Melissa — Office (OLE) / .VIR malware analysis

Static analysis result for SHA-256 c5fc2a21421408a3…

MALICIOUS

Office (OLE) / .VIR

Size: 29.0 KB
Created: 2004-02-28 14:14:00
Authoring application: Microsoft Word 10.0
MD5: cfe739f06fc15a2d0bda0efa9d331ec6
SHA-1: 517e8021d376ce117834a6fb1df96b8ea55e8e39
SHA-256: c5fc2a21421408a3b236a3cbe59570e3c4c1b3b13aea2559de2a5a003f717810
Risk Score: 140

Malware Insights

Melissa · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1071.001 Web Protocol

The two critical ClamAV detections identify this sample as 'Doc.Trojan.Melissa-4' and an extracted artifact as 'Win.Trojan.wmvg-1', strongly indicating the Melissa family. The VBA macro code, specifically the AutoOpen subroutine, contains logic to disable security warnings and then iterate through Outlook contacts to send infected copies of the document via email. This behavior is characteristic of the Melissa virus's self-propagation mechanism.

Heuristics 3

  • ClamAV: Doc.Trojan.Melissa-4 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Melissa-4
  • ClamAV detection on extracted artifact (critical, EXTRACTED_FILE_CLAMAV)
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • VBA macros detected (medium, OLE_VBA_MACROS)
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
    fd40bb66bbddb935b21cf02f038075a5e7e81b6db1c7e6474346f487d01056d5
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 824 bytes
Detection: ClamAV: Win.Trojan.wmvg-1
Obfuscation or payload: unlikely