIM$ = ":AutoOpen"
@cmd0054 = 1
DCLUL = @cmd8002 @cmd800e 3 = 5
PPWMS = 1 DCLUL
A$ = A$ = @cmd8005 @cmd8002 @cmd800e 26 = 65
B$ = B$ = @cmd8005 @cmd8002 @cmd800e 26 = 65
C$ = C$ = @cmd8005 @cmd8002 @cmd800e 26 = 65
PPWMS
@cmd00d7 = "AutoOpen" ,
@cmd0075 = "DUHIM" , = A$ ,
@cmd0075 = "PPWMS" , = B$ ,
@cmd0075 = "DCLUL" , = C$ ,
@cmd809f 1

Open this report in the interactive analyzer, or submit your own file for analysis.