Melissa — Office (OLE) / .DOC malware analysis

Static analysis result for SHA-256 554701bc874da646…

MALICIOUS

Office (OLE) / .DOC

Size: 40.0 KB
Created: 1999-03-26 11:39:00
Authoring application: Microsoft Word 8.0
First seen: 2022-03-31
MD5: 4b68fdec8e89b3983ceb5190a2924003
SHA-1: 45588547dc335d87ea5768512b9f3fc72ffd84a3
SHA-256: 554701bc874da646285689df79e5002b3b1a1f76daf705bea9586640026697ca
Risk score: 302

Malware Insights

Melissa · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1071.001 Web Protocols
  • T1190 Exploit Public-Facing Application

The sample contains VBA macros that execute automatically upon opening the document, as indicated by the 'Document_Open' and 'OLE_VBA_PCODE_AUTOEXEC_EXEC' heuristics. The script attempts to leverage Outlook to send copies of the document as email attachments to recipients from the user's address book. The document body and numerous URLs suggest a lure related to adult content, likely to entice users to enable macros. The ClamAV detection as 'Win.Trojan.Psycho-3' and 'Doc.Trojan.Melissa-4' strongly suggests the Melissa family.

Heuristics (8)

  • ClamAV: Win.Trojan.Psycho-3 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Psycho-3
  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
SHA-256: 81525858b96df11b026f10f6692f428df7c66d1fb2901374c3c34053153f39e1
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 12847 bytes
Detection: ClamAV: Doc.Trojan.Melissa-4
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms.