Melissa — Office (OLE) / .DOC malware analysis

Static analysis result for SHA-256 32efeccef2b038af…

MALICIOUS

Office (OLE) / .DOC

Size: 42.0 KB
Created: 1999-07-02 17:10:00
Authoring application: Microsoft Word 9.0
MD5: c09e343837209dfe7736206c1230574d
SHA-1: 3d72f824c2f5a4be72b99ea7523e6679b26b1c8d
SHA-256: 32efeccef2b038afa3de7503b5d6ebab9103a67b7f2bfda61ce1e33ac1fd3b3d
Risk Score: 240

Malware Insights

Melissa · confidence 95%

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.005 Command and Scripting Interpreter: Visual Basic for Applications
  • T1534 Internal Spearphishing
  • T1204.002 User Execution: Malicious File

The sample is a classic mass-mailing worm. The ClamAV signature 'Doc.Trojan.Melissa-4' directly attributes the sample to the Melissa virus family. The presence of a Document_Open macro and CreateObject calls in the VBA macros indicates automated propagation: the macro automates the Outlook application to send copies of itself to the first 50 contacts in the author's address book. The document body contains a list of adult-themed URLs and credentials, which serves as a lure to entice users to open the document.

Heuristics 7

  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 43,008 bytes but its declared streams total only 24,396 bytes — 18,612 bytes (43%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 57adb003894f2bc44fcab6eabd7ff88a7d4a1292b34a9e330bac613ef8757fd2
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3880 bytes
Detection
ClamAV: Doc.Trojan.Melissa-4
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms.