Melissa — Office (OLE) / .DOC malware analysis

Static analysis result for SHA-256 e51c932bc394a7d2…

MALICIOUS

Office (OLE) / .DOC

47.0 KB Created: 2000-04-10 15:23:00 Authoring application: Microsoft Word 8.0
MD5: 6bd367d364833b9b9085daa3044f730a SHA-1: 9f6b4c426c6d26d60731f3035b48cc4ccecdbb26 SHA-256: e51c932bc394a7d294f95fb3ee15746c33f08bbccb4588d57f673dacd99483bc
240 Risk Score

Malware Insights

Melissa · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic for Applications T1204.002 Malicious File

The sample is a Microsoft Word document containing a Document_Open macro, which is a common technique for initial execution. The heuristic firings indicate the presence of VBA macros and a CreateObject call, suggesting the execution of arbitrary code. ClamAV detection as 'Doc.Trojan.Melissa-4' strongly suggests the Melissa family. The document body contains garbled text, indicating potential obfuscation or corruption, but the primary threat stems from the embedded VBA macro designed to execute malicious actions.

Heuristics 6

  • ClamAV detection on extracted artifact critical EXTRACTED_FILE_CLAMAV
    ClamAV flagged at least one file extracted from inside this sample. Even when the wrapping document carries no AV detection of its own, a hit on the carved artifact is a strong indicator the sample is a delivery vehicle.
  • OLE document has large unaccounted-for region high OLE_SLACK_ANOMALY
    OLE file is 48,128 bytes but its declared streams total only 21,228 bytes — 26,900 bytes (56%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure).
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • Suspicious extracted artifact high EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • VBA macros detected medium OLE_VBA_MACROS
    Document contains VBA macro code

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas
b9cd1232487f17b8641fdf0d2a862aeeaf25e727b0d705bdbe6786e1aae9f4f8		 vba-macro oletools.olevba.extract_macros (decoded VBA source) 3837 bytes
Detection
ClamAV: Doc.Trojan.Melissa-4
Obfuscation or payload: likely
Carved macro source contains an auto-exec entry point and execution/download terms.

Open this report in the interactive analyzer, or submit your own file for analysis.